d45490551ceb2c224bcd8cb3cb67d98fff4261b6e2d72cc57ee9b0a3f0301bdf

Analysis

max time kernel
128s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
03/10/2023, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d45490551ceb2c224bcd8cb3cb67d98fff4261b6e2d72cc57ee9b0a3f0301bdf.exe
Size

1.1MB
MD5

f82128954c77f92646dd8f4ff99c6bb4
SHA1

91e72332ba474f1b5bfb11337b6eef666d6b0521
SHA256

d45490551ceb2c224bcd8cb3cb67d98fff4261b6e2d72cc57ee9b0a3f0301bdf
SHA512

cfaa8561b2e7eb29985718bba0b97b24439345633bee9a98e3cb6df32142317eba6d810590ff8c9165510204627ead9b36345d9440a5de4c575a75f6c558c988
SSDEEP

24576:ryG6Gjmg7UZDMjjJzyY7xGiY2mM8Z7QgNftdzD57:epcaYjJX7IZxH/5

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2224	Jp6ov7Ks.exe
1952	QC3ML5WT.exe
2448	MM6jC4Rt.exe
1108	jd0wd2eb.exe
664	1Lv06Fd0.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	jd0wd2eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d45490551ceb2c224bcd8cb3cb67d98fff4261b6e2d72cc57ee9b0a3f0301bdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Jp6ov7Ks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	QC3ML5WT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	MM6jC4Rt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 664 set thread context of 3792	664	1Lv06Fd0.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4244	664	WerFault.exe	73
3276	3792	WerFault.exe	75

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 2224	4136	d45490551ceb2c224bcd8cb3cb67d98fff4261b6e2d72cc57ee9b0a3f0301bdf.exe	69
PID 4136 wrote to memory of 2224	4136	d45490551ceb2c224bcd8cb3cb67d98fff4261b6e2d72cc57ee9b0a3f0301bdf.exe	69
PID 4136 wrote to memory of 2224	4136	d45490551ceb2c224bcd8cb3cb67d98fff4261b6e2d72cc57ee9b0a3f0301bdf.exe	69
PID 2224 wrote to memory of 1952	2224	Jp6ov7Ks.exe	70
PID 2224 wrote to memory of 1952	2224	Jp6ov7Ks.exe	70
PID 2224 wrote to memory of 1952	2224	Jp6ov7Ks.exe	70
PID 1952 wrote to memory of 2448	1952	QC3ML5WT.exe	71
PID 1952 wrote to memory of 2448	1952	QC3ML5WT.exe	71
PID 1952 wrote to memory of 2448	1952	QC3ML5WT.exe	71
PID 2448 wrote to memory of 1108	2448	MM6jC4Rt.exe	72
PID 2448 wrote to memory of 1108	2448	MM6jC4Rt.exe	72
PID 2448 wrote to memory of 1108	2448	MM6jC4Rt.exe	72
PID 1108 wrote to memory of 664	1108	jd0wd2eb.exe	73
PID 1108 wrote to memory of 664	1108	jd0wd2eb.exe	73
PID 1108 wrote to memory of 664	1108	jd0wd2eb.exe	73
PID 664 wrote to memory of 3792	664	1Lv06Fd0.exe	75
PID 664 wrote to memory of 3792	664	1Lv06Fd0.exe	75
PID 664 wrote to memory of 3792	664	1Lv06Fd0.exe	75
PID 664 wrote to memory of 3792	664	1Lv06Fd0.exe	75
PID 664 wrote to memory of 3792	664	1Lv06Fd0.exe	75
PID 664 wrote to memory of 3792	664	1Lv06Fd0.exe	75
PID 664 wrote to memory of 3792	664	1Lv06Fd0.exe	75
PID 664 wrote to memory of 3792	664	1Lv06Fd0.exe	75
PID 664 wrote to memory of 3792	664	1Lv06Fd0.exe	75
PID 664 wrote to memory of 3792	664	1Lv06Fd0.exe	75

C:\Users\Admin\AppData\Local\Temp\d45490551ceb2c224bcd8cb3cb67d98fff4261b6e2d72cc57ee9b0a3f0301bdf.exe
"C:\Users\Admin\AppData\Local\Temp\d45490551ceb2c224bcd8cb3cb67d98fff4261b6e2d72cc57ee9b0a3f0301bdf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jp6ov7Ks.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jp6ov7Ks.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QC3ML5WT.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QC3ML5WT.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MM6jC4Rt.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MM6jC4Rt.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jd0wd2eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jd0wd2eb.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1108
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lv06Fd0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lv06Fd0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 568
        8⤵
        Program crash
        
        PID:3276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 144
        7⤵
        Program crash
        
        PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jp6ov7Ks.exe

Filesize
960KB

MD5
0c6eb04588143f4c42816eef8a849f48

SHA1
e2e2ef1aea616f0c7085c92e0bd65e537d1329eb

SHA256
072be158dc772aaa221f995b89d0d8007423dfc604120eb0990f5571e987ed45

SHA512
b9e0190493d987313e54faab846fcb44269af23afa48e0c333e4700632d3db269129c074a3127d8641be1e1c513f4d2104fc340881957a97ca1591fbc7866974

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jp6ov7Ks.exe

Filesize
960KB

MD5
0c6eb04588143f4c42816eef8a849f48

SHA1
e2e2ef1aea616f0c7085c92e0bd65e537d1329eb

SHA256
072be158dc772aaa221f995b89d0d8007423dfc604120eb0990f5571e987ed45

SHA512
b9e0190493d987313e54faab846fcb44269af23afa48e0c333e4700632d3db269129c074a3127d8641be1e1c513f4d2104fc340881957a97ca1591fbc7866974

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QC3ML5WT.exe

Filesize
778KB

MD5
8890cfc400665524e9d998af2ef2714f

SHA1
f9509c090185ad31d5653ec4da89247634a02bad

SHA256
d0af2e9021ee8d9eebd1b8de83dc526b5ecf8132183711040d9cb0047750e39e

SHA512
12bb36e0df0888d9d043ffd04d47c3bf2456f53ee3b1fb67e0fd6568621f8975a62e7a784aa6fba3bc8844ba30bece84c722ff82e70165371914944ed230afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QC3ML5WT.exe

Filesize
778KB

MD5
8890cfc400665524e9d998af2ef2714f

SHA1
f9509c090185ad31d5653ec4da89247634a02bad

SHA256
d0af2e9021ee8d9eebd1b8de83dc526b5ecf8132183711040d9cb0047750e39e

SHA512
12bb36e0df0888d9d043ffd04d47c3bf2456f53ee3b1fb67e0fd6568621f8975a62e7a784aa6fba3bc8844ba30bece84c722ff82e70165371914944ed230afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MM6jC4Rt.exe

Filesize
532KB

MD5
3360cfdcd46c04d421f1298226d58a53

SHA1
387d24326ef0198901cbfa60f7e32f9dfa0831a4

SHA256
786c7e5c329669d77d26bdf25320343af48231e217295324c7b1da990effeb00

SHA512
0d97b902a474eadb334f12f4a16c43f29e9da4c878cdb73bbcd86b99d9346ce24db98d44aff76b436d9a97e5788b715d377ca547c733b34825043d5c334c5f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MM6jC4Rt.exe

Filesize
532KB

MD5
3360cfdcd46c04d421f1298226d58a53

SHA1
387d24326ef0198901cbfa60f7e32f9dfa0831a4

SHA256
786c7e5c329669d77d26bdf25320343af48231e217295324c7b1da990effeb00

SHA512
0d97b902a474eadb334f12f4a16c43f29e9da4c878cdb73bbcd86b99d9346ce24db98d44aff76b436d9a97e5788b715d377ca547c733b34825043d5c334c5f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jd0wd2eb.exe

Filesize
366KB

MD5
06bb4f021e01f2d97b025a059e3acfe0

SHA1
cce7fec107e89c1fde35d7237370b1c960749f13

SHA256
d8b8e2d85972969b18637c16a8e6c27d9f61381e507b1d096a1f5f72bd9aa499

SHA512
9e0653df4e18f0feb245f061f7952864ac8e7295f51a3a5e4351a61413d305befba1f9f228cb062861b28a7cdaf222470eecb730cb99e1c11f6468a089d056d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jd0wd2eb.exe

Filesize
366KB

MD5
06bb4f021e01f2d97b025a059e3acfe0

SHA1
cce7fec107e89c1fde35d7237370b1c960749f13

SHA256
d8b8e2d85972969b18637c16a8e6c27d9f61381e507b1d096a1f5f72bd9aa499

SHA512
9e0653df4e18f0feb245f061f7952864ac8e7295f51a3a5e4351a61413d305befba1f9f228cb062861b28a7cdaf222470eecb730cb99e1c11f6468a089d056d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lv06Fd0.exe

Filesize
285KB

MD5
42d55a80efef8c8f44b7ffd5ebdf61b4

SHA1
21b2a7a9638d0f29186915ce591ef1ba5aee8763

SHA256
755d86400809ff7ee9590da37394f951cb9d8a6c4a39def908e72e9fa09d1040

SHA512
cbcf9c1fa8a2d2fd7c31829b3f7c4ac9a56e2e5e98704ae9cde5bb0be8970a51a23e6c482841c921c50050ffc14d4c395cc8fd3b6a59dc33e238acf8b56ea46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lv06Fd0.exe

Filesize
285KB

MD5
42d55a80efef8c8f44b7ffd5ebdf61b4

SHA1
21b2a7a9638d0f29186915ce591ef1ba5aee8763

SHA256
755d86400809ff7ee9590da37394f951cb9d8a6c4a39def908e72e9fa09d1040

SHA512
cbcf9c1fa8a2d2fd7c31829b3f7c4ac9a56e2e5e98704ae9cde5bb0be8970a51a23e6c482841c921c50050ffc14d4c395cc8fd3b6a59dc33e238acf8b56ea46e

Download Submit
memory/3792-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3792-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3792-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3792-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads