0f11fd9aa8fead106fc837a20092f83391656b24b2bd6694bc86d3b9ebfb0658

General

Target

0f11fd9aa8fead106fc837a20092f83391656b24b2bd6694bc86d3b9ebfb0658.exe
Size

935KB
MD5

77742d1e40101b58348be2ec37799863
SHA1

86ed1a78ea3c9e0002d58bbef72be080b7258f00
SHA256

0f11fd9aa8fead106fc837a20092f83391656b24b2bd6694bc86d3b9ebfb0658
SHA512

f4ddadb1ace43edbab5c775b3723eec5ace6e76105a755f620c835fc92db52a2890e1bc424e1c446dcec15ae8a6fc74fc6159652cde19308da1a85ea0940b7bb
SSDEEP

24576:VyrUx5tT6KIuNXpUIMIE2anYZSWZbVCsrwKvELib16i8:wrGV6KIw/E2aYZTF87Kv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1328	x2432713.exe
3852	x7430330.exe
1864	x0891553.exe
2212	g8710030.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7430330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0891553.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0f11fd9aa8fead106fc837a20092f83391656b24b2bd6694bc86d3b9ebfb0658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2432713.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2212 set thread context of 2140	2212	g8710030.exe	74

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5116	2212	WerFault.exe	72
4692	2140	WerFault.exe	74

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 1328	4984	0f11fd9aa8fead106fc837a20092f83391656b24b2bd6694bc86d3b9ebfb0658.exe	69
PID 4984 wrote to memory of 1328	4984	0f11fd9aa8fead106fc837a20092f83391656b24b2bd6694bc86d3b9ebfb0658.exe	69
PID 4984 wrote to memory of 1328	4984	0f11fd9aa8fead106fc837a20092f83391656b24b2bd6694bc86d3b9ebfb0658.exe	69
PID 1328 wrote to memory of 3852	1328	x2432713.exe	70
PID 1328 wrote to memory of 3852	1328	x2432713.exe	70
PID 1328 wrote to memory of 3852	1328	x2432713.exe	70
PID 3852 wrote to memory of 1864	3852	x7430330.exe	71
PID 3852 wrote to memory of 1864	3852	x7430330.exe	71
PID 3852 wrote to memory of 1864	3852	x7430330.exe	71
PID 1864 wrote to memory of 2212	1864	x0891553.exe	72
PID 1864 wrote to memory of 2212	1864	x0891553.exe	72
PID 1864 wrote to memory of 2212	1864	x0891553.exe	72
PID 2212 wrote to memory of 2052	2212	g8710030.exe	73
PID 2212 wrote to memory of 2052	2212	g8710030.exe	73
PID 2212 wrote to memory of 2052	2212	g8710030.exe	73
PID 2212 wrote to memory of 2140	2212	g8710030.exe	74
PID 2212 wrote to memory of 2140	2212	g8710030.exe	74
PID 2212 wrote to memory of 2140	2212	g8710030.exe	74
PID 2212 wrote to memory of 2140	2212	g8710030.exe	74
PID 2212 wrote to memory of 2140	2212	g8710030.exe	74
PID 2212 wrote to memory of 2140	2212	g8710030.exe	74
PID 2212 wrote to memory of 2140	2212	g8710030.exe	74
PID 2212 wrote to memory of 2140	2212	g8710030.exe	74
PID 2212 wrote to memory of 2140	2212	g8710030.exe	74
PID 2212 wrote to memory of 2140	2212	g8710030.exe	74

C:\Users\Admin\AppData\Local\Temp\0f11fd9aa8fead106fc837a20092f83391656b24b2bd6694bc86d3b9ebfb0658.exe
"C:\Users\Admin\AppData\Local\Temp\0f11fd9aa8fead106fc837a20092f83391656b24b2bd6694bc86d3b9ebfb0658.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2432713.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2432713.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7430330.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7430330.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0891553.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0891553.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1864
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8710030.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8710030.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2052
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 568
        7⤵
        Program crash
        
        PID:4692
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 572
        6⤵
        Program crash
        
        PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2432713.exe

Filesize
837KB

MD5
fc034ad1d7c672c8aee62bd81cc4e00d

SHA1
ee1f76a136a2e1a732cacf6467e36cd25bce0b68

SHA256
e9af4f5d6b340f5ecffc6696c5d422ec67c808c6ee5fd3a842a1ca45577c8052

SHA512
560541b85150640c050cd077ae4f9c4b6d66eec08f29c9458ed5e0bdfa0d16b7c9abc73bf59e7455e2a61eb2308ddb3a4e2b786d0aa5c46e3be71efba354b96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2432713.exe

Filesize
837KB

MD5
fc034ad1d7c672c8aee62bd81cc4e00d

SHA1
ee1f76a136a2e1a732cacf6467e36cd25bce0b68

SHA256
e9af4f5d6b340f5ecffc6696c5d422ec67c808c6ee5fd3a842a1ca45577c8052

SHA512
560541b85150640c050cd077ae4f9c4b6d66eec08f29c9458ed5e0bdfa0d16b7c9abc73bf59e7455e2a61eb2308ddb3a4e2b786d0aa5c46e3be71efba354b96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7430330.exe

Filesize
572KB

MD5
c71a96b3cf6c3f6c821804e66649d0cf

SHA1
25e445e593f763128c726c8b81b1604ed1d2e0da

SHA256
5837d0bfa4b3805999166feedb7805bd7e421953ba51ccbc05eff71900e3a2dd

SHA512
dfb5923b9fbbab8ffaed98f5e06539b6c8fa337ac3239a4c82c4be91243b90bdfaf887421d6d1c51406a4c656ea0d84c55be02d03fb5086eda2d0e0864878216

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7430330.exe

Filesize
572KB

MD5
c71a96b3cf6c3f6c821804e66649d0cf

SHA1
25e445e593f763128c726c8b81b1604ed1d2e0da

SHA256
5837d0bfa4b3805999166feedb7805bd7e421953ba51ccbc05eff71900e3a2dd

SHA512
dfb5923b9fbbab8ffaed98f5e06539b6c8fa337ac3239a4c82c4be91243b90bdfaf887421d6d1c51406a4c656ea0d84c55be02d03fb5086eda2d0e0864878216

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0891553.exe

Filesize
395KB

MD5
9e49b1d9dbdf784101cfa2c2454a1412

SHA1
36c60a61d661520baadf2260bb8af9a31a8a3620

SHA256
ecadb63580f379e3631f2005e2896e7d67afe366e65563d3f197568db827c374

SHA512
65fb86806abd626782b662c99f423919ccda0c582a284eef63c85d84fd6cf0ca22ed05cf5975527a447da0eaf773e39ebe368b241a1f98b3fdf3b3572e37527b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0891553.exe

Filesize
395KB

MD5
9e49b1d9dbdf784101cfa2c2454a1412

SHA1
36c60a61d661520baadf2260bb8af9a31a8a3620

SHA256
ecadb63580f379e3631f2005e2896e7d67afe366e65563d3f197568db827c374

SHA512
65fb86806abd626782b662c99f423919ccda0c582a284eef63c85d84fd6cf0ca22ed05cf5975527a447da0eaf773e39ebe368b241a1f98b3fdf3b3572e37527b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8710030.exe

Filesize
365KB

MD5
93b94faef8db73aefc9434c21b87ce5f

SHA1
48d5cd41e0bcef0ebbbc363e041ffbb8de2dcc3a

SHA256
a3089e08c3875d43462345b35cc6e7cc074275ed9850cba91ac3b21479aa10b5

SHA512
6813e203751f72332c8e7fd572fdc3d5b92fc6b6cebb4111f1b9bcdf83d01466c86367b4a006eb6d8feca93769af0d84e588b8e7373a8fdc40a966c7b797b127

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8710030.exe

Filesize
365KB

MD5
93b94faef8db73aefc9434c21b87ce5f

SHA1
48d5cd41e0bcef0ebbbc363e041ffbb8de2dcc3a

SHA256
a3089e08c3875d43462345b35cc6e7cc074275ed9850cba91ac3b21479aa10b5

SHA512
6813e203751f72332c8e7fd572fdc3d5b92fc6b6cebb4111f1b9bcdf83d01466c86367b4a006eb6d8feca93769af0d84e588b8e7373a8fdc40a966c7b797b127

Download Submit
memory/2140-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2140-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2140-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2140-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads