2480d7f032590fa543d88425207fc62153bad34270c83ce3cc416062c83dcad7

General

Target

2480d7f032590fa543d88425207fc62153bad34270c83ce3cc416062c83dcad7.exe
Size

928KB
MD5

6e673ae00e69a3eeed8c2c6626217230
SHA1

e16d04dedd4059caa43748fe3657767462b03088
SHA256

2480d7f032590fa543d88425207fc62153bad34270c83ce3cc416062c83dcad7
SHA512

f33da6f2274840be105da7e00e49b4f3cc73a106ab54d2db4219be3b832f7cf06ab78f27a6860338bfa3666fd22581e9d8c66914c3c93283ad869885fbf20e20
SSDEEP

12288:DMrqy90R87x+hnbg1dXirt9VzigjZ94hAB5nX9VYdnQknBFwbs8Q8b5LPax5rhJn:9yR78aiNvNMQkHP8Narj+SSAQvowIb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4444	x4081144.exe
1848	x8778017.exe
3756	x0669185.exe
432	g0504915.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8778017.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0669185.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2480d7f032590fa543d88425207fc62153bad34270c83ce3cc416062c83dcad7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4081144.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 432 set thread context of 548	432	g0504915.exe	74

Program crash 2 IoCs

pid	pid_target	Process	procid_target
192	432	WerFault.exe	72
5072	548	WerFault.exe	74

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 4444	2752	2480d7f032590fa543d88425207fc62153bad34270c83ce3cc416062c83dcad7.exe	69
PID 2752 wrote to memory of 4444	2752	2480d7f032590fa543d88425207fc62153bad34270c83ce3cc416062c83dcad7.exe	69
PID 2752 wrote to memory of 4444	2752	2480d7f032590fa543d88425207fc62153bad34270c83ce3cc416062c83dcad7.exe	69
PID 4444 wrote to memory of 1848	4444	x4081144.exe	70
PID 4444 wrote to memory of 1848	4444	x4081144.exe	70
PID 4444 wrote to memory of 1848	4444	x4081144.exe	70
PID 1848 wrote to memory of 3756	1848	x8778017.exe	71
PID 1848 wrote to memory of 3756	1848	x8778017.exe	71
PID 1848 wrote to memory of 3756	1848	x8778017.exe	71
PID 3756 wrote to memory of 432	3756	x0669185.exe	72
PID 3756 wrote to memory of 432	3756	x0669185.exe	72
PID 3756 wrote to memory of 432	3756	x0669185.exe	72
PID 432 wrote to memory of 548	432	g0504915.exe	74
PID 432 wrote to memory of 548	432	g0504915.exe	74
PID 432 wrote to memory of 548	432	g0504915.exe	74
PID 432 wrote to memory of 548	432	g0504915.exe	74
PID 432 wrote to memory of 548	432	g0504915.exe	74
PID 432 wrote to memory of 548	432	g0504915.exe	74
PID 432 wrote to memory of 548	432	g0504915.exe	74
PID 432 wrote to memory of 548	432	g0504915.exe	74
PID 432 wrote to memory of 548	432	g0504915.exe	74
PID 432 wrote to memory of 548	432	g0504915.exe	74

C:\Users\Admin\AppData\Local\Temp\2480d7f032590fa543d88425207fc62153bad34270c83ce3cc416062c83dcad7.exe
"C:\Users\Admin\AppData\Local\Temp\2480d7f032590fa543d88425207fc62153bad34270c83ce3cc416062c83dcad7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4081144.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4081144.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8778017.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8778017.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0669185.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0669185.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0504915.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0504915.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:432
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 568
        7⤵
        Program crash
        
        PID:5072
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 144
        6⤵
        Program crash
        
        PID:192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4081144.exe

Filesize
826KB

MD5
5b41e5fa9a87a77106d6bbfa7bc3c1cd

SHA1
12f3ca85913a826fc2107f1664ed3a42432e9ea9

SHA256
c3564928ae3f035778a173a10db25378258c27e5d9153129815d8486ff3ebd6c

SHA512
9c7999ef33e2530406d2d87c5c88d8042dfae8942e83c71b53a0b2a46cf3ce59a2043b752c4a6a606351be857c9d8989d63e4e44964167646e76d2ea2cc7244f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4081144.exe

Filesize
826KB

MD5
5b41e5fa9a87a77106d6bbfa7bc3c1cd

SHA1
12f3ca85913a826fc2107f1664ed3a42432e9ea9

SHA256
c3564928ae3f035778a173a10db25378258c27e5d9153129815d8486ff3ebd6c

SHA512
9c7999ef33e2530406d2d87c5c88d8042dfae8942e83c71b53a0b2a46cf3ce59a2043b752c4a6a606351be857c9d8989d63e4e44964167646e76d2ea2cc7244f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8778017.exe

Filesize
556KB

MD5
ebf6af675d4dd32b148fcb8a5458d220

SHA1
bb1d50a92cc561508be5f80ad2d11ed555e05455

SHA256
cee1231370da13d62f47114fc0b2bb0c3d806158e0ca5fb482ca904b622dcc07

SHA512
30833a7978216c1116a4f35bef4444a9c56d32c14c33e6e45227f1c522dcdb7fb588e6aa5528dc805758558a417b1dd4c99b9bdf729122fc22d2e027a53bec37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8778017.exe

Filesize
556KB

MD5
ebf6af675d4dd32b148fcb8a5458d220

SHA1
bb1d50a92cc561508be5f80ad2d11ed555e05455

SHA256
cee1231370da13d62f47114fc0b2bb0c3d806158e0ca5fb482ca904b622dcc07

SHA512
30833a7978216c1116a4f35bef4444a9c56d32c14c33e6e45227f1c522dcdb7fb588e6aa5528dc805758558a417b1dd4c99b9bdf729122fc22d2e027a53bec37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0669185.exe

Filesize
390KB

MD5
34fa8edc698d31b0d4af17fb973c1d5d

SHA1
50cc2b045085a2560319e6c681f3fe919b484e83

SHA256
ce54593df9f1113a6273409d703b8e52dad2154b9b68e788d76f6968d7f09251

SHA512
aea8ba8e60e83aef2a38543650913dd0252c5786ab760f37d146c0cab81e4c4870f9d37f20b85fc352d3f07f813a7e7eb382c8c90115d1c9f15486e2233882ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0669185.exe

Filesize
390KB

MD5
34fa8edc698d31b0d4af17fb973c1d5d

SHA1
50cc2b045085a2560319e6c681f3fe919b484e83

SHA256
ce54593df9f1113a6273409d703b8e52dad2154b9b68e788d76f6968d7f09251

SHA512
aea8ba8e60e83aef2a38543650913dd0252c5786ab760f37d146c0cab81e4c4870f9d37f20b85fc352d3f07f813a7e7eb382c8c90115d1c9f15486e2233882ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0504915.exe

Filesize
356KB

MD5
1424df87715922950742d9f927a2eb1c

SHA1
a0f671e92f1567f563a8db43db7a49f9aa0f6cac

SHA256
828ab6062b1330bf2c1009d0c25317dc7c2f083314acb97c4dc41529119152ed

SHA512
739b9aa54d0617403dbb2e3592319bab8798eea933f2823a60038ebca102f4f4c1a91a43eca6dc09f346d1a2580c394753810883237cad81c0a7c60311827e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0504915.exe

Filesize
356KB

MD5
1424df87715922950742d9f927a2eb1c

SHA1
a0f671e92f1567f563a8db43db7a49f9aa0f6cac

SHA256
828ab6062b1330bf2c1009d0c25317dc7c2f083314acb97c4dc41529119152ed

SHA512
739b9aa54d0617403dbb2e3592319bab8798eea933f2823a60038ebca102f4f4c1a91a43eca6dc09f346d1a2580c394753810883237cad81c0a7c60311827e88

Download Submit
memory/548-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/548-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/548-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/548-34-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads