066ddb1f89d7cc9a116d3efc70ea152b2380ad1dfd89903ffaa12a4c76457f13

General

Target

066ddb1f89d7cc9a116d3efc70ea152b2380ad1dfd89903ffaa12a4c76457f13.exe
Size

928KB
MD5

cae7cccef0bc1a85e7d8e395036ba3f9
SHA1

a2d006e719c3a324ec9e003d95e2daa6d4ecd510
SHA256

066ddb1f89d7cc9a116d3efc70ea152b2380ad1dfd89903ffaa12a4c76457f13
SHA512

b44bcd174de8f44694c5a3297bef4d904741501edad63a73b0578f618610d592c2a3f798479ee97309a890666f7210f0536b8d887706899b75344891731fdf6a
SSDEEP

12288:ZMrSy90cCsxoREsO4uWXnXN3tKxJ6lzXb386qcc+CX8Rabn+VApHd0nHqsY:vy1xZXiXBtgKz28EbnJpHdCqsY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4936	x7963460.exe
1220	x4713418.exe
1088	x8752474.exe
3936	g9895303.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	066ddb1f89d7cc9a116d3efc70ea152b2380ad1dfd89903ffaa12a4c76457f13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7963460.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4713418.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x8752474.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3936 set thread context of 336	3936	g9895303.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4540	336	WerFault.exe	76
4700	3936	WerFault.exe	73

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 4936	2980	066ddb1f89d7cc9a116d3efc70ea152b2380ad1dfd89903ffaa12a4c76457f13.exe	70
PID 2980 wrote to memory of 4936	2980	066ddb1f89d7cc9a116d3efc70ea152b2380ad1dfd89903ffaa12a4c76457f13.exe	70
PID 2980 wrote to memory of 4936	2980	066ddb1f89d7cc9a116d3efc70ea152b2380ad1dfd89903ffaa12a4c76457f13.exe	70
PID 4936 wrote to memory of 1220	4936	x7963460.exe	71
PID 4936 wrote to memory of 1220	4936	x7963460.exe	71
PID 4936 wrote to memory of 1220	4936	x7963460.exe	71
PID 1220 wrote to memory of 1088	1220	x4713418.exe	72
PID 1220 wrote to memory of 1088	1220	x4713418.exe	72
PID 1220 wrote to memory of 1088	1220	x4713418.exe	72
PID 1088 wrote to memory of 3936	1088	x8752474.exe	73
PID 1088 wrote to memory of 3936	1088	x8752474.exe	73
PID 1088 wrote to memory of 3936	1088	x8752474.exe	73
PID 3936 wrote to memory of 2136	3936	g9895303.exe	75
PID 3936 wrote to memory of 2136	3936	g9895303.exe	75
PID 3936 wrote to memory of 2136	3936	g9895303.exe	75
PID 3936 wrote to memory of 336	3936	g9895303.exe	76
PID 3936 wrote to memory of 336	3936	g9895303.exe	76
PID 3936 wrote to memory of 336	3936	g9895303.exe	76
PID 3936 wrote to memory of 336	3936	g9895303.exe	76
PID 3936 wrote to memory of 336	3936	g9895303.exe	76
PID 3936 wrote to memory of 336	3936	g9895303.exe	76
PID 3936 wrote to memory of 336	3936	g9895303.exe	76
PID 3936 wrote to memory of 336	3936	g9895303.exe	76
PID 3936 wrote to memory of 336	3936	g9895303.exe	76
PID 3936 wrote to memory of 336	3936	g9895303.exe	76

C:\Users\Admin\AppData\Local\Temp\066ddb1f89d7cc9a116d3efc70ea152b2380ad1dfd89903ffaa12a4c76457f13.exe
"C:\Users\Admin\AppData\Local\Temp\066ddb1f89d7cc9a116d3efc70ea152b2380ad1dfd89903ffaa12a4c76457f13.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7963460.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7963460.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4713418.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4713418.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8752474.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8752474.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9895303.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9895303.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3936
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2136
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 568
        7⤵
        Program crash
        
        PID:4540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 144
        6⤵
        Program crash
        
        PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7963460.exe

Filesize
827KB

MD5
96370b99f43c99929fcb468cedfe1f77

SHA1
9c6651199148385e96aaea19a06dbbd0b8f5baa2

SHA256
d321b55e2028825c29eed272a980acd8c751d1da59e433f89d8dc4460d8b8dc5

SHA512
7be7cbc5c420e8f1e81d43493acc764af48cd033be6947da3ff2949955bb2a9e34fddd1e57cc7683c2c612b097c1c7ed4ba951b337e31ddf256f57879f6634a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7963460.exe

Filesize
827KB

MD5
96370b99f43c99929fcb468cedfe1f77

SHA1
9c6651199148385e96aaea19a06dbbd0b8f5baa2

SHA256
d321b55e2028825c29eed272a980acd8c751d1da59e433f89d8dc4460d8b8dc5

SHA512
7be7cbc5c420e8f1e81d43493acc764af48cd033be6947da3ff2949955bb2a9e34fddd1e57cc7683c2c612b097c1c7ed4ba951b337e31ddf256f57879f6634a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4713418.exe

Filesize
556KB

MD5
b47e841a7321f356d34dea8f48d3d6df

SHA1
5ff9e9ea8d75eac24d32b3725748201867450e74

SHA256
cd9737b92b3d2a46e47ebbe78f8f4263d8a618598c2bc3e0055b0dbfec53aad7

SHA512
5878adb75527da597dc950f5cdc3f30e453e927d9bec5fbe0cd3fb21f1f96c74f9b9fb9aabb6ecc860aa3d0fa359b4b8bf0b43648613831afb7926f43031d376

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4713418.exe

Filesize
556KB

MD5
b47e841a7321f356d34dea8f48d3d6df

SHA1
5ff9e9ea8d75eac24d32b3725748201867450e74

SHA256
cd9737b92b3d2a46e47ebbe78f8f4263d8a618598c2bc3e0055b0dbfec53aad7

SHA512
5878adb75527da597dc950f5cdc3f30e453e927d9bec5fbe0cd3fb21f1f96c74f9b9fb9aabb6ecc860aa3d0fa359b4b8bf0b43648613831afb7926f43031d376

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8752474.exe

Filesize
390KB

MD5
2d58eac6e6541ee367cadd960fd083a9

SHA1
435aa4f7069d02a0c7c349cc837de29a2a0cfbc0

SHA256
d60a6b73cf831c0081082322861c42e00f0064de9c91a37dd0509cb59c34f5bc

SHA512
178e978698b63fea0dcd4a50228c385ad7037739c87ec9697b240b8dc4c21a13a45c70190b7aa7548c24e7066ebb3e32359c6380ac8ee937f62885144d1c36de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8752474.exe

Filesize
390KB

MD5
2d58eac6e6541ee367cadd960fd083a9

SHA1
435aa4f7069d02a0c7c349cc837de29a2a0cfbc0

SHA256
d60a6b73cf831c0081082322861c42e00f0064de9c91a37dd0509cb59c34f5bc

SHA512
178e978698b63fea0dcd4a50228c385ad7037739c87ec9697b240b8dc4c21a13a45c70190b7aa7548c24e7066ebb3e32359c6380ac8ee937f62885144d1c36de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9895303.exe

Filesize
356KB

MD5
7b0cf2cb8b570dd705713193386ae38f

SHA1
c16d8a260145c1b26ae6f308e78ab6189111ffb0

SHA256
5794b6cecd533b8fc6e26ccb06ae72731ad0667f7e4ad56531e796ab453f28d6

SHA512
aac36bcadf12da093485d52300dd9514f696a8616f2e359b91185394192a2a19c89ad02b6cac3704617f8d186ffb71e9e6561926e2e0e52844057d506aa98071

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9895303.exe

Filesize
356KB

MD5
7b0cf2cb8b570dd705713193386ae38f

SHA1
c16d8a260145c1b26ae6f308e78ab6189111ffb0

SHA256
5794b6cecd533b8fc6e26ccb06ae72731ad0667f7e4ad56531e796ab453f28d6

SHA512
aac36bcadf12da093485d52300dd9514f696a8616f2e359b91185394192a2a19c89ad02b6cac3704617f8d186ffb71e9e6561926e2e0e52844057d506aa98071

Download Submit
memory/336-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/336-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/336-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/336-34-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads