e86371e85b85a537b93ab695e320bfaf44334ee909d26fb4a002ce5a4970855c

General

Target

e86371e85b85a537b93ab695e320bfaf44334ee909d26fb4a002ce5a4970855c.exe
Size

928KB
MD5

9329c59e3256393dfe43b3accced48a3
SHA1

41dbc62464a75f2c90c9480df6c9bd1b15f3063f
SHA256

e86371e85b85a537b93ab695e320bfaf44334ee909d26fb4a002ce5a4970855c
SHA512

3861ababfa8ae3267257d17ba0c4930569500e71c2b92465d21f5fa3c796a5bd705713578e831d04b3f2071e3f949a6bfc5f9434ac46c11e81b1f643582e779e
SSDEEP

24576:ayL4go7iBTIItdRzqFsl4cVLFtAznXmyKC9McuP3:hH7xIIzasl7FArmi+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3684	x3554683.exe
1116	x7876641.exe
164	x2352580.exe
3264	g6763618.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e86371e85b85a537b93ab695e320bfaf44334ee909d26fb4a002ce5a4970855c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3554683.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7876641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2352580.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3264 set thread context of 4860	3264	g6763618.exe	74

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3556	3264	WerFault.exe	73
3872	4860	WerFault.exe	74

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 3684	836	e86371e85b85a537b93ab695e320bfaf44334ee909d26fb4a002ce5a4970855c.exe	70
PID 836 wrote to memory of 3684	836	e86371e85b85a537b93ab695e320bfaf44334ee909d26fb4a002ce5a4970855c.exe	70
PID 836 wrote to memory of 3684	836	e86371e85b85a537b93ab695e320bfaf44334ee909d26fb4a002ce5a4970855c.exe	70
PID 3684 wrote to memory of 1116	3684	x3554683.exe	71
PID 3684 wrote to memory of 1116	3684	x3554683.exe	71
PID 3684 wrote to memory of 1116	3684	x3554683.exe	71
PID 1116 wrote to memory of 164	1116	x7876641.exe	72
PID 1116 wrote to memory of 164	1116	x7876641.exe	72
PID 1116 wrote to memory of 164	1116	x7876641.exe	72
PID 164 wrote to memory of 3264	164	x2352580.exe	73
PID 164 wrote to memory of 3264	164	x2352580.exe	73
PID 164 wrote to memory of 3264	164	x2352580.exe	73
PID 3264 wrote to memory of 4860	3264	g6763618.exe	74
PID 3264 wrote to memory of 4860	3264	g6763618.exe	74
PID 3264 wrote to memory of 4860	3264	g6763618.exe	74
PID 3264 wrote to memory of 4860	3264	g6763618.exe	74
PID 3264 wrote to memory of 4860	3264	g6763618.exe	74
PID 3264 wrote to memory of 4860	3264	g6763618.exe	74
PID 3264 wrote to memory of 4860	3264	g6763618.exe	74
PID 3264 wrote to memory of 4860	3264	g6763618.exe	74
PID 3264 wrote to memory of 4860	3264	g6763618.exe	74
PID 3264 wrote to memory of 4860	3264	g6763618.exe	74

C:\Users\Admin\AppData\Local\Temp\e86371e85b85a537b93ab695e320bfaf44334ee909d26fb4a002ce5a4970855c.exe
"C:\Users\Admin\AppData\Local\Temp\e86371e85b85a537b93ab695e320bfaf44334ee909d26fb4a002ce5a4970855c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3554683.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3554683.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7876641.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7876641.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2352580.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2352580.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:164
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6763618.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6763618.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3264
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 568
        7⤵
        Program crash
        
        PID:3872
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 552
        6⤵
        Program crash
        
        PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3554683.exe

Filesize
826KB

MD5
6867c6649835a117e4d74a27206dee59

SHA1
9b0cd223f11b70a94828296c618d374d98f1833f

SHA256
0a94277adab60faf4c123fdceeedc9751aef9bd6188ea2a82076c22b354cca76

SHA512
a5c15feae5ba64acee79858e708d33144de8ee46b2879b8af22552c87e4964da17a50f39b86985f407394aa7233acd25e02ef6c415937621918e7b851df1d840

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3554683.exe

Filesize
826KB

MD5
6867c6649835a117e4d74a27206dee59

SHA1
9b0cd223f11b70a94828296c618d374d98f1833f

SHA256
0a94277adab60faf4c123fdceeedc9751aef9bd6188ea2a82076c22b354cca76

SHA512
a5c15feae5ba64acee79858e708d33144de8ee46b2879b8af22552c87e4964da17a50f39b86985f407394aa7233acd25e02ef6c415937621918e7b851df1d840

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7876641.exe

Filesize
566KB

MD5
3f32fc3cd3bc6f14bd5aebfc066ad176

SHA1
da52af5a274a98c5269be3ee60c090473825d94a

SHA256
1017640181276cbe0507533e99dec5ecfb9a2727994f75aa63945921a80b623d

SHA512
740c3af140914f2a01daad7f2d32972cbc2aa37ebe9fd57d7d7d7b44a329e01b3a49504e22e78b3c2f1ff05a9d8dc492e7c8b8488bd69165f42d9b65ce12e7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7876641.exe

Filesize
566KB

MD5
3f32fc3cd3bc6f14bd5aebfc066ad176

SHA1
da52af5a274a98c5269be3ee60c090473825d94a

SHA256
1017640181276cbe0507533e99dec5ecfb9a2727994f75aa63945921a80b623d

SHA512
740c3af140914f2a01daad7f2d32972cbc2aa37ebe9fd57d7d7d7b44a329e01b3a49504e22e78b3c2f1ff05a9d8dc492e7c8b8488bd69165f42d9b65ce12e7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2352580.exe

Filesize
389KB

MD5
5ebc45bef32b4bd8cb7712f404636f3f

SHA1
1d51594b481ac33fdc38882e41a52d8fb5008eec

SHA256
a31ef5d66f92625e33b9bb758db4f5df1b360a786b077fcfbb5f2b26d6abee0b

SHA512
5eaca1ff0018c1b961197a9dbe9b2abef157d55ce065b7f669d13e06bcc6cbdeddb3e8bba912dc34022ac55b1c38b810d30262c6dc234ad06be4ba6364efd01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2352580.exe

Filesize
389KB

MD5
5ebc45bef32b4bd8cb7712f404636f3f

SHA1
1d51594b481ac33fdc38882e41a52d8fb5008eec

SHA256
a31ef5d66f92625e33b9bb758db4f5df1b360a786b077fcfbb5f2b26d6abee0b

SHA512
5eaca1ff0018c1b961197a9dbe9b2abef157d55ce065b7f669d13e06bcc6cbdeddb3e8bba912dc34022ac55b1c38b810d30262c6dc234ad06be4ba6364efd01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6763618.exe

Filesize
364KB

MD5
727d6979154e7a6076324d463adefe0a

SHA1
1b215b7985d0326c30654bc80173910055d73f58

SHA256
16aaf073d9b39087c217303a38a154f548ee2a32a8d44af18d3837ca98a2d42b

SHA512
0004f6d33b6918c25a8911445f5d3bc01a7b982f4eb25e9a9c9ae1771aa68af3f0e1fe361d2b1c0fc0994731c4cf8f4b4b5f3ae1a7a28315fbff9982a9e6780a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6763618.exe

Filesize
364KB

MD5
727d6979154e7a6076324d463adefe0a

SHA1
1b215b7985d0326c30654bc80173910055d73f58

SHA256
16aaf073d9b39087c217303a38a154f548ee2a32a8d44af18d3837ca98a2d42b

SHA512
0004f6d33b6918c25a8911445f5d3bc01a7b982f4eb25e9a9c9ae1771aa68af3f0e1fe361d2b1c0fc0994731c4cf8f4b4b5f3ae1a7a28315fbff9982a9e6780a

Download Submit
memory/4860-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4860-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4860-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4860-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads