294ad811e056ad5f21ceb316a637d003ccd8e15717e647563f6acfafab0a1abd

Analysis

max time kernel
65s
max time network
70s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
01/10/2023, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

294ad811e056ad5f21ceb316a637d003ccd8e15717e647563f6acfafab0a1abd.exe
Size

1.0MB
MD5

ee2a30e94d246c7582b1f1717fc16f6b
SHA1

1416b10caf39306f3cf84e3fb7d97cd877e5f199
SHA256

294ad811e056ad5f21ceb316a637d003ccd8e15717e647563f6acfafab0a1abd
SHA512

fb26397408618f29be322f462faffe11d05fc232dc17407f3a20330d1fc4c175799ee3298e91d5ed3f9a31248db477a6bec704cf09cde097580fd2c88c6f2383
SSDEEP

24576:4y1UhN4uIttU38/W3eMolARgQ+XS4myQG:/1g9kWEu6TiP

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1552	x8421190.exe
5008	x5590585.exe
4708	x0687043.exe
4932	x2893678.exe
1580	g9218318.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	x2893678.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	294ad811e056ad5f21ceb316a637d003ccd8e15717e647563f6acfafab0a1abd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8421190.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5590585.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0687043.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1580 set thread context of 4304	1580	g9218318.exe	74

Program crash 2 IoCs

pid	pid_target	Process	procid_target
164	1580	WerFault.exe	72
200	4304	WerFault.exe	74

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1552	1784	294ad811e056ad5f21ceb316a637d003ccd8e15717e647563f6acfafab0a1abd.exe	68
PID 1784 wrote to memory of 1552	1784	294ad811e056ad5f21ceb316a637d003ccd8e15717e647563f6acfafab0a1abd.exe	68
PID 1784 wrote to memory of 1552	1784	294ad811e056ad5f21ceb316a637d003ccd8e15717e647563f6acfafab0a1abd.exe	68
PID 1552 wrote to memory of 5008	1552	x8421190.exe	69
PID 1552 wrote to memory of 5008	1552	x8421190.exe	69
PID 1552 wrote to memory of 5008	1552	x8421190.exe	69
PID 5008 wrote to memory of 4708	5008	x5590585.exe	70
PID 5008 wrote to memory of 4708	5008	x5590585.exe	70
PID 5008 wrote to memory of 4708	5008	x5590585.exe	70
PID 4708 wrote to memory of 4932	4708	x0687043.exe	71
PID 4708 wrote to memory of 4932	4708	x0687043.exe	71
PID 4708 wrote to memory of 4932	4708	x0687043.exe	71
PID 4932 wrote to memory of 1580	4932	x2893678.exe	72
PID 4932 wrote to memory of 1580	4932	x2893678.exe	72
PID 4932 wrote to memory of 1580	4932	x2893678.exe	72
PID 1580 wrote to memory of 4304	1580	g9218318.exe	74
PID 1580 wrote to memory of 4304	1580	g9218318.exe	74
PID 1580 wrote to memory of 4304	1580	g9218318.exe	74
PID 1580 wrote to memory of 4304	1580	g9218318.exe	74
PID 1580 wrote to memory of 4304	1580	g9218318.exe	74
PID 1580 wrote to memory of 4304	1580	g9218318.exe	74
PID 1580 wrote to memory of 4304	1580	g9218318.exe	74
PID 1580 wrote to memory of 4304	1580	g9218318.exe	74
PID 1580 wrote to memory of 4304	1580	g9218318.exe	74
PID 1580 wrote to memory of 4304	1580	g9218318.exe	74

C:\Users\Admin\AppData\Local\Temp\294ad811e056ad5f21ceb316a637d003ccd8e15717e647563f6acfafab0a1abd.exe
"C:\Users\Admin\AppData\Local\Temp\294ad811e056ad5f21ceb316a637d003ccd8e15717e647563f6acfafab0a1abd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8421190.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8421190.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5590585.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5590585.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0687043.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0687043.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x2893678.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x2893678.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4932
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g9218318.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g9218318.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 568
        8⤵
        Program crash
        
        PID:200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 572
        7⤵
        Program crash
        
        PID:164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8421190.exe

Filesize
929KB

MD5
11f4fbeef3da064ea49cbec9eab2b853

SHA1
e5774d26ab2453e417b596cb4651453bbcade17f

SHA256
ffef16470d10a318f741203ba213382e3256c8cce5b42620765935da8bc958f4

SHA512
02da76ca2f68bf2724955cbd4f5622684de4b0881e8ad653851780320c6c0fb93aada168848bf8ce33aca60be65d9a8a4eb80ab44c8dfd5f3afbaaac810233a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8421190.exe

Filesize
929KB

MD5
11f4fbeef3da064ea49cbec9eab2b853

SHA1
e5774d26ab2453e417b596cb4651453bbcade17f

SHA256
ffef16470d10a318f741203ba213382e3256c8cce5b42620765935da8bc958f4

SHA512
02da76ca2f68bf2724955cbd4f5622684de4b0881e8ad653851780320c6c0fb93aada168848bf8ce33aca60be65d9a8a4eb80ab44c8dfd5f3afbaaac810233a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5590585.exe

Filesize
747KB

MD5
023ee15df8c65a89b1db11099e558c65

SHA1
727cd054fe5e1679ddc6f43ec0c2e11ab60e3d49

SHA256
6d9566f233457755ecf5cb6230649c159b242dcf26c019a404b12dbb0c72be7c

SHA512
4ce567c1d46401757172f810333ccc7a9a4c92603609f0ecc65361af1c2bd5fa4dfe9b4715bc08bae1ff178514623edd40c84ada0b4f22099428713d97b33091

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5590585.exe

Filesize
747KB

MD5
023ee15df8c65a89b1db11099e558c65

SHA1
727cd054fe5e1679ddc6f43ec0c2e11ab60e3d49

SHA256
6d9566f233457755ecf5cb6230649c159b242dcf26c019a404b12dbb0c72be7c

SHA512
4ce567c1d46401757172f810333ccc7a9a4c92603609f0ecc65361af1c2bd5fa4dfe9b4715bc08bae1ff178514623edd40c84ada0b4f22099428713d97b33091

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0687043.exe

Filesize
516KB

MD5
8e9acf5d22d63522ac394eeb8cac7693

SHA1
b66bcabe81e0c3048aa5be2074610d268c62144f

SHA256
6c4325da4b05e0f441dcffc5eb70372b1d0d083c90ea16aadbe4f8a9585eaa3a

SHA512
161141d3d17db4a3580fafb04ef9b622358e31cd0c3994f4c97daaaf075fb02efe9ad2e3ff96ad3c1c4afa9a42de44d56a29fa2ca71b5a155c4c53ebd431a9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0687043.exe

Filesize
516KB

MD5
8e9acf5d22d63522ac394eeb8cac7693

SHA1
b66bcabe81e0c3048aa5be2074610d268c62144f

SHA256
6c4325da4b05e0f441dcffc5eb70372b1d0d083c90ea16aadbe4f8a9585eaa3a

SHA512
161141d3d17db4a3580fafb04ef9b622358e31cd0c3994f4c97daaaf075fb02efe9ad2e3ff96ad3c1c4afa9a42de44d56a29fa2ca71b5a155c4c53ebd431a9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x2893678.exe

Filesize
351KB

MD5
fd5a8ede9daaaa02c00038351d52a549

SHA1
e361ca559bc404efa0b2e05fc6d725ad3289299f

SHA256
5690379e3cd9228514fb6bfbf1ba61a1b08dccf18d5b794c5d06bc924cde0000

SHA512
ab1fa4c53e552aedc907d4a8190c61b6af93afa6698748c409cf03c2f345ba832a19bc980de623688910f42ed1d3b649cb17f33fe1c6abd36631932cec09d2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x2893678.exe

Filesize
351KB

MD5
fd5a8ede9daaaa02c00038351d52a549

SHA1
e361ca559bc404efa0b2e05fc6d725ad3289299f

SHA256
5690379e3cd9228514fb6bfbf1ba61a1b08dccf18d5b794c5d06bc924cde0000

SHA512
ab1fa4c53e552aedc907d4a8190c61b6af93afa6698748c409cf03c2f345ba832a19bc980de623688910f42ed1d3b649cb17f33fe1c6abd36631932cec09d2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g9218318.exe

Filesize
276KB

MD5
ba1ee121b9d5b99811bbe4e2272843fa

SHA1
f1b6029835e77d3832f6eb175e4edf5b9a9d7543

SHA256
2a066f1c554f726e7b236065b4d1652a170b4352820f2d63ebe960f3f20996ba

SHA512
6ffcf8c6f04abc7b846fb752d2bc7538b08c67f1ff2be40d2fd4bba5b1b05ca490d69e858ec16890e9877c1011e0152dbfadd607ab568008bf88829d362a6d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g9218318.exe

Filesize
276KB

MD5
ba1ee121b9d5b99811bbe4e2272843fa

SHA1
f1b6029835e77d3832f6eb175e4edf5b9a9d7543

SHA256
2a066f1c554f726e7b236065b4d1652a170b4352820f2d63ebe960f3f20996ba

SHA512
6ffcf8c6f04abc7b846fb752d2bc7538b08c67f1ff2be40d2fd4bba5b1b05ca490d69e858ec16890e9877c1011e0152dbfadd607ab568008bf88829d362a6d3c

Download Submit
memory/4304-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4304-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4304-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4304-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads