5b83bf7c89b3ae3dcda677f1c30c27f35c0172afdc861be840dcae80b5020594

Analysis

max time kernel
127s
max time network
135s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
02/10/2023, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b83bf7c89b3ae3dcda677f1c30c27f35c0172afdc861be840dcae80b5020594.exe
Size

1.1MB
MD5

785f33624aaf4f17f712447fb700a5fc
SHA1

7ee5703ca85e78435b15719d5b96b729256a5fad
SHA256

5b83bf7c89b3ae3dcda677f1c30c27f35c0172afdc861be840dcae80b5020594
SHA512

bbe0fe1796d38a4123fb83723706bd43e05c2abac65c953abbf3c956815ca8bade797ed486d07981fdae5c62870fd461d78a5e6b5ccb1c4d9c440db3249d1e97
SSDEEP

24576:TyYRlk6YKN+UFFFhR/KVzQVylrozAqbjVk5W03XbztN:mYHkaA2FFhxKFQykzAm8Fnbzt

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
428	cw2ft0Ox.exe
2100	cu9FG2OP.exe
2112	Ua4Pw3nz.exe
2972	GY2TF7Xv.exe
3772	1wv29Ra8.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5b83bf7c89b3ae3dcda677f1c30c27f35c0172afdc861be840dcae80b5020594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cw2ft0Ox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	cu9FG2OP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ua4Pw3nz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	GY2TF7Xv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3772 set thread context of 2748	3772	1wv29Ra8.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1944	3772	WerFault.exe	74
308	2748	WerFault.exe	76

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 428	2956	5b83bf7c89b3ae3dcda677f1c30c27f35c0172afdc861be840dcae80b5020594.exe	70
PID 2956 wrote to memory of 428	2956	5b83bf7c89b3ae3dcda677f1c30c27f35c0172afdc861be840dcae80b5020594.exe	70
PID 2956 wrote to memory of 428	2956	5b83bf7c89b3ae3dcda677f1c30c27f35c0172afdc861be840dcae80b5020594.exe	70
PID 428 wrote to memory of 2100	428	cw2ft0Ox.exe	71
PID 428 wrote to memory of 2100	428	cw2ft0Ox.exe	71
PID 428 wrote to memory of 2100	428	cw2ft0Ox.exe	71
PID 2100 wrote to memory of 2112	2100	cu9FG2OP.exe	72
PID 2100 wrote to memory of 2112	2100	cu9FG2OP.exe	72
PID 2100 wrote to memory of 2112	2100	cu9FG2OP.exe	72
PID 2112 wrote to memory of 2972	2112	Ua4Pw3nz.exe	73
PID 2112 wrote to memory of 2972	2112	Ua4Pw3nz.exe	73
PID 2112 wrote to memory of 2972	2112	Ua4Pw3nz.exe	73
PID 2972 wrote to memory of 3772	2972	GY2TF7Xv.exe	74
PID 2972 wrote to memory of 3772	2972	GY2TF7Xv.exe	74
PID 2972 wrote to memory of 3772	2972	GY2TF7Xv.exe	74
PID 3772 wrote to memory of 2748	3772	1wv29Ra8.exe	76
PID 3772 wrote to memory of 2748	3772	1wv29Ra8.exe	76
PID 3772 wrote to memory of 2748	3772	1wv29Ra8.exe	76
PID 3772 wrote to memory of 2748	3772	1wv29Ra8.exe	76
PID 3772 wrote to memory of 2748	3772	1wv29Ra8.exe	76
PID 3772 wrote to memory of 2748	3772	1wv29Ra8.exe	76
PID 3772 wrote to memory of 2748	3772	1wv29Ra8.exe	76
PID 3772 wrote to memory of 2748	3772	1wv29Ra8.exe	76
PID 3772 wrote to memory of 2748	3772	1wv29Ra8.exe	76
PID 3772 wrote to memory of 2748	3772	1wv29Ra8.exe	76

C:\Users\Admin\AppData\Local\Temp\5b83bf7c89b3ae3dcda677f1c30c27f35c0172afdc861be840dcae80b5020594.exe
"C:\Users\Admin\AppData\Local\Temp\5b83bf7c89b3ae3dcda677f1c30c27f35c0172afdc861be840dcae80b5020594.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cw2ft0Ox.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cw2ft0Ox.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu9FG2OP.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu9FG2OP.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ua4Pw3nz.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ua4Pw3nz.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GY2TF7Xv.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GY2TF7Xv.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv29Ra8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv29Ra8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 568
        8⤵
        Program crash
        
        PID:308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 588
        7⤵
        Program crash
        
        PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cw2ft0Ox.exe

Filesize
961KB

MD5
99c1139c59cfc0be8211fc28a15be2a2

SHA1
e914c357d7d16d04837ad4cfa6103aa0f1b0516e

SHA256
555d4c98bdf6e63147598350f8f98822b5b562bea965439fb90cacb62c73c3ea

SHA512
3d7b7b6c71febd8f3fa3a08d45cca144acbb5c12f0a8b52432b8b56a4ef2eeb287e1df85c4b4e20dd5254e4eab5acbd4c71917267be0ce1e552714e487a1efff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cw2ft0Ox.exe

Filesize
961KB

MD5
99c1139c59cfc0be8211fc28a15be2a2

SHA1
e914c357d7d16d04837ad4cfa6103aa0f1b0516e

SHA256
555d4c98bdf6e63147598350f8f98822b5b562bea965439fb90cacb62c73c3ea

SHA512
3d7b7b6c71febd8f3fa3a08d45cca144acbb5c12f0a8b52432b8b56a4ef2eeb287e1df85c4b4e20dd5254e4eab5acbd4c71917267be0ce1e552714e487a1efff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu9FG2OP.exe

Filesize
778KB

MD5
e4b52897d9034f67fbfe69c0df1e3b9f

SHA1
533b6ca71dd853cb62466f578447a1c0c303ccb3

SHA256
88924e559858cdaea41f1857f6a2411c1738727f4037f8c698a2f05841b40b12

SHA512
f05142b12f7e5ddb83c2dbddeb32b626d7d39116028ad7f26b1c87be86e8f6cb6c87dd0d42924a81faf153fdfad41dcc662cd8ea45748523fe75221457736b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu9FG2OP.exe

Filesize
778KB

MD5
e4b52897d9034f67fbfe69c0df1e3b9f

SHA1
533b6ca71dd853cb62466f578447a1c0c303ccb3

SHA256
88924e559858cdaea41f1857f6a2411c1738727f4037f8c698a2f05841b40b12

SHA512
f05142b12f7e5ddb83c2dbddeb32b626d7d39116028ad7f26b1c87be86e8f6cb6c87dd0d42924a81faf153fdfad41dcc662cd8ea45748523fe75221457736b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ua4Pw3nz.exe

Filesize
531KB

MD5
b44081a6d8862262eadb85b99edd191d

SHA1
b9a75cb03799ef253832e7bd8d5d7a39e381518a

SHA256
b84393b14cdd98c14f356c4700bfce284518848f14fc01ad3041d0c35c70e579

SHA512
1f407ad6883bb050846c0a05fa1641bc64203ddd334a0539f72972d5d700e639040f26b0737b910fa819931f60a2c65c6a528b7e4104c25f1edeec185e4762bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ua4Pw3nz.exe

Filesize
531KB

MD5
b44081a6d8862262eadb85b99edd191d

SHA1
b9a75cb03799ef253832e7bd8d5d7a39e381518a

SHA256
b84393b14cdd98c14f356c4700bfce284518848f14fc01ad3041d0c35c70e579

SHA512
1f407ad6883bb050846c0a05fa1641bc64203ddd334a0539f72972d5d700e639040f26b0737b910fa819931f60a2c65c6a528b7e4104c25f1edeec185e4762bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GY2TF7Xv.exe

Filesize
366KB

MD5
c0030ed0d53a09cbbbd390132068ab9f

SHA1
e6b3f6c00f52934f54fbe34dc78fec895ddf376c

SHA256
d7d6263fe52bf5d930e19cb1eab15bbc6009e688c39f2c7bd4fe7a0bcdc3193f

SHA512
bb58bbac1dbf4e483af3f79841449468f46a82206468c787aa926311b2af6754adec6ed657a6ab8baf775598ce193f6f21cf9f519f7c2f0262a0484dc24d65a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GY2TF7Xv.exe

Filesize
366KB

MD5
c0030ed0d53a09cbbbd390132068ab9f

SHA1
e6b3f6c00f52934f54fbe34dc78fec895ddf376c

SHA256
d7d6263fe52bf5d930e19cb1eab15bbc6009e688c39f2c7bd4fe7a0bcdc3193f

SHA512
bb58bbac1dbf4e483af3f79841449468f46a82206468c787aa926311b2af6754adec6ed657a6ab8baf775598ce193f6f21cf9f519f7c2f0262a0484dc24d65a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv29Ra8.exe

Filesize
285KB

MD5
49c8a0e159c84705b4ae930c7f763dcc

SHA1
3afc17a4dea9acf546130ab0620857f468b26e15

SHA256
1ea979277aebf34491748e34bc0984d828937ed803052a93a49d6a660ccd8740

SHA512
24311a6fe7eb29793831df290256cdeb5323b46ee8e41509ed77da9c0f5851beac2cb1a3ad5d51c488b042ec04a5b7bc688b6b85334079d60963e67a9cb428bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv29Ra8.exe

Filesize
285KB

MD5
49c8a0e159c84705b4ae930c7f763dcc

SHA1
3afc17a4dea9acf546130ab0620857f468b26e15

SHA256
1ea979277aebf34491748e34bc0984d828937ed803052a93a49d6a660ccd8740

SHA512
24311a6fe7eb29793831df290256cdeb5323b46ee8e41509ed77da9c0f5851beac2cb1a3ad5d51c488b042ec04a5b7bc688b6b85334079d60963e67a9cb428bd

Download Submit
memory/2748-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2748-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2748-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2748-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads