f56c305cd4a0823c417752f70824eb713713e63ddb551a27e0a3cd7b76417b3a

General

Target

f56c305cd4a0823c417752f70824eb713713e63ddb551a27e0a3cd7b76417b3a.exe
Size

938KB
MD5

ef55dbd397df39db2440c09567775df9
SHA1

0325096cdd94a1cff3574ff410b9d81c7dd03cb4
SHA256

f56c305cd4a0823c417752f70824eb713713e63ddb551a27e0a3cd7b76417b3a
SHA512

8e4bbfb4eda3ce1f6e9a5f0d449addfd6427451a35236b7ff975d23e6908edb4c6c6447be644c10dc2ed68a7ade97bf64d621d255c412c7f38658c0989058923
SSDEEP

12288:ZMrMy90FDK78hZVoBPArOaITZ4DqqyE1WomniQQjbpMdAyHA+tA9hxL566Pi6JqR:NyN4hZV5UESNilN+tm5s6QI1K

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4988	x2287356.exe
5108	x9188735.exe
4932	x1642429.exe
4524	g8402262.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9188735.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1642429.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f56c305cd4a0823c417752f70824eb713713e63ddb551a27e0a3cd7b76417b3a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2287356.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4524 set thread context of 3752	4524	g8402262.exe	74

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2456	4524	WerFault.exe	73
2972	3752	WerFault.exe	74

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 4988	1232	f56c305cd4a0823c417752f70824eb713713e63ddb551a27e0a3cd7b76417b3a.exe	70
PID 1232 wrote to memory of 4988	1232	f56c305cd4a0823c417752f70824eb713713e63ddb551a27e0a3cd7b76417b3a.exe	70
PID 1232 wrote to memory of 4988	1232	f56c305cd4a0823c417752f70824eb713713e63ddb551a27e0a3cd7b76417b3a.exe	70
PID 4988 wrote to memory of 5108	4988	x2287356.exe	71
PID 4988 wrote to memory of 5108	4988	x2287356.exe	71
PID 4988 wrote to memory of 5108	4988	x2287356.exe	71
PID 5108 wrote to memory of 4932	5108	x9188735.exe	72
PID 5108 wrote to memory of 4932	5108	x9188735.exe	72
PID 5108 wrote to memory of 4932	5108	x9188735.exe	72
PID 4932 wrote to memory of 4524	4932	x1642429.exe	73
PID 4932 wrote to memory of 4524	4932	x1642429.exe	73
PID 4932 wrote to memory of 4524	4932	x1642429.exe	73
PID 4524 wrote to memory of 3752	4524	g8402262.exe	74
PID 4524 wrote to memory of 3752	4524	g8402262.exe	74
PID 4524 wrote to memory of 3752	4524	g8402262.exe	74
PID 4524 wrote to memory of 3752	4524	g8402262.exe	74
PID 4524 wrote to memory of 3752	4524	g8402262.exe	74
PID 4524 wrote to memory of 3752	4524	g8402262.exe	74
PID 4524 wrote to memory of 3752	4524	g8402262.exe	74
PID 4524 wrote to memory of 3752	4524	g8402262.exe	74
PID 4524 wrote to memory of 3752	4524	g8402262.exe	74
PID 4524 wrote to memory of 3752	4524	g8402262.exe	74

C:\Users\Admin\AppData\Local\Temp\f56c305cd4a0823c417752f70824eb713713e63ddb551a27e0a3cd7b76417b3a.exe
"C:\Users\Admin\AppData\Local\Temp\f56c305cd4a0823c417752f70824eb713713e63ddb551a27e0a3cd7b76417b3a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2287356.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2287356.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9188735.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9188735.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1642429.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1642429.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8402262.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8402262.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 568
        7⤵
        Program crash
        
        PID:2972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 552
        6⤵
        Program crash
        
        PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2287356.exe

Filesize
836KB

MD5
a087c26628ffd9b843c131bf67d5644d

SHA1
adc85152f0ef23778db13e7f1540ece65a466730

SHA256
cccb67cdd40ea5f595bdf807736f9b2d87558e948ff4f45540ea7a6ee5aafc1b

SHA512
c6bd24fbc334d6aa79d5c168bb3b889677057a8c1a010dbedbca93e06e25802db51164263e60e041551f0c99ef5c7ad872390c940e40366b7db706dd85ea8123

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2287356.exe

Filesize
836KB

MD5
a087c26628ffd9b843c131bf67d5644d

SHA1
adc85152f0ef23778db13e7f1540ece65a466730

SHA256
cccb67cdd40ea5f595bdf807736f9b2d87558e948ff4f45540ea7a6ee5aafc1b

SHA512
c6bd24fbc334d6aa79d5c168bb3b889677057a8c1a010dbedbca93e06e25802db51164263e60e041551f0c99ef5c7ad872390c940e40366b7db706dd85ea8123

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9188735.exe

Filesize
571KB

MD5
3a544f922521ce4481584002ef73b561

SHA1
f44f1df6ca50d69ad445f0431ad63cdaa294bd77

SHA256
02669a29282af563035bed4c2c17feb480eff24feb003c885cea0bdfedb8fb98

SHA512
145aa0f0a22fd1507f7b1688e99db12213c1129d721e09cd06314038460e1b4ea01115d52be89590feec55815421f9ec1eaa1cb4b527a0c2a40a7481ea448b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9188735.exe

Filesize
571KB

MD5
3a544f922521ce4481584002ef73b561

SHA1
f44f1df6ca50d69ad445f0431ad63cdaa294bd77

SHA256
02669a29282af563035bed4c2c17feb480eff24feb003c885cea0bdfedb8fb98

SHA512
145aa0f0a22fd1507f7b1688e99db12213c1129d721e09cd06314038460e1b4ea01115d52be89590feec55815421f9ec1eaa1cb4b527a0c2a40a7481ea448b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1642429.exe

Filesize
394KB

MD5
4af69ff0bdff907bc253b75656aa14ff

SHA1
34e285b1c004c17fa3a2b86e66ebbd85822fe52e

SHA256
0e1069fc479308643b65bad4754893d8c3319c4112477d0291f708a635c9b69d

SHA512
95e12759a9ff88e5147fef2c2ec46539092beec897ec1749338d9af012f621955badf13000adb26df499afa769877922b33d32de3a3a51bf078d22ddba62d19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1642429.exe

Filesize
394KB

MD5
4af69ff0bdff907bc253b75656aa14ff

SHA1
34e285b1c004c17fa3a2b86e66ebbd85822fe52e

SHA256
0e1069fc479308643b65bad4754893d8c3319c4112477d0291f708a635c9b69d

SHA512
95e12759a9ff88e5147fef2c2ec46539092beec897ec1749338d9af012f621955badf13000adb26df499afa769877922b33d32de3a3a51bf078d22ddba62d19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8402262.exe

Filesize
365KB

MD5
d9b8fd5b9c81ae17abb3ecb1b0787ee4

SHA1
37e2ca1afb3ae19847a3f9ca50872c63f5266505

SHA256
6e477c5a93e5e9d66d2dcc92d7a2613a47c3b583d80458a129e991d24b842e71

SHA512
a87beb6967ee0aacd4397475b1bc0a3447b776a983ab7d029eda615c5457da35846c1a72a3bcf25bb6702c588c1179f402f0b03834bc29010c5d69b7200ae60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8402262.exe

Filesize
365KB

MD5
d9b8fd5b9c81ae17abb3ecb1b0787ee4

SHA1
37e2ca1afb3ae19847a3f9ca50872c63f5266505

SHA256
6e477c5a93e5e9d66d2dcc92d7a2613a47c3b583d80458a129e991d24b842e71

SHA512
a87beb6967ee0aacd4397475b1bc0a3447b776a983ab7d029eda615c5457da35846c1a72a3bcf25bb6702c588c1179f402f0b03834bc29010c5d69b7200ae60a

Download Submit
memory/3752-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3752-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3752-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3752-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads