e2eb0c42113301f0bbb8c9ab10b0686737d7073e58f4152354b765a76f8c1082

General

Target

e2eb0c42113301f0bbb8c9ab10b0686737d7073e58f4152354b765a76f8c1082.exe
Size

929KB
MD5

782a29b15b9f15e642e646d7fcbd645c
SHA1

69a9b7fed45cab1bdaeb725dc05e41086a972dc7
SHA256

e2eb0c42113301f0bbb8c9ab10b0686737d7073e58f4152354b765a76f8c1082
SHA512

634ed180791412e51df4136dd5441774730798c4f987eca8d63de29f0e76a8db1f16791bd6c3718f1c3d4622b969c3ea2f670a5c8f92808e4fad6d3750bb3bd7
SSDEEP

24576:QysQqJkNdRnNzTMhjGX+ZnneoXMrDSa0BKY:XTJdRnqc8eFDSBM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2200	x1507842.exe
4200	x9134059.exe
4652	x9743692.exe
4472	g5667323.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1507842.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9134059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9743692.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e2eb0c42113301f0bbb8c9ab10b0686737d7073e58f4152354b765a76f8c1082.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4472 set thread context of 1484	4472	g5667323.exe	74

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2712	4472	WerFault.exe	73
4356	1484	WerFault.exe	74

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 2200	3536	e2eb0c42113301f0bbb8c9ab10b0686737d7073e58f4152354b765a76f8c1082.exe	70
PID 3536 wrote to memory of 2200	3536	e2eb0c42113301f0bbb8c9ab10b0686737d7073e58f4152354b765a76f8c1082.exe	70
PID 3536 wrote to memory of 2200	3536	e2eb0c42113301f0bbb8c9ab10b0686737d7073e58f4152354b765a76f8c1082.exe	70
PID 2200 wrote to memory of 4200	2200	x1507842.exe	71
PID 2200 wrote to memory of 4200	2200	x1507842.exe	71
PID 2200 wrote to memory of 4200	2200	x1507842.exe	71
PID 4200 wrote to memory of 4652	4200	x9134059.exe	72
PID 4200 wrote to memory of 4652	4200	x9134059.exe	72
PID 4200 wrote to memory of 4652	4200	x9134059.exe	72
PID 4652 wrote to memory of 4472	4652	x9743692.exe	73
PID 4652 wrote to memory of 4472	4652	x9743692.exe	73
PID 4652 wrote to memory of 4472	4652	x9743692.exe	73
PID 4472 wrote to memory of 1484	4472	g5667323.exe	74
PID 4472 wrote to memory of 1484	4472	g5667323.exe	74
PID 4472 wrote to memory of 1484	4472	g5667323.exe	74
PID 4472 wrote to memory of 1484	4472	g5667323.exe	74
PID 4472 wrote to memory of 1484	4472	g5667323.exe	74
PID 4472 wrote to memory of 1484	4472	g5667323.exe	74
PID 4472 wrote to memory of 1484	4472	g5667323.exe	74
PID 4472 wrote to memory of 1484	4472	g5667323.exe	74
PID 4472 wrote to memory of 1484	4472	g5667323.exe	74
PID 4472 wrote to memory of 1484	4472	g5667323.exe	74

C:\Users\Admin\AppData\Local\Temp\e2eb0c42113301f0bbb8c9ab10b0686737d7073e58f4152354b765a76f8c1082.exe
"C:\Users\Admin\AppData\Local\Temp\e2eb0c42113301f0bbb8c9ab10b0686737d7073e58f4152354b765a76f8c1082.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1507842.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1507842.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9134059.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9134059.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9743692.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9743692.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4652
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5667323.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5667323.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 568
        7⤵
        Program crash
        
        PID:4356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 568
        6⤵
        Program crash
        
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1507842.exe

Filesize
827KB

MD5
56e4e879ddc217a18aee4bc54fe4cfca

SHA1
04f9e2a7180d5306f30844116cec40710702c8d9

SHA256
2d1f9528698983247bdddc6c939f1fa42eccaddd315cdb70f737bfb1a1a159ec

SHA512
c9ca8eded4d1a5314bcd5d30ab7d0dc9a435f6ab8c86fb5a95ca01a2881090580c1f929baa9ce62c13008ce7a6aecfd23bfadcefd5113dfe05586778b6895eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1507842.exe

Filesize
827KB

MD5
56e4e879ddc217a18aee4bc54fe4cfca

SHA1
04f9e2a7180d5306f30844116cec40710702c8d9

SHA256
2d1f9528698983247bdddc6c939f1fa42eccaddd315cdb70f737bfb1a1a159ec

SHA512
c9ca8eded4d1a5314bcd5d30ab7d0dc9a435f6ab8c86fb5a95ca01a2881090580c1f929baa9ce62c13008ce7a6aecfd23bfadcefd5113dfe05586778b6895eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9134059.exe

Filesize
566KB

MD5
34c7cf04972587f742524ae9f15133dc

SHA1
59977815e981a8459a0301d28cf69a8a7b98f1a4

SHA256
528158348c8a8219388cce1da8196fd1e85197fd9269f03532d9f4487fa689e2

SHA512
e9c57b013d19aa1333cc5d1091c2c25344b11db1177806a06a036fd79f1372da0071557144a587560bcf7596a5921d24765e8683e6f095d197744cc3dd4cae49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9134059.exe

Filesize
566KB

MD5
34c7cf04972587f742524ae9f15133dc

SHA1
59977815e981a8459a0301d28cf69a8a7b98f1a4

SHA256
528158348c8a8219388cce1da8196fd1e85197fd9269f03532d9f4487fa689e2

SHA512
e9c57b013d19aa1333cc5d1091c2c25344b11db1177806a06a036fd79f1372da0071557144a587560bcf7596a5921d24765e8683e6f095d197744cc3dd4cae49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9743692.exe

Filesize
389KB

MD5
8bcc5f1b1518393e1bab58daf1a2d472

SHA1
f86ffe8889c43f0dbbbce13853054fcb68d41360

SHA256
230d9e22d5bd01da75ffd7c7d94b7d3bb10e48d176e5a3f6375adc6a0a4aff7c

SHA512
2fa50361b9b67f0abab88231aab2d7e5d428fd88432033bbce45bbdb26894b1c9532042bf58db7ca25204c0e92d8ef2544076b5ccea931706fc93a2bb3098817

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9743692.exe

Filesize
389KB

MD5
8bcc5f1b1518393e1bab58daf1a2d472

SHA1
f86ffe8889c43f0dbbbce13853054fcb68d41360

SHA256
230d9e22d5bd01da75ffd7c7d94b7d3bb10e48d176e5a3f6375adc6a0a4aff7c

SHA512
2fa50361b9b67f0abab88231aab2d7e5d428fd88432033bbce45bbdb26894b1c9532042bf58db7ca25204c0e92d8ef2544076b5ccea931706fc93a2bb3098817

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5667323.exe

Filesize
364KB

MD5
01a0c9e4318da98a1b33b52338e6010e

SHA1
2811e54f7c058f6ead49bb2ccf757d334f371e9b

SHA256
505c385532acabde9cca70d4fa8cc9e48b4cf3643ba42c6daa2d12acf270d643

SHA512
1a67d20319f2cc5ae114388967794cb12f7a7dfeb64379378fc0370882021db96b95898c3890b3b749f4a245d05878b600e45132de4f81d1f44b7088fc27e730

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5667323.exe

Filesize
364KB

MD5
01a0c9e4318da98a1b33b52338e6010e

SHA1
2811e54f7c058f6ead49bb2ccf757d334f371e9b

SHA256
505c385532acabde9cca70d4fa8cc9e48b4cf3643ba42c6daa2d12acf270d643

SHA512
1a67d20319f2cc5ae114388967794cb12f7a7dfeb64379378fc0370882021db96b95898c3890b3b749f4a245d05878b600e45132de4f81d1f44b7088fc27e730

Download Submit
memory/1484-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1484-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1484-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1484-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads