936a8ad463e024524ee4c6f53eef0f15755a31d53e08982afecfd51cd6b81451

Analysis

max time kernel
124s
max time network
129s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
02-10-2023 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

936a8ad463e024524ee4c6f53eef0f15755a31d53e08982afecfd51cd6b81451.exe
Size

1.1MB
MD5

82f409205cbaa7921a51f18f7284b0c9
SHA1

8bca1d577a4fd0c5fd57c3ceaf401a8893c2ecc9
SHA256

936a8ad463e024524ee4c6f53eef0f15755a31d53e08982afecfd51cd6b81451
SHA512

49888028bb4729e74166bafcbffd5ecba85b2b8279e075d300ef81848c7042385850f2db1f0ce6b6dbe0a28ae0158993ea4c4d3dec8579df6769124d245de24e
SSDEEP

24576:hyrjc6W7RpO/p2OWTwMSYTifmV7wFQUhj03Oz+/:UPc6n/p2O/1fPFQsgO

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3412	XR0rF8pi.exe
4112	qh4he7Xz.exe
644	Qd6fq2Ju.exe
1320	cW1hz3Fw.exe
4948	Io94xX9.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	936a8ad463e024524ee4c6f53eef0f15755a31d53e08982afecfd51cd6b81451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	XR0rF8pi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	qh4he7Xz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Qd6fq2Ju.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	cW1hz3Fw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4948 set thread context of 2200	4948	Io94xX9.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4716	4948	WerFault.exe	74
3692	2200	WerFault.exe	76

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 3412	2348	936a8ad463e024524ee4c6f53eef0f15755a31d53e08982afecfd51cd6b81451.exe	70
PID 2348 wrote to memory of 3412	2348	936a8ad463e024524ee4c6f53eef0f15755a31d53e08982afecfd51cd6b81451.exe	70
PID 2348 wrote to memory of 3412	2348	936a8ad463e024524ee4c6f53eef0f15755a31d53e08982afecfd51cd6b81451.exe	70
PID 3412 wrote to memory of 4112	3412	XR0rF8pi.exe	71
PID 3412 wrote to memory of 4112	3412	XR0rF8pi.exe	71
PID 3412 wrote to memory of 4112	3412	XR0rF8pi.exe	71
PID 4112 wrote to memory of 644	4112	qh4he7Xz.exe	72
PID 4112 wrote to memory of 644	4112	qh4he7Xz.exe	72
PID 4112 wrote to memory of 644	4112	qh4he7Xz.exe	72
PID 644 wrote to memory of 1320	644	Qd6fq2Ju.exe	73
PID 644 wrote to memory of 1320	644	Qd6fq2Ju.exe	73
PID 644 wrote to memory of 1320	644	Qd6fq2Ju.exe	73
PID 1320 wrote to memory of 4948	1320	cW1hz3Fw.exe	74
PID 1320 wrote to memory of 4948	1320	cW1hz3Fw.exe	74
PID 1320 wrote to memory of 4948	1320	cW1hz3Fw.exe	74
PID 4948 wrote to memory of 2200	4948	Io94xX9.exe	76
PID 4948 wrote to memory of 2200	4948	Io94xX9.exe	76
PID 4948 wrote to memory of 2200	4948	Io94xX9.exe	76
PID 4948 wrote to memory of 2200	4948	Io94xX9.exe	76
PID 4948 wrote to memory of 2200	4948	Io94xX9.exe	76
PID 4948 wrote to memory of 2200	4948	Io94xX9.exe	76
PID 4948 wrote to memory of 2200	4948	Io94xX9.exe	76
PID 4948 wrote to memory of 2200	4948	Io94xX9.exe	76
PID 4948 wrote to memory of 2200	4948	Io94xX9.exe	76
PID 4948 wrote to memory of 2200	4948	Io94xX9.exe	76

C:\Users\Admin\AppData\Local\Temp\936a8ad463e024524ee4c6f53eef0f15755a31d53e08982afecfd51cd6b81451.exe
"C:\Users\Admin\AppData\Local\Temp\936a8ad463e024524ee4c6f53eef0f15755a31d53e08982afecfd51cd6b81451.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XR0rF8pi.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XR0rF8pi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qh4he7Xz.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qh4he7Xz.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qd6fq2Ju.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qd6fq2Ju.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:644
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cW1hz3Fw.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cW1hz3Fw.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1320
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Io94xX9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Io94xX9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 568
        8⤵
        Program crash
        
        PID:3692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 588
        7⤵
        Program crash
        
        PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XR0rF8pi.exe

Filesize
994KB

MD5
4865588cd2bba41cf7bd0dcdccf9945b

SHA1
e003c15a2290a4ab67a70b94260f8339ec7a6c1d

SHA256
e927f1d49a38e73cb9d09d06e86a6b719ad0810eb02aa6b8ea88fee17e0589ed

SHA512
77c5f3d52e6e320a3c3dad0a268bdc773b029f570cd65f1d875f94e699cda92e3374054d474c86ae210eed6337fe6c04d4cc4e25826cc54c46dd4541dfa060ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XR0rF8pi.exe

Filesize
994KB

MD5
4865588cd2bba41cf7bd0dcdccf9945b

SHA1
e003c15a2290a4ab67a70b94260f8339ec7a6c1d

SHA256
e927f1d49a38e73cb9d09d06e86a6b719ad0810eb02aa6b8ea88fee17e0589ed

SHA512
77c5f3d52e6e320a3c3dad0a268bdc773b029f570cd65f1d875f94e699cda92e3374054d474c86ae210eed6337fe6c04d4cc4e25826cc54c46dd4541dfa060ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qh4he7Xz.exe

Filesize
828KB

MD5
65c416945df75d9e95beeb99b4d3f54f

SHA1
35af28addd5da7abe2d458e82a220c2321748913

SHA256
23982216f41925ed80b27dae3ed8fa35beea97c25b84587d2c0bb429ba83a788

SHA512
87f8cdd5a08c00086213f435f7080c361c27e0e92360301d97e73ca59165a797fa24cd712c14bef4257daeee011dbae51de3df5d17ca94a97c1cb8ea6303ae41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qh4he7Xz.exe

Filesize
828KB

MD5
65c416945df75d9e95beeb99b4d3f54f

SHA1
35af28addd5da7abe2d458e82a220c2321748913

SHA256
23982216f41925ed80b27dae3ed8fa35beea97c25b84587d2c0bb429ba83a788

SHA512
87f8cdd5a08c00086213f435f7080c361c27e0e92360301d97e73ca59165a797fa24cd712c14bef4257daeee011dbae51de3df5d17ca94a97c1cb8ea6303ae41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qd6fq2Ju.exe

Filesize
645KB

MD5
fd11d2ebd092acb32adaeec54492ddbd

SHA1
31ca2445b3163dae9651a9e169f02d7465475d80

SHA256
55b0052edab6226becd72eab916d135671790298c6d5e44ae8e3f7280435aec6

SHA512
de45989e3d3e3c4422fb5cd024904b938528e307bc88f40ed731daf7cfd3cad0f3f173a2cdb30cc42bb6887a6303ed2fafda7573f70cf8f37ba9bc5310c0c175

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qd6fq2Ju.exe

Filesize
645KB

MD5
fd11d2ebd092acb32adaeec54492ddbd

SHA1
31ca2445b3163dae9651a9e169f02d7465475d80

SHA256
55b0052edab6226becd72eab916d135671790298c6d5e44ae8e3f7280435aec6

SHA512
de45989e3d3e3c4422fb5cd024904b938528e307bc88f40ed731daf7cfd3cad0f3f173a2cdb30cc42bb6887a6303ed2fafda7573f70cf8f37ba9bc5310c0c175

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cW1hz3Fw.exe

Filesize
382KB

MD5
b83eb4599632d59584ee2d80560d2509

SHA1
a630959a913171a153e01997c88f8763a428f95c

SHA256
aca63dcf1c4d836fab081c3028aa3e481e91094d42b4250e391a034e5c0dd299

SHA512
7f53bb31a1b8818dae2753ffae2f6d00bb90c20e182d36150a54de2c894d85c7b5a68a251201852e855678843bd4ed49ddda927ef964c1bdb1c2b29b55650641

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cW1hz3Fw.exe

Filesize
382KB

MD5
b83eb4599632d59584ee2d80560d2509

SHA1
a630959a913171a153e01997c88f8763a428f95c

SHA256
aca63dcf1c4d836fab081c3028aa3e481e91094d42b4250e391a034e5c0dd299

SHA512
7f53bb31a1b8818dae2753ffae2f6d00bb90c20e182d36150a54de2c894d85c7b5a68a251201852e855678843bd4ed49ddda927ef964c1bdb1c2b29b55650641

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Io94xX9.exe

Filesize
304KB

MD5
70ac593e79f738f2fc7e216f0db85f41

SHA1
1d8e6efa2f088d3ef6718c6a3b03c585ce10a605

SHA256
934ca55f36701e2f04d764fda8c603d259a72d00f0d27e8e11d0d1bb8081a111

SHA512
9a1531acdf4af7b75d4b0c08c72f87b5d7a94fd43b1042e53c2799ce7cd3994c00873744f5cfcce07aeaf864114a01ffd10a6a2e6493b93a4096d23baa74d87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Io94xX9.exe

Filesize
304KB

MD5
70ac593e79f738f2fc7e216f0db85f41

SHA1
1d8e6efa2f088d3ef6718c6a3b03c585ce10a605

SHA256
934ca55f36701e2f04d764fda8c603d259a72d00f0d27e8e11d0d1bb8081a111

SHA512
9a1531acdf4af7b75d4b0c08c72f87b5d7a94fd43b1042e53c2799ce7cd3994c00873744f5cfcce07aeaf864114a01ffd10a6a2e6493b93a4096d23baa74d87a

Download Submit
memory/2200-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2200-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2200-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2200-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads