f35cf7c679c46b6353a5695c30596f6d33debaf893ac89764efbf0b67b6ab219

General

Target

f35cf7c679c46b6353a5695c30596f6d33debaf893ac89764efbf0b67b6ab219.exe
Size

954KB
MD5

8a24b35449368e705c3c60a24e0619da
SHA1

dac5f1a4204826eb6ece8141663a01a8d2a478b0
SHA256

f35cf7c679c46b6353a5695c30596f6d33debaf893ac89764efbf0b67b6ab219
SHA512

4db45c573bd4b7c1090c6840d69198bc6273e0a7d68af71a12ca58731cb36d0f4997af71b63bbf14c5c0d3525cc47c770ac6f88fc6137d22bcbb290969c75b9b
SSDEEP

24576:hybsAU5WW0ee/OmDXF0IwzKqlbtd9Wb2AxdWq:UcSl2m50IwzKObtdo2G

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3676	x2112296.exe
360	x9866590.exe
3668	x5192795.exe
4612	g4302783.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f35cf7c679c46b6353a5695c30596f6d33debaf893ac89764efbf0b67b6ab219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2112296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9866590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5192795.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4612 set thread context of 1252	4612	g4302783.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1152	4612	WerFault.exe	74
4236	1252	WerFault.exe	75

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 3676	2496	f35cf7c679c46b6353a5695c30596f6d33debaf893ac89764efbf0b67b6ab219.exe	71
PID 2496 wrote to memory of 3676	2496	f35cf7c679c46b6353a5695c30596f6d33debaf893ac89764efbf0b67b6ab219.exe	71
PID 2496 wrote to memory of 3676	2496	f35cf7c679c46b6353a5695c30596f6d33debaf893ac89764efbf0b67b6ab219.exe	71
PID 3676 wrote to memory of 360	3676	x2112296.exe	72
PID 3676 wrote to memory of 360	3676	x2112296.exe	72
PID 3676 wrote to memory of 360	3676	x2112296.exe	72
PID 360 wrote to memory of 3668	360	x9866590.exe	73
PID 360 wrote to memory of 3668	360	x9866590.exe	73
PID 360 wrote to memory of 3668	360	x9866590.exe	73
PID 3668 wrote to memory of 4612	3668	x5192795.exe	74
PID 3668 wrote to memory of 4612	3668	x5192795.exe	74
PID 3668 wrote to memory of 4612	3668	x5192795.exe	74
PID 4612 wrote to memory of 1252	4612	g4302783.exe	75
PID 4612 wrote to memory of 1252	4612	g4302783.exe	75
PID 4612 wrote to memory of 1252	4612	g4302783.exe	75
PID 4612 wrote to memory of 1252	4612	g4302783.exe	75
PID 4612 wrote to memory of 1252	4612	g4302783.exe	75
PID 4612 wrote to memory of 1252	4612	g4302783.exe	75
PID 4612 wrote to memory of 1252	4612	g4302783.exe	75
PID 4612 wrote to memory of 1252	4612	g4302783.exe	75
PID 4612 wrote to memory of 1252	4612	g4302783.exe	75
PID 4612 wrote to memory of 1252	4612	g4302783.exe	75

C:\Users\Admin\AppData\Local\Temp\f35cf7c679c46b6353a5695c30596f6d33debaf893ac89764efbf0b67b6ab219.exe
"C:\Users\Admin\AppData\Local\Temp\f35cf7c679c46b6353a5695c30596f6d33debaf893ac89764efbf0b67b6ab219.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2112296.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2112296.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9866590.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9866590.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:360
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5192795.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5192795.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3668
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4302783.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4302783.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4612
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 568
        7⤵
        Program crash
        
        PID:4236
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 580
        6⤵
        Program crash
        
        PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2112296.exe

Filesize
852KB

MD5
68c64fda651aa8d2050161a19f8c9ab6

SHA1
7d01bfa6037d9790e49bb3db48449993d65954fc

SHA256
c13908b3f755111e470645edd1a9a45a963ad42d6d974572b57bcefbf244347c

SHA512
b2804c2ce7aa3f8ba812febd3d85673edf3f77ea14e0210c5337394c55ecc6075f74c0bc78b0687e4bd78dad48da264efbe7a78664031f2904b5ce58fb03001d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2112296.exe

Filesize
852KB

MD5
68c64fda651aa8d2050161a19f8c9ab6

SHA1
7d01bfa6037d9790e49bb3db48449993d65954fc

SHA256
c13908b3f755111e470645edd1a9a45a963ad42d6d974572b57bcefbf244347c

SHA512
b2804c2ce7aa3f8ba812febd3d85673edf3f77ea14e0210c5337394c55ecc6075f74c0bc78b0687e4bd78dad48da264efbe7a78664031f2904b5ce58fb03001d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9866590.exe

Filesize
589KB

MD5
cef48b394fbb6126a9e3b6d061fd881b

SHA1
786642bf8af65b92e8a883f29473564f62fecf84

SHA256
51a696f89f828eee0166ec341d87002299a39025c94f47c9531bf76224c7ad05

SHA512
b983a5e9056e08bce4877ee7370d98bb70e81fdd3434068f3c9e1c51243d1e8b1150aeb205cc773260d854a5a06233681ccf3e20f9769c6c60c2ae8416e603f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9866590.exe

Filesize
589KB

MD5
cef48b394fbb6126a9e3b6d061fd881b

SHA1
786642bf8af65b92e8a883f29473564f62fecf84

SHA256
51a696f89f828eee0166ec341d87002299a39025c94f47c9531bf76224c7ad05

SHA512
b983a5e9056e08bce4877ee7370d98bb70e81fdd3434068f3c9e1c51243d1e8b1150aeb205cc773260d854a5a06233681ccf3e20f9769c6c60c2ae8416e603f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5192795.exe

Filesize
403KB

MD5
ccc7533ab6e90adcf64b1baff0e54107

SHA1
0818e4ef2dc729a9bc7bb77d01b60420b5e25d73

SHA256
f7f1c34e9be43085c8550f783c903f524bed06446796f5b147dba17c5db39ac7

SHA512
b252bb47665dc5673480b9e7d51ce1dda84a5ae0c3020a8c7b96c193e43f2ff7a4d3db3fdfdace57a0687c0e2663f3458cb0b8441477f6951a4bf013ab029338

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5192795.exe

Filesize
403KB

MD5
ccc7533ab6e90adcf64b1baff0e54107

SHA1
0818e4ef2dc729a9bc7bb77d01b60420b5e25d73

SHA256
f7f1c34e9be43085c8550f783c903f524bed06446796f5b147dba17c5db39ac7

SHA512
b252bb47665dc5673480b9e7d51ce1dda84a5ae0c3020a8c7b96c193e43f2ff7a4d3db3fdfdace57a0687c0e2663f3458cb0b8441477f6951a4bf013ab029338

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4302783.exe

Filesize
378KB

MD5
f8f742fc0ab071d0a7a6fb9af3b42f58

SHA1
b8ef8820176459431e537cb438b22aeb0ac2167a

SHA256
397bd2db2a66bd254bf19b617387a27f9fb1092bbebc0cf2b65ed68f6f56dc55

SHA512
67e986abf86368ea41415b58eb4afb582b82cc6f415582921f2f8da7cbc9bf1e18dbfa60cd4c1cfb18457af88b04b4e935f061c92362ddc96751512c39dd7891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4302783.exe

Filesize
378KB

MD5
f8f742fc0ab071d0a7a6fb9af3b42f58

SHA1
b8ef8820176459431e537cb438b22aeb0ac2167a

SHA256
397bd2db2a66bd254bf19b617387a27f9fb1092bbebc0cf2b65ed68f6f56dc55

SHA512
67e986abf86368ea41415b58eb4afb582b82cc6f415582921f2f8da7cbc9bf1e18dbfa60cd4c1cfb18457af88b04b4e935f061c92362ddc96751512c39dd7891

Download Submit
memory/1252-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads