76a61ea0938ff632e0b47be7f9be40364b6c3f45216d79f4d0b460111b259b0f

Analysis

max time kernel
128s
max time network
134s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
01/10/2023, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76a61ea0938ff632e0b47be7f9be40364b6c3f45216d79f4d0b460111b259b0f.exe
Size

1.1MB
MD5

b50f0019953672c2e9079cd2c79c45a2
SHA1

f44b0fe381e8eace2d7804173dde9d44de86c376
SHA256

76a61ea0938ff632e0b47be7f9be40364b6c3f45216d79f4d0b460111b259b0f
SHA512

1da0de23b9124007770fb69767614bb5f03ec5bef4afba3bb42952f53dcdd4f43f38569e8e6b2a3e736f8d72f2f61b2a3a96f81d2f6aaff43f5082ddc3ca2462
SSDEEP

24576:sycB+hLtMNFYZHY+WJZfV4suZkdKe7MFXO3ioIDCa+t+ZVTx8bvyERW38:bE+hL3BqztIidNgo3il/Tx8b6EQ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3688	x3005061.exe
2364	x9929764.exe
5056	x3329014.exe
3264	x5662671.exe
4900	g1338340.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	x5662671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	76a61ea0938ff632e0b47be7f9be40364b6c3f45216d79f4d0b460111b259b0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3005061.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9929764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x3329014.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4900 set thread context of 1696	4900	g1338340.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4952	4900	WerFault.exe	74
1632	1696	WerFault.exe	77

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 3688	1804	76a61ea0938ff632e0b47be7f9be40364b6c3f45216d79f4d0b460111b259b0f.exe	70
PID 1804 wrote to memory of 3688	1804	76a61ea0938ff632e0b47be7f9be40364b6c3f45216d79f4d0b460111b259b0f.exe	70
PID 1804 wrote to memory of 3688	1804	76a61ea0938ff632e0b47be7f9be40364b6c3f45216d79f4d0b460111b259b0f.exe	70
PID 3688 wrote to memory of 2364	3688	x3005061.exe	71
PID 3688 wrote to memory of 2364	3688	x3005061.exe	71
PID 3688 wrote to memory of 2364	3688	x3005061.exe	71
PID 2364 wrote to memory of 5056	2364	x9929764.exe	72
PID 2364 wrote to memory of 5056	2364	x9929764.exe	72
PID 2364 wrote to memory of 5056	2364	x9929764.exe	72
PID 5056 wrote to memory of 3264	5056	x3329014.exe	73
PID 5056 wrote to memory of 3264	5056	x3329014.exe	73
PID 5056 wrote to memory of 3264	5056	x3329014.exe	73
PID 3264 wrote to memory of 4900	3264	x5662671.exe	74
PID 3264 wrote to memory of 4900	3264	x5662671.exe	74
PID 3264 wrote to memory of 4900	3264	x5662671.exe	74
PID 4900 wrote to memory of 3972	4900	g1338340.exe	76
PID 4900 wrote to memory of 3972	4900	g1338340.exe	76
PID 4900 wrote to memory of 3972	4900	g1338340.exe	76
PID 4900 wrote to memory of 1696	4900	g1338340.exe	77
PID 4900 wrote to memory of 1696	4900	g1338340.exe	77
PID 4900 wrote to memory of 1696	4900	g1338340.exe	77
PID 4900 wrote to memory of 1696	4900	g1338340.exe	77
PID 4900 wrote to memory of 1696	4900	g1338340.exe	77
PID 4900 wrote to memory of 1696	4900	g1338340.exe	77
PID 4900 wrote to memory of 1696	4900	g1338340.exe	77
PID 4900 wrote to memory of 1696	4900	g1338340.exe	77
PID 4900 wrote to memory of 1696	4900	g1338340.exe	77
PID 4900 wrote to memory of 1696	4900	g1338340.exe	77

C:\Users\Admin\AppData\Local\Temp\76a61ea0938ff632e0b47be7f9be40364b6c3f45216d79f4d0b460111b259b0f.exe
"C:\Users\Admin\AppData\Local\Temp\76a61ea0938ff632e0b47be7f9be40364b6c3f45216d79f4d0b460111b259b0f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3005061.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3005061.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9929764.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9929764.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3329014.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3329014.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5662671.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5662671.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3264
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g1338340.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g1338340.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 568
        8⤵
        Program crash
        
        PID:1632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 612
        7⤵
        Program crash
        
        PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3005061.exe

Filesize
994KB

MD5
12c1bceb9212260ec46cc7242fcc04a5

SHA1
44776823e6a2e6d03a03741a7042fe8a054e82ac

SHA256
7fdca5a47b8246a856b1d76cf6792c65ae9b4f17e4f9f8ac7ecad21a33874c68

SHA512
c00a898846a7743711f5172964a339b8c3325aac46abd6a16496fd0f4650a99a10c9eae0e3bf3619c45bdf1293d0e53f325397a8f8243f91bd4d33b18f633ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3005061.exe

Filesize
994KB

MD5
12c1bceb9212260ec46cc7242fcc04a5

SHA1
44776823e6a2e6d03a03741a7042fe8a054e82ac

SHA256
7fdca5a47b8246a856b1d76cf6792c65ae9b4f17e4f9f8ac7ecad21a33874c68

SHA512
c00a898846a7743711f5172964a339b8c3325aac46abd6a16496fd0f4650a99a10c9eae0e3bf3619c45bdf1293d0e53f325397a8f8243f91bd4d33b18f633ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9929764.exe

Filesize
811KB

MD5
1545ade4262867f621c44dd79d5f47d2

SHA1
5a6210847f2b41cb9b29949d97f09a711e17d86e

SHA256
7217e537827b25dbd7066741c97f516836161836f5e9b9f9b1890952f161fc0c

SHA512
c729c7354a46221e290cdf8cc04a31a130e4dcacccb628e6d03b0255b5c8f51bdaae5e97f5b712545c24cc8275e565b87d80d32f30e1b51278b4f667ddca54bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9929764.exe

Filesize
811KB

MD5
1545ade4262867f621c44dd79d5f47d2

SHA1
5a6210847f2b41cb9b29949d97f09a711e17d86e

SHA256
7217e537827b25dbd7066741c97f516836161836f5e9b9f9b1890952f161fc0c

SHA512
c729c7354a46221e290cdf8cc04a31a130e4dcacccb628e6d03b0255b5c8f51bdaae5e97f5b712545c24cc8275e565b87d80d32f30e1b51278b4f667ddca54bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3329014.exe

Filesize
548KB

MD5
255a40d6270fab4dafa5e04260b743cc

SHA1
d4ace1af0d4896745277d5f976ec600db0b0decb

SHA256
e8f96ed668c35be5690e374865f5de6c463ce2e21022df1b5035574310188a90

SHA512
7cee8ec4a057b160f75e6fc1bdb59b7a2cfa6bc927d3b3d7b7f1abb34b680f12bc6e54a216764f1bc7c64dbeca8aec5b1f6d1e38398a0d2e255ff13af7796cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3329014.exe

Filesize
548KB

MD5
255a40d6270fab4dafa5e04260b743cc

SHA1
d4ace1af0d4896745277d5f976ec600db0b0decb

SHA256
e8f96ed668c35be5690e374865f5de6c463ce2e21022df1b5035574310188a90

SHA512
7cee8ec4a057b160f75e6fc1bdb59b7a2cfa6bc927d3b3d7b7f1abb34b680f12bc6e54a216764f1bc7c64dbeca8aec5b1f6d1e38398a0d2e255ff13af7796cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5662671.exe

Filesize
382KB

MD5
03a0025d39bab3f3aa2e1d47f11f06d5

SHA1
5322befe4d7582658d702a70c9ade0b5c02d052e

SHA256
97af3ad97a290ca68dc58888b4b3034bd20e1d21bcaccc1c6357b20c3e61e202

SHA512
610d9de8dd3aad2a246791820d6ba9cff769d544477b41aae427fce5da798c801a6c46d230e174a20e743ba6908942515fd74141879d9361ce156f0da01ae022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5662671.exe

Filesize
382KB

MD5
03a0025d39bab3f3aa2e1d47f11f06d5

SHA1
5322befe4d7582658d702a70c9ade0b5c02d052e

SHA256
97af3ad97a290ca68dc58888b4b3034bd20e1d21bcaccc1c6357b20c3e61e202

SHA512
610d9de8dd3aad2a246791820d6ba9cff769d544477b41aae427fce5da798c801a6c46d230e174a20e743ba6908942515fd74141879d9361ce156f0da01ae022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g1338340.exe

Filesize
304KB

MD5
a8e1215ca89c33dc92a6682fe5265952

SHA1
22f62ec358b7da47016eb9c321eb497465e3e14b

SHA256
51726f7705965db0b73e24ca414cfd940151bd07b68587bd692e5c0f0a25d3e6

SHA512
1cb305b7ab6b28d76bfa2169a2b382b46fc2c8cd3ecb8d3cdba7596d82996144fc3644c433bd005019be12aee123ab6f8b9f7753f8337613fdd4bd5e99eb8805

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g1338340.exe

Filesize
304KB

MD5
a8e1215ca89c33dc92a6682fe5265952

SHA1
22f62ec358b7da47016eb9c321eb497465e3e14b

SHA256
51726f7705965db0b73e24ca414cfd940151bd07b68587bd692e5c0f0a25d3e6

SHA512
1cb305b7ab6b28d76bfa2169a2b382b46fc2c8cd3ecb8d3cdba7596d82996144fc3644c433bd005019be12aee123ab6f8b9f7753f8337613fdd4bd5e99eb8805

Download Submit
memory/1696-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1696-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1696-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1696-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads