2e244bc261ad6660e8a29deba2b0fd10f8fbbb3216ec998f5b1393a951d4b348

Analysis

max time kernel
126s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
02/10/2023, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e244bc261ad6660e8a29deba2b0fd10f8fbbb3216ec998f5b1393a951d4b348.exe
Size

1.1MB
MD5

291d88e0e0119cfc541acbe76ea5472a
SHA1

7afa7f305d695475ed582cc34eb0f05052f1e785
SHA256

2e244bc261ad6660e8a29deba2b0fd10f8fbbb3216ec998f5b1393a951d4b348
SHA512

c58de961ba22c9b29b82e80b72ee42bd2bf5dbe00927b0ffb1a6c4928d827069b6b50e009a1fa97ae30bad4553ed4d475507f73f99b00c26fb660a7031260180
SSDEEP

24576:GyCGYUJAIpE5ENm6A0GW/gDpyGNsU2Nq2JK2WGZ2:VsUjeymPTW/gDp7NUZ0dG

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4940	sK1Ft9td.exe
768	zx8vM6KV.exe
4948	ku8xI5TT.exe
4856	cC3yi5Ov.exe
4580	1hw18PA5.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	cC3yi5Ov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2e244bc261ad6660e8a29deba2b0fd10f8fbbb3216ec998f5b1393a951d4b348.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sK1Ft9td.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zx8vM6KV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ku8xI5TT.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4580 set thread context of 1540	4580	1hw18PA5.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4412	4580	WerFault.exe	74
2696	1540	WerFault.exe	77

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 4940	3588	2e244bc261ad6660e8a29deba2b0fd10f8fbbb3216ec998f5b1393a951d4b348.exe	70
PID 3588 wrote to memory of 4940	3588	2e244bc261ad6660e8a29deba2b0fd10f8fbbb3216ec998f5b1393a951d4b348.exe	70
PID 3588 wrote to memory of 4940	3588	2e244bc261ad6660e8a29deba2b0fd10f8fbbb3216ec998f5b1393a951d4b348.exe	70
PID 4940 wrote to memory of 768	4940	sK1Ft9td.exe	71
PID 4940 wrote to memory of 768	4940	sK1Ft9td.exe	71
PID 4940 wrote to memory of 768	4940	sK1Ft9td.exe	71
PID 768 wrote to memory of 4948	768	zx8vM6KV.exe	72
PID 768 wrote to memory of 4948	768	zx8vM6KV.exe	72
PID 768 wrote to memory of 4948	768	zx8vM6KV.exe	72
PID 4948 wrote to memory of 4856	4948	ku8xI5TT.exe	73
PID 4948 wrote to memory of 4856	4948	ku8xI5TT.exe	73
PID 4948 wrote to memory of 4856	4948	ku8xI5TT.exe	73
PID 4856 wrote to memory of 4580	4856	cC3yi5Ov.exe	74
PID 4856 wrote to memory of 4580	4856	cC3yi5Ov.exe	74
PID 4856 wrote to memory of 4580	4856	cC3yi5Ov.exe	74
PID 4580 wrote to memory of 1088	4580	1hw18PA5.exe	76
PID 4580 wrote to memory of 1088	4580	1hw18PA5.exe	76
PID 4580 wrote to memory of 1088	4580	1hw18PA5.exe	76
PID 4580 wrote to memory of 1540	4580	1hw18PA5.exe	77
PID 4580 wrote to memory of 1540	4580	1hw18PA5.exe	77
PID 4580 wrote to memory of 1540	4580	1hw18PA5.exe	77
PID 4580 wrote to memory of 1540	4580	1hw18PA5.exe	77
PID 4580 wrote to memory of 1540	4580	1hw18PA5.exe	77
PID 4580 wrote to memory of 1540	4580	1hw18PA5.exe	77
PID 4580 wrote to memory of 1540	4580	1hw18PA5.exe	77
PID 4580 wrote to memory of 1540	4580	1hw18PA5.exe	77
PID 4580 wrote to memory of 1540	4580	1hw18PA5.exe	77
PID 4580 wrote to memory of 1540	4580	1hw18PA5.exe	77

C:\Users\Admin\AppData\Local\Temp\2e244bc261ad6660e8a29deba2b0fd10f8fbbb3216ec998f5b1393a951d4b348.exe
"C:\Users\Admin\AppData\Local\Temp\2e244bc261ad6660e8a29deba2b0fd10f8fbbb3216ec998f5b1393a951d4b348.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK1Ft9td.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK1Ft9td.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zx8vM6KV.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zx8vM6KV.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ku8xI5TT.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ku8xI5TT.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cC3yi5Ov.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cC3yi5Ov.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hw18PA5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hw18PA5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 568
        8⤵
        Program crash
        
        PID:2696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 576
        7⤵
        Program crash
        
        PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK1Ft9td.exe

Filesize
961KB

MD5
5260b1642a109aad70d41cb8fd9e6953

SHA1
cf54ea2c412b7d027493d8afe82bf4e4c18e5ce6

SHA256
c48d05615a235ff374dd32745ff908c567947c985b21f2e74ea999c4b97d5ec1

SHA512
21e7ad6c50eadc618d4daa39169be8dffcaf3cb9825f0460bcbb2e1f9df2960401ad31bd875cee312090c429408288e0d49732e60955745690c13b51848c3707

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK1Ft9td.exe

Filesize
961KB

MD5
5260b1642a109aad70d41cb8fd9e6953

SHA1
cf54ea2c412b7d027493d8afe82bf4e4c18e5ce6

SHA256
c48d05615a235ff374dd32745ff908c567947c985b21f2e74ea999c4b97d5ec1

SHA512
21e7ad6c50eadc618d4daa39169be8dffcaf3cb9825f0460bcbb2e1f9df2960401ad31bd875cee312090c429408288e0d49732e60955745690c13b51848c3707

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zx8vM6KV.exe

Filesize
778KB

MD5
c1b801c1c3fcc2239d7b40e5b76d8fa0

SHA1
e0514723fb92c8dfbf50aa5527c5d8314c07e4a9

SHA256
a40c69e445319d33905c3bec87e5a445c7be530f17e1f82d750a5c8660e774a8

SHA512
e43a4e51477efded77374a69cda8b3055dafd35752524919bea9b4e87920fdd776135025594f5f46a88956a155328f61c59a3cba6015205f4b04ea1579931e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zx8vM6KV.exe

Filesize
778KB

MD5
c1b801c1c3fcc2239d7b40e5b76d8fa0

SHA1
e0514723fb92c8dfbf50aa5527c5d8314c07e4a9

SHA256
a40c69e445319d33905c3bec87e5a445c7be530f17e1f82d750a5c8660e774a8

SHA512
e43a4e51477efded77374a69cda8b3055dafd35752524919bea9b4e87920fdd776135025594f5f46a88956a155328f61c59a3cba6015205f4b04ea1579931e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ku8xI5TT.exe

Filesize
531KB

MD5
f4ee8187644839a523a1fe2600298182

SHA1
92e24ba34074a3156fc9e2edd9e4440103064584

SHA256
dfd9be0a9bd31ebb80fcc621b7fac3826fe61bf4bd2f3b8e56c0de28e561bf7a

SHA512
f458a720584809fee50583c399622cf008c89e6e727b52898ecc7e9334e0907bf01760390b28c000e394d6a890c0e08870e33fb39fa8b314848125875ab69019

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ku8xI5TT.exe

Filesize
531KB

MD5
f4ee8187644839a523a1fe2600298182

SHA1
92e24ba34074a3156fc9e2edd9e4440103064584

SHA256
dfd9be0a9bd31ebb80fcc621b7fac3826fe61bf4bd2f3b8e56c0de28e561bf7a

SHA512
f458a720584809fee50583c399622cf008c89e6e727b52898ecc7e9334e0907bf01760390b28c000e394d6a890c0e08870e33fb39fa8b314848125875ab69019

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cC3yi5Ov.exe

Filesize
365KB

MD5
a8874c4d339ba37a7be01ed36272445f

SHA1
acc4feb70acc9b02fe4c6e1f12f66c51c4818b60

SHA256
083355c6871e34be7c11ac0f87821a67c200ae521c0783c345c36122cfdcc1ca

SHA512
3a374b0f17e076541a54df448a24c0ba698fea7808854de07a4ad65540d3e0e53619d21b4388f8649925e87dfcc2d2ab560014419f6765975664f4f5129a62ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cC3yi5Ov.exe

Filesize
365KB

MD5
a8874c4d339ba37a7be01ed36272445f

SHA1
acc4feb70acc9b02fe4c6e1f12f66c51c4818b60

SHA256
083355c6871e34be7c11ac0f87821a67c200ae521c0783c345c36122cfdcc1ca

SHA512
3a374b0f17e076541a54df448a24c0ba698fea7808854de07a4ad65540d3e0e53619d21b4388f8649925e87dfcc2d2ab560014419f6765975664f4f5129a62ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hw18PA5.exe

Filesize
285KB

MD5
03da199a5cf1c6292dd43bc3aa3e72d7

SHA1
4526ddeabe9f2fb87fcac28f2d35aabb17d788b5

SHA256
73e1cd6f7915e9020acd55b6d5d3cc140f0dd7d3692790ce2636f4e38e5e6064

SHA512
eb7c9a2470386b0b3b334c0b0aa831d95d418d586454e90706f7d9a0530bb2c080d515b0ef1f27b581d28189931ce519027934b28eb47eae16b22554bc2bef87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hw18PA5.exe

Filesize
285KB

MD5
03da199a5cf1c6292dd43bc3aa3e72d7

SHA1
4526ddeabe9f2fb87fcac28f2d35aabb17d788b5

SHA256
73e1cd6f7915e9020acd55b6d5d3cc140f0dd7d3692790ce2636f4e38e5e6064

SHA512
eb7c9a2470386b0b3b334c0b0aa831d95d418d586454e90706f7d9a0530bb2c080d515b0ef1f27b581d28189931ce519027934b28eb47eae16b22554bc2bef87

Download Submit
memory/1540-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1540-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1540-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1540-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads