0030659fa1bc36e6b6d5a843e6fe8c01eaa6c430b3430ef32dd6e926d508e3ad

General

Target

0030659fa1bc36e6b6d5a843e6fe8c01eaa6c430b3430ef32dd6e926d508e3ad.exe
Size

928KB
MD5

e86e3225cbacf1340b9b8f894a653510
SHA1

e951652fe627d615003be92c28360a1fb2f69bab
SHA256

0030659fa1bc36e6b6d5a843e6fe8c01eaa6c430b3430ef32dd6e926d508e3ad
SHA512

b1be99d54f011e30e323524956b7f9a4663d68deabb99eaeb54cf3f648b72954782cf7298ef6ad89db10ae94cb5fa78cbf38a39c26fa5ba1db6c6950b900ea3c
SSDEEP

12288:BMrny905rxdMWUV/6GO8yvUKq/UuxEdUXYSDOi9rDhAUuIQPoEAjRae6zyTXuE:iy4U56G5UuxEdUXY+9rDhAzIo9ylR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4552	x6796756.exe
308	x4014442.exe
3596	x8240295.exe
3544	g0338489.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x8240295.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0030659fa1bc36e6b6d5a843e6fe8c01eaa6c430b3430ef32dd6e926d508e3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6796756.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4014442.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3544 set thread context of 164	3544	g0338489.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1864	3544	WerFault.exe	73
4204	164	WerFault.exe	76

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4552	4760	0030659fa1bc36e6b6d5a843e6fe8c01eaa6c430b3430ef32dd6e926d508e3ad.exe	70
PID 4760 wrote to memory of 4552	4760	0030659fa1bc36e6b6d5a843e6fe8c01eaa6c430b3430ef32dd6e926d508e3ad.exe	70
PID 4760 wrote to memory of 4552	4760	0030659fa1bc36e6b6d5a843e6fe8c01eaa6c430b3430ef32dd6e926d508e3ad.exe	70
PID 4552 wrote to memory of 308	4552	x6796756.exe	71
PID 4552 wrote to memory of 308	4552	x6796756.exe	71
PID 4552 wrote to memory of 308	4552	x6796756.exe	71
PID 308 wrote to memory of 3596	308	x4014442.exe	72
PID 308 wrote to memory of 3596	308	x4014442.exe	72
PID 308 wrote to memory of 3596	308	x4014442.exe	72
PID 3596 wrote to memory of 3544	3596	x8240295.exe	73
PID 3596 wrote to memory of 3544	3596	x8240295.exe	73
PID 3596 wrote to memory of 3544	3596	x8240295.exe	73
PID 3544 wrote to memory of 4724	3544	g0338489.exe	75
PID 3544 wrote to memory of 4724	3544	g0338489.exe	75
PID 3544 wrote to memory of 4724	3544	g0338489.exe	75
PID 3544 wrote to memory of 164	3544	g0338489.exe	76
PID 3544 wrote to memory of 164	3544	g0338489.exe	76
PID 3544 wrote to memory of 164	3544	g0338489.exe	76
PID 3544 wrote to memory of 164	3544	g0338489.exe	76
PID 3544 wrote to memory of 164	3544	g0338489.exe	76
PID 3544 wrote to memory of 164	3544	g0338489.exe	76
PID 3544 wrote to memory of 164	3544	g0338489.exe	76
PID 3544 wrote to memory of 164	3544	g0338489.exe	76
PID 3544 wrote to memory of 164	3544	g0338489.exe	76
PID 3544 wrote to memory of 164	3544	g0338489.exe	76

C:\Users\Admin\AppData\Local\Temp\0030659fa1bc36e6b6d5a843e6fe8c01eaa6c430b3430ef32dd6e926d508e3ad.exe
"C:\Users\Admin\AppData\Local\Temp\0030659fa1bc36e6b6d5a843e6fe8c01eaa6c430b3430ef32dd6e926d508e3ad.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6796756.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6796756.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4014442.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4014442.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:308
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8240295.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8240295.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3596
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0338489.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0338489.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3544
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4724
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 164 -s 568
        7⤵
        Program crash
        
        PID:4204
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 592
        6⤵
        Program crash
        
        PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6796756.exe

Filesize
826KB

MD5
b31e85f9f9a77fd4b808e6ce6b0cf9c3

SHA1
f746f5513362788d58a9e916e33df2b28ba0c173

SHA256
5094ee6cfc4fd0f47a91a0e36a1f7a4f2678b6d107ec010e15dd956f4110c75e

SHA512
b452e987419bd02d5dca828e0406f7d40b5b3fea89dbd1471a70a61fa4c1a59fb7d7ec5762469b8161b371663770a7f0ef8dad702d1bf4c16db8fa256e35fe55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6796756.exe

Filesize
826KB

MD5
b31e85f9f9a77fd4b808e6ce6b0cf9c3

SHA1
f746f5513362788d58a9e916e33df2b28ba0c173

SHA256
5094ee6cfc4fd0f47a91a0e36a1f7a4f2678b6d107ec010e15dd956f4110c75e

SHA512
b452e987419bd02d5dca828e0406f7d40b5b3fea89dbd1471a70a61fa4c1a59fb7d7ec5762469b8161b371663770a7f0ef8dad702d1bf4c16db8fa256e35fe55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4014442.exe

Filesize
556KB

MD5
ee2d5ab0c8e4cb51075308649b521df7

SHA1
5720be513f8b944464c80a8486abd6a0971b8fe1

SHA256
fec46ed603f2bcca18ba46485cb2a5d5175a0e7a69f217bf0549062fa05c1bbf

SHA512
486e20f37b0237428b5d25c82c2075a48c51d7be34b78641a71cb0b5728e792b50d478cb23dba34d5c88e7b05697c344fa2cf1e1a7095f01d9bb14f2c066b0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4014442.exe

Filesize
556KB

MD5
ee2d5ab0c8e4cb51075308649b521df7

SHA1
5720be513f8b944464c80a8486abd6a0971b8fe1

SHA256
fec46ed603f2bcca18ba46485cb2a5d5175a0e7a69f217bf0549062fa05c1bbf

SHA512
486e20f37b0237428b5d25c82c2075a48c51d7be34b78641a71cb0b5728e792b50d478cb23dba34d5c88e7b05697c344fa2cf1e1a7095f01d9bb14f2c066b0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8240295.exe

Filesize
390KB

MD5
2edfec9b922c03e66dc843caf2fa2bfa

SHA1
c64d441e7514024e3b78c7811f4807dc3ee1ef2a

SHA256
8784cc7467954f84aefde0b4fdae2235dd6d5ce255a9a355dcaeb25abf80ff07

SHA512
68ccd2d852b18e61c353c7bd974dfbea4c56143fa1c044b291c718b5886e4b67270514f77e0c06ae78e7101f377828a256f42cee92506b126568deb083610cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8240295.exe

Filesize
390KB

MD5
2edfec9b922c03e66dc843caf2fa2bfa

SHA1
c64d441e7514024e3b78c7811f4807dc3ee1ef2a

SHA256
8784cc7467954f84aefde0b4fdae2235dd6d5ce255a9a355dcaeb25abf80ff07

SHA512
68ccd2d852b18e61c353c7bd974dfbea4c56143fa1c044b291c718b5886e4b67270514f77e0c06ae78e7101f377828a256f42cee92506b126568deb083610cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0338489.exe

Filesize
356KB

MD5
f706f76ef00ab183d88d4a073037c016

SHA1
acb5f024d70cc21913b34f7634c70fd6c19b584c

SHA256
06b54283cd5e893b5a80456aecd9e084a6e71b40e2fef93a3c100d72caa20461

SHA512
bade164fb84ddafa5415e78c3cd213e25989c01a337e05c9c0acd1c0a61761f9cb38d6844fd8a5b65d8416f9cc76f9824a67aba47048cabf3e3da90a1de02c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0338489.exe

Filesize
356KB

MD5
f706f76ef00ab183d88d4a073037c016

SHA1
acb5f024d70cc21913b34f7634c70fd6c19b584c

SHA256
06b54283cd5e893b5a80456aecd9e084a6e71b40e2fef93a3c100d72caa20461

SHA512
bade164fb84ddafa5415e78c3cd213e25989c01a337e05c9c0acd1c0a61761f9cb38d6844fd8a5b65d8416f9cc76f9824a67aba47048cabf3e3da90a1de02c16

Download Submit
memory/164-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/164-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/164-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/164-34-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads