ee9f89e6b0f995d06db40474a2cbd34f9722f40c1562180dc9e9fe5bd2afc95c

General

Target

ee9f89e6b0f995d06db40474a2cbd34f9722f40c1562180dc9e9fe5bd2afc95c.exe
Size

938KB
MD5

2ec0f6764b6cff6bd343ce0ad8d75cdf
SHA1

ec630a174a11e34c294dd54dbc7acc86a3201bc5
SHA256

ee9f89e6b0f995d06db40474a2cbd34f9722f40c1562180dc9e9fe5bd2afc95c
SHA512

369d690e6352aa10b719e3087d77880e00755cc03b1f4db97549586ab5991f1201c264483240a637933fb13e36394fbddc850a2ac86c2e87cdee985c52c6806f
SSDEEP

12288:OMriy90Sns3+5GiD6eD87R4Fwrzs9/UkE13fBPsNnFGQSRCmtS9ex2KT3QT9OK2S:wy3sO3Q9VHsE3B0ncQSRCl9ex2CY9NF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4548	x3322071.exe
3288	x1743551.exe
5072	x0712862.exe
4792	g9432397.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1743551.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0712862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ee9f89e6b0f995d06db40474a2cbd34f9722f40c1562180dc9e9fe5bd2afc95c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3322071.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4792 set thread context of 4304	4792	g9432397.exe	74

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3264	4792	WerFault.exe	73
4120	4304	WerFault.exe	74

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 4548	4924	ee9f89e6b0f995d06db40474a2cbd34f9722f40c1562180dc9e9fe5bd2afc95c.exe	70
PID 4924 wrote to memory of 4548	4924	ee9f89e6b0f995d06db40474a2cbd34f9722f40c1562180dc9e9fe5bd2afc95c.exe	70
PID 4924 wrote to memory of 4548	4924	ee9f89e6b0f995d06db40474a2cbd34f9722f40c1562180dc9e9fe5bd2afc95c.exe	70
PID 4548 wrote to memory of 3288	4548	x3322071.exe	71
PID 4548 wrote to memory of 3288	4548	x3322071.exe	71
PID 4548 wrote to memory of 3288	4548	x3322071.exe	71
PID 3288 wrote to memory of 5072	3288	x1743551.exe	72
PID 3288 wrote to memory of 5072	3288	x1743551.exe	72
PID 3288 wrote to memory of 5072	3288	x1743551.exe	72
PID 5072 wrote to memory of 4792	5072	x0712862.exe	73
PID 5072 wrote to memory of 4792	5072	x0712862.exe	73
PID 5072 wrote to memory of 4792	5072	x0712862.exe	73
PID 4792 wrote to memory of 4304	4792	g9432397.exe	74
PID 4792 wrote to memory of 4304	4792	g9432397.exe	74
PID 4792 wrote to memory of 4304	4792	g9432397.exe	74
PID 4792 wrote to memory of 4304	4792	g9432397.exe	74
PID 4792 wrote to memory of 4304	4792	g9432397.exe	74
PID 4792 wrote to memory of 4304	4792	g9432397.exe	74
PID 4792 wrote to memory of 4304	4792	g9432397.exe	74
PID 4792 wrote to memory of 4304	4792	g9432397.exe	74
PID 4792 wrote to memory of 4304	4792	g9432397.exe	74
PID 4792 wrote to memory of 4304	4792	g9432397.exe	74

C:\Users\Admin\AppData\Local\Temp\ee9f89e6b0f995d06db40474a2cbd34f9722f40c1562180dc9e9fe5bd2afc95c.exe
"C:\Users\Admin\AppData\Local\Temp\ee9f89e6b0f995d06db40474a2cbd34f9722f40c1562180dc9e9fe5bd2afc95c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3322071.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3322071.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1743551.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1743551.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0712862.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0712862.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9432397.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9432397.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4792
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 568
        7⤵
        Program crash
        
        PID:4120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 552
        6⤵
        Program crash
        
        PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3322071.exe

Filesize
836KB

MD5
c7dc81251fca492446c174acfb51a9dc

SHA1
db4cadefc805f517313990fc900d4f4314f610a9

SHA256
e56d22c2c04293539855871947275b394ec41747e3371e72b92fbb3622d067e1

SHA512
bafaa317ecc25f6215b72c1afd609b85d473ae721b4b039e61b655271cac3ef04a09e596ad9c801e99bac60db7fe5effd4f18d865ed40dd278e06d14041ded5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3322071.exe

Filesize
836KB

MD5
c7dc81251fca492446c174acfb51a9dc

SHA1
db4cadefc805f517313990fc900d4f4314f610a9

SHA256
e56d22c2c04293539855871947275b394ec41747e3371e72b92fbb3622d067e1

SHA512
bafaa317ecc25f6215b72c1afd609b85d473ae721b4b039e61b655271cac3ef04a09e596ad9c801e99bac60db7fe5effd4f18d865ed40dd278e06d14041ded5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1743551.exe

Filesize
571KB

MD5
eeb6edaac37751ca3c943815ee94d0d0

SHA1
694058a739f5bbe65202fd064b5077e6f78d33ef

SHA256
a7ce2cc7b9c78cd906283c9ecc7cca7f0c524f0083f2a496ea8bb346aa934578

SHA512
1fb6109e00451ee9db35bcfe5460b1797db5ea486c120bba1c45a81303e725ceb720cfa93da12867567b0c43a5bd8fcedcf403a356d97592d52992fa9549046b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1743551.exe

Filesize
571KB

MD5
eeb6edaac37751ca3c943815ee94d0d0

SHA1
694058a739f5bbe65202fd064b5077e6f78d33ef

SHA256
a7ce2cc7b9c78cd906283c9ecc7cca7f0c524f0083f2a496ea8bb346aa934578

SHA512
1fb6109e00451ee9db35bcfe5460b1797db5ea486c120bba1c45a81303e725ceb720cfa93da12867567b0c43a5bd8fcedcf403a356d97592d52992fa9549046b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0712862.exe

Filesize
394KB

MD5
52dc3f13fd429faeeb0691e0109f2422

SHA1
779d7b576530c8d01cd506152441b54a4675532f

SHA256
0cfb7396074cd02268f5760d9c8f87cd1a91c2d1c4c4395b415e6326d1dd0838

SHA512
8432dd2b197990a9f39dd9bb886b8329f1823fda0cad83984fcd1ea637f123835a5222f923cfa644e9933119c8edb90b98bcabeb347c10d2fb28fd7261f74404

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0712862.exe

Filesize
394KB

MD5
52dc3f13fd429faeeb0691e0109f2422

SHA1
779d7b576530c8d01cd506152441b54a4675532f

SHA256
0cfb7396074cd02268f5760d9c8f87cd1a91c2d1c4c4395b415e6326d1dd0838

SHA512
8432dd2b197990a9f39dd9bb886b8329f1823fda0cad83984fcd1ea637f123835a5222f923cfa644e9933119c8edb90b98bcabeb347c10d2fb28fd7261f74404

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9432397.exe

Filesize
365KB

MD5
c470aa98dc5d8a2669042b97943b5876

SHA1
90b7158d17143d4e91a18e959b12adfd03fb7227

SHA256
d6774215a9ab7abadab4274aabdbddfd21873ecf5a624a726434a49f2da663e5

SHA512
00dfc6977d0e588aeaf96e6061d9677a352e8cfd3cca9eb2ac5ec73bd79afafba9affcdd4baa2aa959fab2f42b3984ef9abe8b78c562de5598e04c710dbb2447

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9432397.exe

Filesize
365KB

MD5
c470aa98dc5d8a2669042b97943b5876

SHA1
90b7158d17143d4e91a18e959b12adfd03fb7227

SHA256
d6774215a9ab7abadab4274aabdbddfd21873ecf5a624a726434a49f2da663e5

SHA512
00dfc6977d0e588aeaf96e6061d9677a352e8cfd3cca9eb2ac5ec73bd79afafba9affcdd4baa2aa959fab2f42b3984ef9abe8b78c562de5598e04c710dbb2447

Download Submit
memory/4304-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4304-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4304-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4304-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads