38a3e0577161839fb6363212b4416b708a9bab164366afad27325b07871da8e7

Analysis

max time kernel
128s
max time network
136s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
01-10-2023 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38a3e0577161839fb6363212b4416b708a9bab164366afad27325b07871da8e7.exe
Size

1.0MB
MD5

cbbe19f8e7d22946b9a2082f7d1ca7a9
SHA1

4e982a82d16d0c7c638785f3ce39aab55d3222bc
SHA256

38a3e0577161839fb6363212b4416b708a9bab164366afad27325b07871da8e7
SHA512

ca78e41f5c65d12027fa42e071c27179ae33145215c2bd008a0895b6c37676757d766b43bc8eac40a6a6de8d4b34c2b2ba6ce6ae76c70eee7412b22ccdc41c5c
SSDEEP

24576:vy+2u5kGVmeCPRy746Jo9hr0LzTBB75aV3I/+8:6+2useCPRyo3ABq3G+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
760	x4808053.exe
3268	x5932004.exe
4140	x4717057.exe
1452	x3364050.exe
5032	g7633796.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	x3364050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	38a3e0577161839fb6363212b4416b708a9bab164366afad27325b07871da8e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4808053.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5932004.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4717057.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5032 set thread context of 3800	5032	g7633796.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2564	5032	WerFault.exe	73
340	3800	WerFault.exe	75

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 760	5096	38a3e0577161839fb6363212b4416b708a9bab164366afad27325b07871da8e7.exe	69
PID 5096 wrote to memory of 760	5096	38a3e0577161839fb6363212b4416b708a9bab164366afad27325b07871da8e7.exe	69
PID 5096 wrote to memory of 760	5096	38a3e0577161839fb6363212b4416b708a9bab164366afad27325b07871da8e7.exe	69
PID 760 wrote to memory of 3268	760	x4808053.exe	70
PID 760 wrote to memory of 3268	760	x4808053.exe	70
PID 760 wrote to memory of 3268	760	x4808053.exe	70
PID 3268 wrote to memory of 4140	3268	x5932004.exe	71
PID 3268 wrote to memory of 4140	3268	x5932004.exe	71
PID 3268 wrote to memory of 4140	3268	x5932004.exe	71
PID 4140 wrote to memory of 1452	4140	x4717057.exe	72
PID 4140 wrote to memory of 1452	4140	x4717057.exe	72
PID 4140 wrote to memory of 1452	4140	x4717057.exe	72
PID 1452 wrote to memory of 5032	1452	x3364050.exe	73
PID 1452 wrote to memory of 5032	1452	x3364050.exe	73
PID 1452 wrote to memory of 5032	1452	x3364050.exe	73
PID 5032 wrote to memory of 3800	5032	g7633796.exe	75
PID 5032 wrote to memory of 3800	5032	g7633796.exe	75
PID 5032 wrote to memory of 3800	5032	g7633796.exe	75
PID 5032 wrote to memory of 3800	5032	g7633796.exe	75
PID 5032 wrote to memory of 3800	5032	g7633796.exe	75
PID 5032 wrote to memory of 3800	5032	g7633796.exe	75
PID 5032 wrote to memory of 3800	5032	g7633796.exe	75
PID 5032 wrote to memory of 3800	5032	g7633796.exe	75
PID 5032 wrote to memory of 3800	5032	g7633796.exe	75
PID 5032 wrote to memory of 3800	5032	g7633796.exe	75

C:\Users\Admin\AppData\Local\Temp\38a3e0577161839fb6363212b4416b708a9bab164366afad27325b07871da8e7.exe
"C:\Users\Admin\AppData\Local\Temp\38a3e0577161839fb6363212b4416b708a9bab164366afad27325b07871da8e7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4808053.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4808053.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5932004.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5932004.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4717057.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4717057.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4140
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3364050.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3364050.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1452
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g7633796.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g7633796.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 568
        8⤵
        Program crash
        
        PID:340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 572
        7⤵
        Program crash
        
        PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4808053.exe

Filesize
930KB

MD5
f513fb861d9ef7b5a0882a5d4a5d4db5

SHA1
bea33ecada1d27c62bd1b2666c9288c032a8fff6

SHA256
f2e74e1709e6b527bc1bcf42877a2515a65b09cb1fa37efcc22f2d63722c879d

SHA512
00ab04d6d37976f8599dbaa0df629cb68d5e9b6910e3feaa30127912c638edb5aee7231316f2094f5aeffbffb89035ba0ae0ef9796f4938863cfce8d9ce7aabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4808053.exe

Filesize
930KB

MD5
f513fb861d9ef7b5a0882a5d4a5d4db5

SHA1
bea33ecada1d27c62bd1b2666c9288c032a8fff6

SHA256
f2e74e1709e6b527bc1bcf42877a2515a65b09cb1fa37efcc22f2d63722c879d

SHA512
00ab04d6d37976f8599dbaa0df629cb68d5e9b6910e3feaa30127912c638edb5aee7231316f2094f5aeffbffb89035ba0ae0ef9796f4938863cfce8d9ce7aabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5932004.exe

Filesize
748KB

MD5
70c988e2d8be43a178ad6d23d5b0abb8

SHA1
8c0736880227fd13d86875ae227a2aa664280984

SHA256
004a6459e4932598f242862646ec5a5d91fcbc9f12b1d222065e02ac07023c50

SHA512
99edd12fb66b1be0a0e53d08fa13127734e1f7db79e430d7668a49f9ce1b02fd55b64605af09ff9a74e42dc99b4573b4f4d3b3c0bfa24ad44b35dddd6663266f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5932004.exe

Filesize
748KB

MD5
70c988e2d8be43a178ad6d23d5b0abb8

SHA1
8c0736880227fd13d86875ae227a2aa664280984

SHA256
004a6459e4932598f242862646ec5a5d91fcbc9f12b1d222065e02ac07023c50

SHA512
99edd12fb66b1be0a0e53d08fa13127734e1f7db79e430d7668a49f9ce1b02fd55b64605af09ff9a74e42dc99b4573b4f4d3b3c0bfa24ad44b35dddd6663266f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4717057.exe

Filesize
516KB

MD5
88443b819079a823e93ccde884cf63e2

SHA1
99ad2c6eadf3cf14f171424c7847357c7ddda002

SHA256
df995202ce5defeabe1e90ea74fd97ff02a35d881590756ba54c140d38af322b

SHA512
7f2d06114477ddcca857301d9adc3cfea59470d2ee8c43d365977c67a5e6c076802e8b89915bb395a9c61dc8308380f1071e8fdc755e4216514e41b58fee99b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4717057.exe

Filesize
516KB

MD5
88443b819079a823e93ccde884cf63e2

SHA1
99ad2c6eadf3cf14f171424c7847357c7ddda002

SHA256
df995202ce5defeabe1e90ea74fd97ff02a35d881590756ba54c140d38af322b

SHA512
7f2d06114477ddcca857301d9adc3cfea59470d2ee8c43d365977c67a5e6c076802e8b89915bb395a9c61dc8308380f1071e8fdc755e4216514e41b58fee99b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3364050.exe

Filesize
350KB

MD5
d90ac37e29a3e342d9c6971effad071e

SHA1
279b81933ca288f75458c5ba0d998f4476d787fb

SHA256
ff85468f4f01c4f5d07d638241215dcbeb9d2d033df2a931935c48e0867dba8e

SHA512
650cc5a5930dd3ca6f25611b919af3273bcb4316b30be3749875b672b5c8a9a721a899c3824ec9cf053946373e90069afb3716214d22f668ffaa39a9cbd147eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3364050.exe

Filesize
350KB

MD5
d90ac37e29a3e342d9c6971effad071e

SHA1
279b81933ca288f75458c5ba0d998f4476d787fb

SHA256
ff85468f4f01c4f5d07d638241215dcbeb9d2d033df2a931935c48e0867dba8e

SHA512
650cc5a5930dd3ca6f25611b919af3273bcb4316b30be3749875b672b5c8a9a721a899c3824ec9cf053946373e90069afb3716214d22f668ffaa39a9cbd147eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g7633796.exe

Filesize
276KB

MD5
a0e8adf682e02096d8cacbbf2d7db557

SHA1
3dfc7edfac3ec776d13bd2a152047bc5569ee6aa

SHA256
d4ca9a944c9018330740c3e0a7364ce09c08bf78a065f59392c5896d036b2e52

SHA512
a1f89ed35904b9b438a563f2def20cd113736d5d4be0ff642b2d6f1eaa5ec99389dcc21081bef4f38abb4aacc0160832bb986a192214b4816f4b62253f6ea86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g7633796.exe

Filesize
276KB

MD5
a0e8adf682e02096d8cacbbf2d7db557

SHA1
3dfc7edfac3ec776d13bd2a152047bc5569ee6aa

SHA256
d4ca9a944c9018330740c3e0a7364ce09c08bf78a065f59392c5896d036b2e52

SHA512
a1f89ed35904b9b438a563f2def20cd113736d5d4be0ff642b2d6f1eaa5ec99389dcc21081bef4f38abb4aacc0160832bb986a192214b4816f4b62253f6ea86a

Download Submit
memory/3800-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3800-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3800-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3800-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads