2b0e9e0bb11799fc29f783af7f233b7a59c602b6d4d60a78f60bff87cff3e175

General

Target

2b0e9e0bb11799fc29f783af7f233b7a59c602b6d4d60a78f60bff87cff3e175.exe
Size

1.0MB
MD5

03c76cb00828ee495157dbcd95bab12f
SHA1

5f62bf5b238647197614fa5678ebe2a40129da07
SHA256

2b0e9e0bb11799fc29f783af7f233b7a59c602b6d4d60a78f60bff87cff3e175
SHA512

127dec62fd1ab555739406e8c131fdbbd57a820fb341b24c8101ab816ada48c1c37360a1b7d6314c8d9fdd017cdce9105f5a9c21a07545bd4085e5bba60e5d95
SSDEEP

24576:syRN2kOcY45WP1N31Q1FizLm5RGAszt43Hb:bRN2kLuDGFZ5QAsh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
5004	x9419076.exe
3216	x3524317.exe
1608	x0530824.exe
3456	g9440397.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b0e9e0bb11799fc29f783af7f233b7a59c602b6d4d60a78f60bff87cff3e175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9419076.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3524317.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0530824.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3456 set thread context of 1512	3456	g9440397.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4128	3456	WerFault.exe	73
556	1512	WerFault.exe	75

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 5004	4444	2b0e9e0bb11799fc29f783af7f233b7a59c602b6d4d60a78f60bff87cff3e175.exe	70
PID 4444 wrote to memory of 5004	4444	2b0e9e0bb11799fc29f783af7f233b7a59c602b6d4d60a78f60bff87cff3e175.exe	70
PID 4444 wrote to memory of 5004	4444	2b0e9e0bb11799fc29f783af7f233b7a59c602b6d4d60a78f60bff87cff3e175.exe	70
PID 5004 wrote to memory of 3216	5004	x9419076.exe	71
PID 5004 wrote to memory of 3216	5004	x9419076.exe	71
PID 5004 wrote to memory of 3216	5004	x9419076.exe	71
PID 3216 wrote to memory of 1608	3216	x3524317.exe	72
PID 3216 wrote to memory of 1608	3216	x3524317.exe	72
PID 3216 wrote to memory of 1608	3216	x3524317.exe	72
PID 1608 wrote to memory of 3456	1608	x0530824.exe	73
PID 1608 wrote to memory of 3456	1608	x0530824.exe	73
PID 1608 wrote to memory of 3456	1608	x0530824.exe	73
PID 3456 wrote to memory of 1512	3456	g9440397.exe	75
PID 3456 wrote to memory of 1512	3456	g9440397.exe	75
PID 3456 wrote to memory of 1512	3456	g9440397.exe	75
PID 3456 wrote to memory of 1512	3456	g9440397.exe	75
PID 3456 wrote to memory of 1512	3456	g9440397.exe	75
PID 3456 wrote to memory of 1512	3456	g9440397.exe	75
PID 3456 wrote to memory of 1512	3456	g9440397.exe	75
PID 3456 wrote to memory of 1512	3456	g9440397.exe	75
PID 3456 wrote to memory of 1512	3456	g9440397.exe	75
PID 3456 wrote to memory of 1512	3456	g9440397.exe	75

C:\Users\Admin\AppData\Local\Temp\2b0e9e0bb11799fc29f783af7f233b7a59c602b6d4d60a78f60bff87cff3e175.exe
"C:\Users\Admin\AppData\Local\Temp\2b0e9e0bb11799fc29f783af7f233b7a59c602b6d4d60a78f60bff87cff3e175.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9419076.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9419076.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3524317.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3524317.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0530824.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0530824.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9440397.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9440397.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3456
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 568
        7⤵
        Program crash
        
        PID:556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 132
        6⤵
        Program crash
        
        PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9419076.exe

Filesize
933KB

MD5
f8d589a118472a3d75f96ae0caabee3f

SHA1
c3f6588867cd4f5e4778a4904814edb52f1e4571

SHA256
2709325bbfcb3d4a52faab3a9f6b7bfdf8cb72f289ddcc7087075b302fa8c271

SHA512
32143ffdab4ec25dd8a75b6a17dd5396b5297f78d6c5a9d9d0ec91c50a92d6cb59b485ae191dbd35460876284f44f070b2a5eff3ac652eb9db710d50096d34bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9419076.exe

Filesize
933KB

MD5
f8d589a118472a3d75f96ae0caabee3f

SHA1
c3f6588867cd4f5e4778a4904814edb52f1e4571

SHA256
2709325bbfcb3d4a52faab3a9f6b7bfdf8cb72f289ddcc7087075b302fa8c271

SHA512
32143ffdab4ec25dd8a75b6a17dd5396b5297f78d6c5a9d9d0ec91c50a92d6cb59b485ae191dbd35460876284f44f070b2a5eff3ac652eb9db710d50096d34bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3524317.exe

Filesize
628KB

MD5
d4e9ab544e91a0ed0581befba72414ae

SHA1
26ddbbf7bd8c054dc44f11cafb20f3012053c513

SHA256
d8f7c18d54b5c9878444cb3d3d532b48a7ea0568d0eb2af8b712b4fd8be8e9b7

SHA512
1cee37e2e7c5959ce322c607845ceaf2b7f090572ed598d3405f3407dcf06831b02102fcb0e74e46ea40f81f7a38a13c35cf634682f2f5dde09a393f14c21e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3524317.exe

Filesize
628KB

MD5
d4e9ab544e91a0ed0581befba72414ae

SHA1
26ddbbf7bd8c054dc44f11cafb20f3012053c513

SHA256
d8f7c18d54b5c9878444cb3d3d532b48a7ea0568d0eb2af8b712b4fd8be8e9b7

SHA512
1cee37e2e7c5959ce322c607845ceaf2b7f090572ed598d3405f3407dcf06831b02102fcb0e74e46ea40f81f7a38a13c35cf634682f2f5dde09a393f14c21e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0530824.exe

Filesize
443KB

MD5
6363597f8cb3716b0deecb22c1ae793b

SHA1
e2123e3939d5076d1fd4cd38b92198adfbc1b2ac

SHA256
f5734e5bf3d31dc4cb92c6c3d73774070f2dd852f6627364fd5dc7f2a59ce1dc

SHA512
0aaedb9cd97549a707599fa2a853e8a9bb8b0559546f39d750ab3d8d3e2934d3c351f0c73b3297ee8ebfed2e5a829229899ecf48d8d6bfc489c7152f2c38514a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0530824.exe

Filesize
443KB

MD5
6363597f8cb3716b0deecb22c1ae793b

SHA1
e2123e3939d5076d1fd4cd38b92198adfbc1b2ac

SHA256
f5734e5bf3d31dc4cb92c6c3d73774070f2dd852f6627364fd5dc7f2a59ce1dc

SHA512
0aaedb9cd97549a707599fa2a853e8a9bb8b0559546f39d750ab3d8d3e2934d3c351f0c73b3297ee8ebfed2e5a829229899ecf48d8d6bfc489c7152f2c38514a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9440397.exe

Filesize
700KB

MD5
9c49d62a59d137c237163f6702b13c5b

SHA1
e4a94f5f8f4a8cf38aa331b24e0a25f8d182aef5

SHA256
3bca23cc4c4e0e8c302128a9d2661bdbc0462c5d8f7ff5465b67865bd1c0855a

SHA512
e252b725cf2d8fe4c9e3beb4eebe6e1dd5bc7f1fb939a386f257073e69c3f6b406cc5fe6756a1b6e85beca8a21e87a9814b027d1327a60b1d800162cfb7e35eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9440397.exe

Filesize
700KB

MD5
9c49d62a59d137c237163f6702b13c5b

SHA1
e4a94f5f8f4a8cf38aa331b24e0a25f8d182aef5

SHA256
3bca23cc4c4e0e8c302128a9d2661bdbc0462c5d8f7ff5465b67865bd1c0855a

SHA512
e252b725cf2d8fe4c9e3beb4eebe6e1dd5bc7f1fb939a386f257073e69c3f6b406cc5fe6756a1b6e85beca8a21e87a9814b027d1327a60b1d800162cfb7e35eb

Download Submit
memory/1512-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads