Analysis

Max time kernel: 119s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20230831-en
Resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
Submitted: 23/09/2023, 19:34
Static task: static1

Behavioral task: behavioral1
  Sample: fa583b821101e18da1b8bc386ea46a31505501fada69f1a6b18087178c99bb31_JC.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: fa583b821101e18da1b8bc386ea46a31505501fada69f1a6b18087178c99bb31_JC.exe
  Resource: win10v2004-20230915-en
General

Target: fa583b821101e18da1b8bc386ea46a31505501fada69f1a6b18087178c99bb31_JC.exe
Size: 1.3MB
MD5: d6f1ffa454b8ba8e77176d147b0df30b
SHA1: adadd0cb096367d7fc426590e3af616a9110b003
SHA256: fa583b821101e18da1b8bc386ea46a31505501fada69f1a6b18087178c99bb31
SHA512: d10338b6cafbea630cd372da0df31a7926d746bb184467d847c351ebc54984838cd90a028417607e00fa0542d7e788a3a39d1d22116f6f5651dcd0b10536853f
SSDEEP: 24576:gyTwwbwuxshAQkIlYmCi+qPojNMKP9rxvk5Gz4SR5OCrs05hcxDViUb2H:nTwwbwu6nf/t6NMKP9rlk5GzAa5cxxit
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
  PID   Process
  1696  v2928939.exe
  1228  v9499496.exe
  2744  v3156930.exe
  3060  a9258703.exe

Loads dropped DLL (13 IoCs; identical rows collapsed, with the number of occurrences)
  PID   Process                                                                     Occurrences
  2068  fa583b821101e18da1b8bc386ea46a31505501fada69f1a6b18087178c99bb31_JC.exe  1
  1696  v2928939.exe                                                                2
  1228  v9499496.exe                                                                2
  2744  v3156930.exe                                                                3
  3060  a9258703.exe                                                                1
  3064  WerFault.exe                                                                4

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
    Process: fa583b821101e18da1b8bc386ea46a31505501fada69f1a6b18087178c99bb31_JC.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
    Process: v2928939.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
    Process: v9499496.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
    Process: v3156930.exe

Suspicious use of SetThreadContext (1 IoC)
  PID   Process       Action                        Target procid
  3060  a9258703.exe  set thread context of 2660    33

Program crash (2 IoCs)
  PID   Target PID  Process       Target procid
  3064  3060        WerFault.exe  31
  2748  2660        WerFault.exe  33

Suspicious use of WriteProcessMemory (56 IoCs; identical rows collapsed, with the number of occurrences)
  Source PID  Target PID  Source process                                                              Target procid  Occurrences
  2068        1696        fa583b821101e18da1b8bc386ea46a31505501fada69f1a6b18087178c99bb31_JC.exe  28             7
  1696        1228        v2928939.exe                                                                29             7
  1228        2744        v9499496.exe                                                                30             7
  2744        3060        v3156930.exe                                                                31             7
  3060        2660        a9258703.exe                                                                33             14
  3060        3064        a9258703.exe                                                                34             7
  2660        2748        AppLaunch.exe                                                               35             7
Processes (indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\fa583b821101e18da1b8bc386ea46a31505501fada69f1a6b18087178c99bb31_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa583b821101e18da1b8bc386ea46a31505501fada69f1a6b18087178c99bb31_JC.exe"
  PID: 2068
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2928939.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2928939.exe
    PID: 1696
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9499496.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9499496.exe
      PID: 1228
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3156930.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3156930.exe
        PID: 2744
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9258703.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9258703.exe
          PID: 3060
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 2660
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 268
              PID: 2748
              - Program crash

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 268
            PID: 3064
            - Loads dropped DLL
            - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads