86b69a843dbb63e77914f07b7502c45c60391596f4f8754275f3faf516011517

Analysis

max time kernel
65s
max time network
70s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
30/09/2023, 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86b69a843dbb63e77914f07b7502c45c60391596f4f8754275f3faf516011517.exe
Size

1.0MB
MD5

b9825f66f7dbe62e76a7ee86d8f454ff
SHA1

ffc21de8e790bc38d05c90f52faeceab7e521f16
SHA256

86b69a843dbb63e77914f07b7502c45c60391596f4f8754275f3faf516011517
SHA512

71b9ac4af7457a659fa214fec2f84b518058b98b6fd90c3f8c49b87bd923da9356dbe77f05d17c3c3cb7b82a10b2c442e65e00fad61ea85ed972c31336b5054f
SSDEEP

24576:MyES9lfEoWWLq4TjOPb0Oh4e6JMBMPbNnt3E:7Z9Gyq5j0OWe6FPJt3

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4352	x0468942.exe
3536	x1435908.exe
1512	x7896986.exe
216	x5407934.exe
2172	g1903180.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0468942.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1435908.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7896986.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	x5407934.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	86b69a843dbb63e77914f07b7502c45c60391596f4f8754275f3faf516011517.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 4500	2172	g1903180.exe	74

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3372	2172	WerFault.exe	72
1348	4500	WerFault.exe	74

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 4352	1792	86b69a843dbb63e77914f07b7502c45c60391596f4f8754275f3faf516011517.exe	68
PID 1792 wrote to memory of 4352	1792	86b69a843dbb63e77914f07b7502c45c60391596f4f8754275f3faf516011517.exe	68
PID 1792 wrote to memory of 4352	1792	86b69a843dbb63e77914f07b7502c45c60391596f4f8754275f3faf516011517.exe	68
PID 4352 wrote to memory of 3536	4352	x0468942.exe	69
PID 4352 wrote to memory of 3536	4352	x0468942.exe	69
PID 4352 wrote to memory of 3536	4352	x0468942.exe	69
PID 3536 wrote to memory of 1512	3536	x1435908.exe	70
PID 3536 wrote to memory of 1512	3536	x1435908.exe	70
PID 3536 wrote to memory of 1512	3536	x1435908.exe	70
PID 1512 wrote to memory of 216	1512	x7896986.exe	71
PID 1512 wrote to memory of 216	1512	x7896986.exe	71
PID 1512 wrote to memory of 216	1512	x7896986.exe	71
PID 216 wrote to memory of 2172	216	x5407934.exe	72
PID 216 wrote to memory of 2172	216	x5407934.exe	72
PID 216 wrote to memory of 2172	216	x5407934.exe	72
PID 2172 wrote to memory of 4500	2172	g1903180.exe	74
PID 2172 wrote to memory of 4500	2172	g1903180.exe	74
PID 2172 wrote to memory of 4500	2172	g1903180.exe	74
PID 2172 wrote to memory of 4500	2172	g1903180.exe	74
PID 2172 wrote to memory of 4500	2172	g1903180.exe	74
PID 2172 wrote to memory of 4500	2172	g1903180.exe	74
PID 2172 wrote to memory of 4500	2172	g1903180.exe	74
PID 2172 wrote to memory of 4500	2172	g1903180.exe	74
PID 2172 wrote to memory of 4500	2172	g1903180.exe	74
PID 2172 wrote to memory of 4500	2172	g1903180.exe	74

C:\Users\Admin\AppData\Local\Temp\86b69a843dbb63e77914f07b7502c45c60391596f4f8754275f3faf516011517.exe
"C:\Users\Admin\AppData\Local\Temp\86b69a843dbb63e77914f07b7502c45c60391596f4f8754275f3faf516011517.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0468942.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0468942.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1435908.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1435908.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7896986.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7896986.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5407934.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5407934.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:216
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g1903180.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g1903180.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 568
        8⤵
        Program crash
        
        PID:1348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 572
        7⤵
        Program crash
        
        PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0468942.exe

Filesize
930KB

MD5
2af3efd0deb60be09c1b5ae9ea2a58e7

SHA1
dfc4cdcf33dffe6645d035025c585286197ea749

SHA256
e26dbc1d536b4bf8f4c3cdaf71186822be951c51c252c26f00d7c782994cd736

SHA512
3fdb00b63857a846d3cff7eee2ad39ba67570402eb161b14d7e54dc152a844286eaf37abd5ed882c8524c7f59d23a3923f5251d09721a74ba2a40f8fbf9e4bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0468942.exe

Filesize
930KB

MD5
2af3efd0deb60be09c1b5ae9ea2a58e7

SHA1
dfc4cdcf33dffe6645d035025c585286197ea749

SHA256
e26dbc1d536b4bf8f4c3cdaf71186822be951c51c252c26f00d7c782994cd736

SHA512
3fdb00b63857a846d3cff7eee2ad39ba67570402eb161b14d7e54dc152a844286eaf37abd5ed882c8524c7f59d23a3923f5251d09721a74ba2a40f8fbf9e4bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1435908.exe

Filesize
747KB

MD5
febe07819e5467131b3d78b2207af472

SHA1
7defcc2282de7c17c4f268af2dec5f6312d6116c

SHA256
6a2c86d1ccd9bad8f1c7aeb17f0f7a4b48d2a50ce062deecf8c441cbc3a47831

SHA512
c7b466ac6b9f620f82ae363c4a5c7d794b38428ec6d40d6465aacc1e8858ef0fccc9a580754cf32a2435184552e489d148cf74a531e6de8699654073566c143c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1435908.exe

Filesize
747KB

MD5
febe07819e5467131b3d78b2207af472

SHA1
7defcc2282de7c17c4f268af2dec5f6312d6116c

SHA256
6a2c86d1ccd9bad8f1c7aeb17f0f7a4b48d2a50ce062deecf8c441cbc3a47831

SHA512
c7b466ac6b9f620f82ae363c4a5c7d794b38428ec6d40d6465aacc1e8858ef0fccc9a580754cf32a2435184552e489d148cf74a531e6de8699654073566c143c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7896986.exe

Filesize
516KB

MD5
6fc281b1904953573ebacdbfe524e0b2

SHA1
9a7a083ef8a597248deb246015fba13f6d2c609e

SHA256
ad327eb0fa59970e60163199a09ea932c473def51df22da73847c9709de94a46

SHA512
82c5724453cd59f45f8908d0738bc1496eb4028857238a0c947cc47341106d4b7f8497cfeb56f5641dc99cac3ad2b002476c96192f8f8d746648e86d16dc3b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7896986.exe

Filesize
516KB

MD5
6fc281b1904953573ebacdbfe524e0b2

SHA1
9a7a083ef8a597248deb246015fba13f6d2c609e

SHA256
ad327eb0fa59970e60163199a09ea932c473def51df22da73847c9709de94a46

SHA512
82c5724453cd59f45f8908d0738bc1496eb4028857238a0c947cc47341106d4b7f8497cfeb56f5641dc99cac3ad2b002476c96192f8f8d746648e86d16dc3b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5407934.exe

Filesize
350KB

MD5
dffdcc63fe3e98f05d937cf289250ce5

SHA1
23e14a68141ec0ffd753e20bf2c1c08034e5e186

SHA256
da386d812bfeeb00daf12f0bcb0b656ac2988e80b561e47344d8a2e2d68e1c13

SHA512
379f25486fee5b36b6c57549d978e062551dfd6f17f01d2637d4a655bf27d447184bb0052c140f99bc17a7633fa32254ee64e9ec1e3b9f80bef96b2d5f06acab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5407934.exe

Filesize
350KB

MD5
dffdcc63fe3e98f05d937cf289250ce5

SHA1
23e14a68141ec0ffd753e20bf2c1c08034e5e186

SHA256
da386d812bfeeb00daf12f0bcb0b656ac2988e80b561e47344d8a2e2d68e1c13

SHA512
379f25486fee5b36b6c57549d978e062551dfd6f17f01d2637d4a655bf27d447184bb0052c140f99bc17a7633fa32254ee64e9ec1e3b9f80bef96b2d5f06acab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g1903180.exe

Filesize
276KB

MD5
7250308cd32e67af2f727e0b8a247f06

SHA1
4bb705a2d5aa8f5c617560476cca9c9bbc1f03b2

SHA256
1942bef2a88572d17aa272d96dd21431fa3c36cd70ff97c93b8afbda83960f50

SHA512
10c87c326884a11a657a5ab85153bd52ec311e880b2867f96d2934a4c5da0cbaee279f2ca24d6c6c328f29f26fbd59edc6aefc782b0834f1d5d1d59b47b5989b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g1903180.exe

Filesize
276KB

MD5
7250308cd32e67af2f727e0b8a247f06

SHA1
4bb705a2d5aa8f5c617560476cca9c9bbc1f03b2

SHA256
1942bef2a88572d17aa272d96dd21431fa3c36cd70ff97c93b8afbda83960f50

SHA512
10c87c326884a11a657a5ab85153bd52ec311e880b2867f96d2934a4c5da0cbaee279f2ca24d6c6c328f29f26fbd59edc6aefc782b0834f1d5d1d59b47b5989b

Download Submit
memory/4500-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4500-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4500-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4500-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads