fc7ff5df12336b0a903b9e653670ecfa8911295b63b733510af4059a0ae110bd

Analysis

max time kernel
128s
max time network
136s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
01-10-2023 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc7ff5df12336b0a903b9e653670ecfa8911295b63b733510af4059a0ae110bd.exe
Size

1.1MB
MD5

0cd5094b782990850b71ee120b96bfd2
SHA1

d6430bf7925f07ba669569dbf9ac13314b236a1f
SHA256

fc7ff5df12336b0a903b9e653670ecfa8911295b63b733510af4059a0ae110bd
SHA512

1e31de8404341acdd6d67b5bcd36c8246d7af34fcf8ce1edc3fb503efe6adfadf5a068c4d29cdb22f0de55335c1caf3fad871ed3a4aaa08ffed02a26ccc59a13
SSDEEP

24576:qyUy49S1oM2Cej7Cd92fuippnlKSNW1oB2xtGqQCAHJ:xUysFM2nHE96uisSw+mtL

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4416	x6198725.exe
628	x1888340.exe
2520	x3938051.exe
1848	x4450318.exe
4712	g4016134.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fc7ff5df12336b0a903b9e653670ecfa8911295b63b733510af4059a0ae110bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6198725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1888340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x3938051.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	x4450318.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4712 set thread context of 2992	4712	g4016134.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4568	4712	WerFault.exe	73
164	2992	WerFault.exe	75

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4416	4204	fc7ff5df12336b0a903b9e653670ecfa8911295b63b733510af4059a0ae110bd.exe	69
PID 4204 wrote to memory of 4416	4204	fc7ff5df12336b0a903b9e653670ecfa8911295b63b733510af4059a0ae110bd.exe	69
PID 4204 wrote to memory of 4416	4204	fc7ff5df12336b0a903b9e653670ecfa8911295b63b733510af4059a0ae110bd.exe	69
PID 4416 wrote to memory of 628	4416	x6198725.exe	70
PID 4416 wrote to memory of 628	4416	x6198725.exe	70
PID 4416 wrote to memory of 628	4416	x6198725.exe	70
PID 628 wrote to memory of 2520	628	x1888340.exe	71
PID 628 wrote to memory of 2520	628	x1888340.exe	71
PID 628 wrote to memory of 2520	628	x1888340.exe	71
PID 2520 wrote to memory of 1848	2520	x3938051.exe	72
PID 2520 wrote to memory of 1848	2520	x3938051.exe	72
PID 2520 wrote to memory of 1848	2520	x3938051.exe	72
PID 1848 wrote to memory of 4712	1848	x4450318.exe	73
PID 1848 wrote to memory of 4712	1848	x4450318.exe	73
PID 1848 wrote to memory of 4712	1848	x4450318.exe	73
PID 4712 wrote to memory of 2992	4712	g4016134.exe	75
PID 4712 wrote to memory of 2992	4712	g4016134.exe	75
PID 4712 wrote to memory of 2992	4712	g4016134.exe	75
PID 4712 wrote to memory of 2992	4712	g4016134.exe	75
PID 4712 wrote to memory of 2992	4712	g4016134.exe	75
PID 4712 wrote to memory of 2992	4712	g4016134.exe	75
PID 4712 wrote to memory of 2992	4712	g4016134.exe	75
PID 4712 wrote to memory of 2992	4712	g4016134.exe	75
PID 4712 wrote to memory of 2992	4712	g4016134.exe	75
PID 4712 wrote to memory of 2992	4712	g4016134.exe	75

C:\Users\Admin\AppData\Local\Temp\fc7ff5df12336b0a903b9e653670ecfa8911295b63b733510af4059a0ae110bd.exe
"C:\Users\Admin\AppData\Local\Temp\fc7ff5df12336b0a903b9e653670ecfa8911295b63b733510af4059a0ae110bd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6198725.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6198725.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1888340.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1888340.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3938051.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3938051.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x4450318.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x4450318.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1848
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g4016134.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g4016134.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 568
        8⤵
        Program crash
        
        PID:164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 144
        7⤵
        Program crash
        
        PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6198725.exe

Filesize
994KB

MD5
7d4b6aa546ad3745cb242602c89cc82f

SHA1
62f724c3360f6d80b65108b9c56dff5f6d40bcfe

SHA256
857375336418f214f5d476883342b059ef29018fb24e9abfa0e32ecddb494ed8

SHA512
0a46d45f1682ca2c42e4eb7b62ae32a77bca39767dcc23f94ce809fe254e38fd1a6863d56785a5bbe72f9ff4ca90aaf72d5c45d60b2073f3bd5ab3f5007004cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6198725.exe

Filesize
994KB

MD5
7d4b6aa546ad3745cb242602c89cc82f

SHA1
62f724c3360f6d80b65108b9c56dff5f6d40bcfe

SHA256
857375336418f214f5d476883342b059ef29018fb24e9abfa0e32ecddb494ed8

SHA512
0a46d45f1682ca2c42e4eb7b62ae32a77bca39767dcc23f94ce809fe254e38fd1a6863d56785a5bbe72f9ff4ca90aaf72d5c45d60b2073f3bd5ab3f5007004cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1888340.exe

Filesize
811KB

MD5
717010b9becb9726e225fecf8fc4c8d7

SHA1
7d9eb8ce12e5007fb8c6230265ac7b3f81944efa

SHA256
863e712af74ebb65ef4ec9870155b69a0ca2d8ee1b764c0c8a25b629bd27054f

SHA512
f059efea1d3044dc5264987515295a7f20e686f46beecbd89f67386d77e4ace4d6e39a81881e6eb97bc9a16c9af7a993e500956d88ba4bdb2d8aa0ab2018ff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1888340.exe

Filesize
811KB

MD5
717010b9becb9726e225fecf8fc4c8d7

SHA1
7d9eb8ce12e5007fb8c6230265ac7b3f81944efa

SHA256
863e712af74ebb65ef4ec9870155b69a0ca2d8ee1b764c0c8a25b629bd27054f

SHA512
f059efea1d3044dc5264987515295a7f20e686f46beecbd89f67386d77e4ace4d6e39a81881e6eb97bc9a16c9af7a993e500956d88ba4bdb2d8aa0ab2018ff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3938051.exe

Filesize
548KB

MD5
2cab00fe3fdbee181a25c606e4a00819

SHA1
f09a91e9325f29a857dde6443af4b2e061a52a34

SHA256
c44cab8032469124ab8f16243ed33a082e58f05b0eab9dae213622dea5b6bce3

SHA512
38532f22d913b857be5e67c312f234208073609784158dd20cf2594127f2d1be3b201462cbd70338ac614ed3db855d2d85a22dec5962766f10c98277288afd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3938051.exe

Filesize
548KB

MD5
2cab00fe3fdbee181a25c606e4a00819

SHA1
f09a91e9325f29a857dde6443af4b2e061a52a34

SHA256
c44cab8032469124ab8f16243ed33a082e58f05b0eab9dae213622dea5b6bce3

SHA512
38532f22d913b857be5e67c312f234208073609784158dd20cf2594127f2d1be3b201462cbd70338ac614ed3db855d2d85a22dec5962766f10c98277288afd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x4450318.exe

Filesize
382KB

MD5
3edc6c8a01c33ae4f011f735dbc0857c

SHA1
3aabd0e3c91436abb2ce43b4be89a518b83bb403

SHA256
92e6525b01fbc4ca1f1ee953b735d7a13651ce3424159d8ec3a1ac3368eebd24

SHA512
58a581a9d302eef20822c3da4785a7c813f877274dfdeb0976dd4f8dcf3c332c9d7924903a5b9d6cdb43af98c8c03b361b0f60ffc352fae13922b306b1f05de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x4450318.exe

Filesize
382KB

MD5
3edc6c8a01c33ae4f011f735dbc0857c

SHA1
3aabd0e3c91436abb2ce43b4be89a518b83bb403

SHA256
92e6525b01fbc4ca1f1ee953b735d7a13651ce3424159d8ec3a1ac3368eebd24

SHA512
58a581a9d302eef20822c3da4785a7c813f877274dfdeb0976dd4f8dcf3c332c9d7924903a5b9d6cdb43af98c8c03b361b0f60ffc352fae13922b306b1f05de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g4016134.exe

Filesize
304KB

MD5
6540937faca120958c0cec82da77f663

SHA1
0073f4691cca4bc6e6b1f910d3a1e03fad5669d4

SHA256
bcfe7dc030a9f4b0c721697e30aee7b27cbb155aba9decf5cad9bc7e3dcaae8e

SHA512
8a730617bc9fd62845bb40547b1b580e04158f83b37238d6fd08f2805f67d840798345a3d0824b026a4076b667687f322e5e2abd55bcbe5340c6e9f11206e713

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g4016134.exe

Filesize
304KB

MD5
6540937faca120958c0cec82da77f663

SHA1
0073f4691cca4bc6e6b1f910d3a1e03fad5669d4

SHA256
bcfe7dc030a9f4b0c721697e30aee7b27cbb155aba9decf5cad9bc7e3dcaae8e

SHA512
8a730617bc9fd62845bb40547b1b580e04158f83b37238d6fd08f2805f67d840798345a3d0824b026a4076b667687f322e5e2abd55bcbe5340c6e9f11206e713

Download Submit
memory/2992-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2992-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2992-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2992-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads