2b3309edbf22de898d3fbde8a7f6416abd99b31c364680a32e498d23512f1cac

General

Target

2b3309edbf22de898d3fbde8a7f6416abd99b31c364680a32e498d23512f1cac.exe
Size

937KB
MD5

c8623f56dfdb8ceb9460bc79455d1d08
SHA1

e3d3aae075500a7df8f2839bacd71ada439e6019
SHA256

2b3309edbf22de898d3fbde8a7f6416abd99b31c364680a32e498d23512f1cac
SHA512

ab279008eae49c785652b8681283fe297b21fb3941cacf6e089c0b7938fcc4b95bc17c9c0c19c85de77691622b2f081c1a7197155155f15cc271ab4aeda6f1a4
SSDEEP

24576:QyYDf/wwZWaggWTNrJeXs1wCGeWWJpdUpt:XgS9gWJrJeXsmCGGJ8p

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2808	x5050682.exe
4884	x7399270.exe
2236	x7513767.exe
1108	g5803156.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b3309edbf22de898d3fbde8a7f6416abd99b31c364680a32e498d23512f1cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5050682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7399270.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7513767.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 4864	1108	g5803156.exe	73

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4536	1108	WerFault.exe	72
3952	4864	WerFault.exe	73

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 2808	4104	2b3309edbf22de898d3fbde8a7f6416abd99b31c364680a32e498d23512f1cac.exe	69
PID 4104 wrote to memory of 2808	4104	2b3309edbf22de898d3fbde8a7f6416abd99b31c364680a32e498d23512f1cac.exe	69
PID 4104 wrote to memory of 2808	4104	2b3309edbf22de898d3fbde8a7f6416abd99b31c364680a32e498d23512f1cac.exe	69
PID 2808 wrote to memory of 4884	2808	x5050682.exe	70
PID 2808 wrote to memory of 4884	2808	x5050682.exe	70
PID 2808 wrote to memory of 4884	2808	x5050682.exe	70
PID 4884 wrote to memory of 2236	4884	x7399270.exe	71
PID 4884 wrote to memory of 2236	4884	x7399270.exe	71
PID 4884 wrote to memory of 2236	4884	x7399270.exe	71
PID 2236 wrote to memory of 1108	2236	x7513767.exe	72
PID 2236 wrote to memory of 1108	2236	x7513767.exe	72
PID 2236 wrote to memory of 1108	2236	x7513767.exe	72
PID 1108 wrote to memory of 4864	1108	g5803156.exe	73
PID 1108 wrote to memory of 4864	1108	g5803156.exe	73
PID 1108 wrote to memory of 4864	1108	g5803156.exe	73
PID 1108 wrote to memory of 4864	1108	g5803156.exe	73
PID 1108 wrote to memory of 4864	1108	g5803156.exe	73
PID 1108 wrote to memory of 4864	1108	g5803156.exe	73
PID 1108 wrote to memory of 4864	1108	g5803156.exe	73
PID 1108 wrote to memory of 4864	1108	g5803156.exe	73
PID 1108 wrote to memory of 4864	1108	g5803156.exe	73
PID 1108 wrote to memory of 4864	1108	g5803156.exe	73

C:\Users\Admin\AppData\Local\Temp\2b3309edbf22de898d3fbde8a7f6416abd99b31c364680a32e498d23512f1cac.exe
"C:\Users\Admin\AppData\Local\Temp\2b3309edbf22de898d3fbde8a7f6416abd99b31c364680a32e498d23512f1cac.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5050682.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5050682.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7399270.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7399270.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7513767.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7513767.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5803156.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5803156.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1108
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 568
        7⤵
        Program crash
        
        PID:3952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 552
        6⤵
        Program crash
        
        PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5050682.exe

Filesize
836KB

MD5
ec6c59e8d8f32396bad1682dbb030565

SHA1
5fd218d30844cf7b72b86bc9bf432db7fb6f5796

SHA256
86f41d2f66ee9887b3f22f2e7cbd2034f637c4f13d810574c51449813ca54762

SHA512
695d0cae00c85f4e95f64630396c2b12bf2eb09c406f67c654cc9ddcdfae9aa60de84b0b6841c8d33004a7be14b7dbaa858ef5cf7eac8861c15c4bc5cf64c022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5050682.exe

Filesize
836KB

MD5
ec6c59e8d8f32396bad1682dbb030565

SHA1
5fd218d30844cf7b72b86bc9bf432db7fb6f5796

SHA256
86f41d2f66ee9887b3f22f2e7cbd2034f637c4f13d810574c51449813ca54762

SHA512
695d0cae00c85f4e95f64630396c2b12bf2eb09c406f67c654cc9ddcdfae9aa60de84b0b6841c8d33004a7be14b7dbaa858ef5cf7eac8861c15c4bc5cf64c022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7399270.exe

Filesize
571KB

MD5
8c574b3925a313f55fda82b9ca83be44

SHA1
460a5b81009d845d5190a014faea75f47ff57635

SHA256
77ad9b6d778b2ac88e0a5bd8e3069729aa8402e28bd445594726aec815421cd1

SHA512
3d0ed5e83da88b7205844cfa57378289fec85162c27e851e9a0dd0a4fba463fc984ebd7e42f3038ba851170d57684f551316c97325d716eafbd14a1615c5b00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7399270.exe

Filesize
571KB

MD5
8c574b3925a313f55fda82b9ca83be44

SHA1
460a5b81009d845d5190a014faea75f47ff57635

SHA256
77ad9b6d778b2ac88e0a5bd8e3069729aa8402e28bd445594726aec815421cd1

SHA512
3d0ed5e83da88b7205844cfa57378289fec85162c27e851e9a0dd0a4fba463fc984ebd7e42f3038ba851170d57684f551316c97325d716eafbd14a1615c5b00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7513767.exe

Filesize
394KB

MD5
af45258eaf63ca7e2cb7f48c36858fa6

SHA1
eb48d80785443cad0fd422473e85b0ee0dc60b9d

SHA256
b3b087f98613f348714870c757bc151f955f99417df71830c9bca1eff6462793

SHA512
c9ad0bb013cfbe7ae0099b22e834903692996d7fba77937e4e468f49572f9381aea07b5ec621ebb2b7f12339256b9295a89e08aad7ba3f8c0deffa8f22b5de38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7513767.exe

Filesize
394KB

MD5
af45258eaf63ca7e2cb7f48c36858fa6

SHA1
eb48d80785443cad0fd422473e85b0ee0dc60b9d

SHA256
b3b087f98613f348714870c757bc151f955f99417df71830c9bca1eff6462793

SHA512
c9ad0bb013cfbe7ae0099b22e834903692996d7fba77937e4e468f49572f9381aea07b5ec621ebb2b7f12339256b9295a89e08aad7ba3f8c0deffa8f22b5de38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5803156.exe

Filesize
365KB

MD5
d33a5c95fe857bac11505f515f31b0ec

SHA1
6219f73793e80a799a8c7eed69602c15b35b0cd6

SHA256
fb2939d621f560d475aed8e7f5e6df092f7bceda7fa79a9d355a9ab2e0c6979c

SHA512
78654322a5e991471bb4e68f95a106fde521de0b435ec3852bd42ee2ce2c566bb302b5346449ebd4abedefd583ffb3bb45e874eed7daf12ccb4bc9d3c4be340d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5803156.exe

Filesize
365KB

MD5
d33a5c95fe857bac11505f515f31b0ec

SHA1
6219f73793e80a799a8c7eed69602c15b35b0cd6

SHA256
fb2939d621f560d475aed8e7f5e6df092f7bceda7fa79a9d355a9ab2e0c6979c

SHA512
78654322a5e991471bb4e68f95a106fde521de0b435ec3852bd42ee2ce2c566bb302b5346449ebd4abedefd583ffb3bb45e874eed7daf12ccb4bc9d3c4be340d

Download Submit
memory/4864-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4864-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4864-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4864-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads