7205402ff64bc3f67000f198c5193c01e44823724bbe6db455601d94f490a535

General

Target

7205402ff64bc3f67000f198c5193c01e44823724bbe6db455601d94f490a535.exe
Size

928KB
MD5

bbf349f1ac6b14881515896d5819d0a7
SHA1

2be4202c77bab94925a309fa1f7ecd997afc21e5
SHA256

7205402ff64bc3f67000f198c5193c01e44823724bbe6db455601d94f490a535
SHA512

a2017a6877794d5c72b74a0ab2ec6c368ae5c9d60155818d2c2091b65f9107ea75543b7b2ec862b60062d135e113c5240aa4cc9d1f2877d3689a84107babfbf7
SSDEEP

24576:tyXFvfHZwiTP7jgQvP+G0MYwePrc1O8ogxOWFEvxQmo:IXFvfHZ/Djg6H0BrZLZWOim

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
5064	x5320666.exe
2528	x2791908.exe
1168	x4909937.exe
4244	g7753941.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7205402ff64bc3f67000f198c5193c01e44823724bbe6db455601d94f490a535.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5320666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2791908.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4909937.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4244 set thread context of 2572	4244	g7753941.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3368	4244	WerFault.exe	73
3720	2572	WerFault.exe	75

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 5064	3928	7205402ff64bc3f67000f198c5193c01e44823724bbe6db455601d94f490a535.exe	70
PID 3928 wrote to memory of 5064	3928	7205402ff64bc3f67000f198c5193c01e44823724bbe6db455601d94f490a535.exe	70
PID 3928 wrote to memory of 5064	3928	7205402ff64bc3f67000f198c5193c01e44823724bbe6db455601d94f490a535.exe	70
PID 5064 wrote to memory of 2528	5064	x5320666.exe	71
PID 5064 wrote to memory of 2528	5064	x5320666.exe	71
PID 5064 wrote to memory of 2528	5064	x5320666.exe	71
PID 2528 wrote to memory of 1168	2528	x2791908.exe	72
PID 2528 wrote to memory of 1168	2528	x2791908.exe	72
PID 2528 wrote to memory of 1168	2528	x2791908.exe	72
PID 1168 wrote to memory of 4244	1168	x4909937.exe	73
PID 1168 wrote to memory of 4244	1168	x4909937.exe	73
PID 1168 wrote to memory of 4244	1168	x4909937.exe	73
PID 4244 wrote to memory of 2572	4244	g7753941.exe	75
PID 4244 wrote to memory of 2572	4244	g7753941.exe	75
PID 4244 wrote to memory of 2572	4244	g7753941.exe	75
PID 4244 wrote to memory of 2572	4244	g7753941.exe	75
PID 4244 wrote to memory of 2572	4244	g7753941.exe	75
PID 4244 wrote to memory of 2572	4244	g7753941.exe	75
PID 4244 wrote to memory of 2572	4244	g7753941.exe	75
PID 4244 wrote to memory of 2572	4244	g7753941.exe	75
PID 4244 wrote to memory of 2572	4244	g7753941.exe	75
PID 4244 wrote to memory of 2572	4244	g7753941.exe	75

C:\Users\Admin\AppData\Local\Temp\7205402ff64bc3f67000f198c5193c01e44823724bbe6db455601d94f490a535.exe
"C:\Users\Admin\AppData\Local\Temp\7205402ff64bc3f67000f198c5193c01e44823724bbe6db455601d94f490a535.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5320666.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5320666.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2791908.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2791908.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4909937.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4909937.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7753941.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7753941.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4244
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 568
        7⤵
        Program crash
        
        PID:3720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 572
        6⤵
        Program crash
        
        PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5320666.exe

Filesize
826KB

MD5
8f90d505f03573b501046a5ba623c757

SHA1
8974ca50342fcbd203327f433fb05578baf54296

SHA256
87d892526699bd917d535e58347463abb991544a32afb8e89a5146c05b1030ea

SHA512
885da02e40d5afc07463f257d54800ef21755176139751e336e871c5f6665b173708c43964e876eb7b4c8c676cfa2739ca90737eb0da23f048a37a0ee0a99be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5320666.exe

Filesize
826KB

MD5
8f90d505f03573b501046a5ba623c757

SHA1
8974ca50342fcbd203327f433fb05578baf54296

SHA256
87d892526699bd917d535e58347463abb991544a32afb8e89a5146c05b1030ea

SHA512
885da02e40d5afc07463f257d54800ef21755176139751e336e871c5f6665b173708c43964e876eb7b4c8c676cfa2739ca90737eb0da23f048a37a0ee0a99be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2791908.exe

Filesize
555KB

MD5
e1e4633918666ea3f458fee5ff31f31e

SHA1
88036734407396e579a9703578acfb0cd9b15a09

SHA256
ad056b57f0e633c2ecf6d14cff40ed2d366b1dea44e29fbd7a32462c63afb82b

SHA512
2890a7b3fe213f25d2f9484853c781d92febf74e1d98ff57cac2022c14d3976efac5dc54d0ac9b7b731400addfe86412e57689b10a91eff6ddfaf98cfa2027ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2791908.exe

Filesize
555KB

MD5
e1e4633918666ea3f458fee5ff31f31e

SHA1
88036734407396e579a9703578acfb0cd9b15a09

SHA256
ad056b57f0e633c2ecf6d14cff40ed2d366b1dea44e29fbd7a32462c63afb82b

SHA512
2890a7b3fe213f25d2f9484853c781d92febf74e1d98ff57cac2022c14d3976efac5dc54d0ac9b7b731400addfe86412e57689b10a91eff6ddfaf98cfa2027ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4909937.exe

Filesize
389KB

MD5
57ef24e45e581836c2babf4b0928923e

SHA1
189ee66924e37db14423034822216c4ec675c02a

SHA256
f675e978f0414ffc3cb504c8dab30c7bb0fdba884cbc03b12b55ab017239a50f

SHA512
8e027e22a34270105b95a94849186b53d4ee2feff308110144304c9f35217fcd9f30dbd40570af515e70062d7277502f571398f524c2961a0d6837f08661098b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4909937.exe

Filesize
389KB

MD5
57ef24e45e581836c2babf4b0928923e

SHA1
189ee66924e37db14423034822216c4ec675c02a

SHA256
f675e978f0414ffc3cb504c8dab30c7bb0fdba884cbc03b12b55ab017239a50f

SHA512
8e027e22a34270105b95a94849186b53d4ee2feff308110144304c9f35217fcd9f30dbd40570af515e70062d7277502f571398f524c2961a0d6837f08661098b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7753941.exe

Filesize
356KB

MD5
bab1b99956076a291c8ac5eb5af9c117

SHA1
13c92d4af43b0d14a5c518d5ad1c15ed61d58d03

SHA256
e9f2fad21cb9b9a821ecf98c7d7653a3ef7d7b065dd3142de98c342a8f9c13fe

SHA512
147749b33255b3a48061723a7272d00e9ab83bd89cf49d42bffd962bd2b3b256e2a133e83306e0ea7a6c32dc01c2245143d21df4f3e3314e0d037cc9d86feaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7753941.exe

Filesize
356KB

MD5
bab1b99956076a291c8ac5eb5af9c117

SHA1
13c92d4af43b0d14a5c518d5ad1c15ed61d58d03

SHA256
e9f2fad21cb9b9a821ecf98c7d7653a3ef7d7b065dd3142de98c342a8f9c13fe

SHA512
147749b33255b3a48061723a7272d00e9ab83bd89cf49d42bffd962bd2b3b256e2a133e83306e0ea7a6c32dc01c2245143d21df4f3e3314e0d037cc9d86feaea

Download Submit
memory/2572-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2572-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2572-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2572-34-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads