3d1679201b08d09b0de3cbb9b691de9cfa30275e5eb6be151304768b68e162de

General

Target

3d1679201b08d09b0de3cbb9b691de9cfa30275e5eb6be151304768b68e162de.exe
Size

1.0MB
MD5

b1aabf6929659dc9bcecc76553bb6ce7
SHA1

04f1b0a778a190d6533809b5bf93b0723166164b
SHA256

3d1679201b08d09b0de3cbb9b691de9cfa30275e5eb6be151304768b68e162de
SHA512

181a1a5e2c69e98a2256982372ce6e7cd7a702243737b3b413e1c6954cb48b63b981caf400bdf570cff392476aaf9808cef82c22d9739ea823e547ee2d9d6521
SSDEEP

12288:mMrdy90TmnwdTaFkmxR2ysZnMkIbuGuqqTZ0snt6aC8guXiZYcbkTlVBH6fLRoXs:DyEWwxiRvuBnte8zXgYbVBHsWX0T

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3960	x1626020.exe
3704	x0772866.exe
708	x0000309.exe
4288	g4496899.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3d1679201b08d09b0de3cbb9b691de9cfa30275e5eb6be151304768b68e162de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1626020.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0772866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0000309.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4288 set thread context of 4760	4288	g4496899.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2016	4288	WerFault.exe	74
3064	4760	WerFault.exe	76

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 3960	4604	3d1679201b08d09b0de3cbb9b691de9cfa30275e5eb6be151304768b68e162de.exe	71
PID 4604 wrote to memory of 3960	4604	3d1679201b08d09b0de3cbb9b691de9cfa30275e5eb6be151304768b68e162de.exe	71
PID 4604 wrote to memory of 3960	4604	3d1679201b08d09b0de3cbb9b691de9cfa30275e5eb6be151304768b68e162de.exe	71
PID 3960 wrote to memory of 3704	3960	x1626020.exe	72
PID 3960 wrote to memory of 3704	3960	x1626020.exe	72
PID 3960 wrote to memory of 3704	3960	x1626020.exe	72
PID 3704 wrote to memory of 708	3704	x0772866.exe	73
PID 3704 wrote to memory of 708	3704	x0772866.exe	73
PID 3704 wrote to memory of 708	3704	x0772866.exe	73
PID 708 wrote to memory of 4288	708	x0000309.exe	74
PID 708 wrote to memory of 4288	708	x0000309.exe	74
PID 708 wrote to memory of 4288	708	x0000309.exe	74
PID 4288 wrote to memory of 4760	4288	g4496899.exe	76
PID 4288 wrote to memory of 4760	4288	g4496899.exe	76
PID 4288 wrote to memory of 4760	4288	g4496899.exe	76
PID 4288 wrote to memory of 4760	4288	g4496899.exe	76
PID 4288 wrote to memory of 4760	4288	g4496899.exe	76
PID 4288 wrote to memory of 4760	4288	g4496899.exe	76
PID 4288 wrote to memory of 4760	4288	g4496899.exe	76
PID 4288 wrote to memory of 4760	4288	g4496899.exe	76
PID 4288 wrote to memory of 4760	4288	g4496899.exe	76
PID 4288 wrote to memory of 4760	4288	g4496899.exe	76

C:\Users\Admin\AppData\Local\Temp\3d1679201b08d09b0de3cbb9b691de9cfa30275e5eb6be151304768b68e162de.exe
"C:\Users\Admin\AppData\Local\Temp\3d1679201b08d09b0de3cbb9b691de9cfa30275e5eb6be151304768b68e162de.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1626020.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1626020.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0772866.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0772866.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0000309.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0000309.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:708
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4496899.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4496899.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4288
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 568
        7⤵
        Program crash
        
        PID:3064
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 580
        6⤵
        Program crash
        
        PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1626020.exe

Filesize
931KB

MD5
7ca2403c8b72449372dbd829a6892f09

SHA1
f41771c325904181051fa90407db2557f9eab146

SHA256
4fbd689306005aed9bfa398434530ffa23f189e3e230db48559917a3dee9d3b4

SHA512
e3d066fc31e9efbd75fa2ed99f9c0599000828afc5273acd58929f08dfab8332961283d619c87f42b12d02eacc4166626979c89f5ca2c1e541d8cd1aa908d90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1626020.exe

Filesize
931KB

MD5
7ca2403c8b72449372dbd829a6892f09

SHA1
f41771c325904181051fa90407db2557f9eab146

SHA256
4fbd689306005aed9bfa398434530ffa23f189e3e230db48559917a3dee9d3b4

SHA512
e3d066fc31e9efbd75fa2ed99f9c0599000828afc5273acd58929f08dfab8332961283d619c87f42b12d02eacc4166626979c89f5ca2c1e541d8cd1aa908d90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0772866.exe

Filesize
627KB

MD5
3e1fe6be0a57ba3fa23e43f1ca9fb947

SHA1
dab8b27b6b379b9f70a73465816a68336427e739

SHA256
cb725df00224f3d3ff311bffcf6b1a866d639b808639a15a1e1c829d4496b7c7

SHA512
b6bf52a973a0555bca1c79daff4cae37e4e1324e4cb6b9edc1c46e3e1fc84d0c128f83e2acb85b5500219f19e1cd1292fce3ea1548f074c33badf38b8225b77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0772866.exe

Filesize
627KB

MD5
3e1fe6be0a57ba3fa23e43f1ca9fb947

SHA1
dab8b27b6b379b9f70a73465816a68336427e739

SHA256
cb725df00224f3d3ff311bffcf6b1a866d639b808639a15a1e1c829d4496b7c7

SHA512
b6bf52a973a0555bca1c79daff4cae37e4e1324e4cb6b9edc1c46e3e1fc84d0c128f83e2acb85b5500219f19e1cd1292fce3ea1548f074c33badf38b8225b77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0000309.exe

Filesize
442KB

MD5
6875d49d6688862a554002534a95b80e

SHA1
2605362ac340c23574a4c2dd937b6623d8664229

SHA256
88e504177053f7632d8dc5eb9064fdb71545ffaf23ca79574e489a7aad9b7cc1

SHA512
78e014c2f85ca4ce1a4e8ea1c3724952024facd9b1bae9bf10e1a3d075afae3ffe368a458f8f5e9d1a41a9718faf4768e38182e7143331674cb9f1cef1220a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0000309.exe

Filesize
442KB

MD5
6875d49d6688862a554002534a95b80e

SHA1
2605362ac340c23574a4c2dd937b6623d8664229

SHA256
88e504177053f7632d8dc5eb9064fdb71545ffaf23ca79574e489a7aad9b7cc1

SHA512
78e014c2f85ca4ce1a4e8ea1c3724952024facd9b1bae9bf10e1a3d075afae3ffe368a458f8f5e9d1a41a9718faf4768e38182e7143331674cb9f1cef1220a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4496899.exe

Filesize
700KB

MD5
be5d611087e642b7a3bfc8a15721e2ca

SHA1
ecda73df9484a36131972731e13ff731d64184ca

SHA256
dfc4d56c86228e0879364b702c8a62d9bec22881e70c64a6b536214fd927b0e9

SHA512
8fee639c3de96eb35b90b399384b328e6e79b2262f6c9df0249afee0979f6d5260c983c7fe2b4cc02cdb86f5740528dca7dea81ac2a67a9c2073fa096b774b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4496899.exe

Filesize
700KB

MD5
be5d611087e642b7a3bfc8a15721e2ca

SHA1
ecda73df9484a36131972731e13ff731d64184ca

SHA256
dfc4d56c86228e0879364b702c8a62d9bec22881e70c64a6b536214fd927b0e9

SHA512
8fee639c3de96eb35b90b399384b328e6e79b2262f6c9df0249afee0979f6d5260c983c7fe2b4cc02cdb86f5740528dca7dea81ac2a67a9c2073fa096b774b06

Download Submit
memory/4760-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads