855c742abd80826b49dc1e2cc9240fbf5afcf29772ed4a5fae078555dd0f9b64

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04/10/2023, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rh0ES6EV.exe
Size

1.1MB
MD5

eda41d4aeb1a680f6f1115003347ac6e
SHA1

094f662631a06c3efc7f6407c996a6aac4d3af00
SHA256

855c742abd80826b49dc1e2cc9240fbf5afcf29772ed4a5fae078555dd0f9b64
SHA512

7a92569be4de4ccdc8a60dc6bc62df0b3764ce8a6eba737afa6fc3a381375b03f47dd3387ce06d758fdcfd89f425eef42476688c844ce41025690dba242fbee2
SSDEEP

24576:VyorWqFGyhgEQglGijLKo/IgH51OeNgiKETcnNSJwo20FORLJ9R7:wmWqFGwg6lGijLKo/hH51OYthTWi2

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3008	Gq9QY7qJ.exe
2424	VL6LF0kp.exe
1648	1vj44Ir9.exe

Loads dropped DLL 10 IoCs

pid	Process
2372	Rh0ES6EV.exe
3008	Gq9QY7qJ.exe
3008	Gq9QY7qJ.exe
2424	VL6LF0kp.exe
2424	VL6LF0kp.exe
1648	1vj44Ir9.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	VL6LF0kp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Rh0ES6EV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Gq9QY7qJ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1648 set thread context of 1876	1648	1vj44Ir9.exe	32

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2740	1648	WerFault.exe	30
2976	1876	WerFault.exe	32

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 3008	2372	Rh0ES6EV.exe	28
PID 2372 wrote to memory of 3008	2372	Rh0ES6EV.exe	28
PID 2372 wrote to memory of 3008	2372	Rh0ES6EV.exe	28
PID 2372 wrote to memory of 3008	2372	Rh0ES6EV.exe	28
PID 2372 wrote to memory of 3008	2372	Rh0ES6EV.exe	28
PID 2372 wrote to memory of 3008	2372	Rh0ES6EV.exe	28
PID 2372 wrote to memory of 3008	2372	Rh0ES6EV.exe	28
PID 3008 wrote to memory of 2424	3008	Gq9QY7qJ.exe	29
PID 3008 wrote to memory of 2424	3008	Gq9QY7qJ.exe	29
PID 3008 wrote to memory of 2424	3008	Gq9QY7qJ.exe	29
PID 3008 wrote to memory of 2424	3008	Gq9QY7qJ.exe	29
PID 3008 wrote to memory of 2424	3008	Gq9QY7qJ.exe	29
PID 3008 wrote to memory of 2424	3008	Gq9QY7qJ.exe	29
PID 3008 wrote to memory of 2424	3008	Gq9QY7qJ.exe	29
PID 2424 wrote to memory of 1648	2424	VL6LF0kp.exe	30
PID 2424 wrote to memory of 1648	2424	VL6LF0kp.exe	30
PID 2424 wrote to memory of 1648	2424	VL6LF0kp.exe	30
PID 2424 wrote to memory of 1648	2424	VL6LF0kp.exe	30
PID 2424 wrote to memory of 1648	2424	VL6LF0kp.exe	30
PID 2424 wrote to memory of 1648	2424	VL6LF0kp.exe	30
PID 2424 wrote to memory of 1648	2424	VL6LF0kp.exe	30
PID 1648 wrote to memory of 1876	1648	1vj44Ir9.exe	32
PID 1648 wrote to memory of 1876	1648	1vj44Ir9.exe	32
PID 1648 wrote to memory of 1876	1648	1vj44Ir9.exe	32
PID 1648 wrote to memory of 1876	1648	1vj44Ir9.exe	32
PID 1648 wrote to memory of 1876	1648	1vj44Ir9.exe	32
PID 1648 wrote to memory of 1876	1648	1vj44Ir9.exe	32
PID 1648 wrote to memory of 1876	1648	1vj44Ir9.exe	32
PID 1648 wrote to memory of 1876	1648	1vj44Ir9.exe	32
PID 1648 wrote to memory of 1876	1648	1vj44Ir9.exe	32
PID 1648 wrote to memory of 1876	1648	1vj44Ir9.exe	32
PID 1648 wrote to memory of 1876	1648	1vj44Ir9.exe	32
PID 1648 wrote to memory of 1876	1648	1vj44Ir9.exe	32
PID 1648 wrote to memory of 1876	1648	1vj44Ir9.exe	32
PID 1648 wrote to memory of 1876	1648	1vj44Ir9.exe	32
PID 1648 wrote to memory of 2740	1648	1vj44Ir9.exe	33
PID 1648 wrote to memory of 2740	1648	1vj44Ir9.exe	33
PID 1648 wrote to memory of 2740	1648	1vj44Ir9.exe	33
PID 1648 wrote to memory of 2740	1648	1vj44Ir9.exe	33
PID 1648 wrote to memory of 2740	1648	1vj44Ir9.exe	33
PID 1648 wrote to memory of 2740	1648	1vj44Ir9.exe	33
PID 1648 wrote to memory of 2740	1648	1vj44Ir9.exe	33
PID 1876 wrote to memory of 2976	1876	AppLaunch.exe	34
PID 1876 wrote to memory of 2976	1876	AppLaunch.exe	34
PID 1876 wrote to memory of 2976	1876	AppLaunch.exe	34
PID 1876 wrote to memory of 2976	1876	AppLaunch.exe	34
PID 1876 wrote to memory of 2976	1876	AppLaunch.exe	34
PID 1876 wrote to memory of 2976	1876	AppLaunch.exe	34
PID 1876 wrote to memory of 2976	1876	AppLaunch.exe	34

C:\Users\Admin\AppData\Local\Temp\Rh0ES6EV.exe
"C:\Users\Admin\AppData\Local\Temp\Rh0ES6EV.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gq9QY7qJ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gq9QY7qJ.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VL6LF0kp.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VL6LF0kp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vj44Ir9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vj44Ir9.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 268
        6⤵
        Program crash
        
        PID:2976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 284
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gq9QY7qJ.exe

Filesize
735KB

MD5
ea4eaf3f6a8ddbf927e8e033b86ee229

SHA1
a8f63c5a3ad87e81d2794789ab9c8932e05d076a

SHA256
c9c5589f5e4159c9b3143db3ec8b92306819a91b6b130a29ab93769f168a605f

SHA512
add8d321c3eab4040c8736ce6407bd0f94bc7e4e9d3eb684101330bdda13d8e3b68aaa9df3fb3e97439c2f7f018067af45135245f8c08f77148703968dbf1520

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gq9QY7qJ.exe

Filesize
735KB

MD5
ea4eaf3f6a8ddbf927e8e033b86ee229

SHA1
a8f63c5a3ad87e81d2794789ab9c8932e05d076a

SHA256
c9c5589f5e4159c9b3143db3ec8b92306819a91b6b130a29ab93769f168a605f

SHA512
add8d321c3eab4040c8736ce6407bd0f94bc7e4e9d3eb684101330bdda13d8e3b68aaa9df3fb3e97439c2f7f018067af45135245f8c08f77148703968dbf1520

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VL6LF0kp.exe

Filesize
563KB

MD5
33bc60a2c387a0f31bb3d2e7b118c3a8

SHA1
b6f27d4c91cb05738cec12e586f59abc06f391ac

SHA256
8eb1d5e0ac77bd4427d6831806d6e31ddfbd6ceb1ad588be72d48c6d1c273b87

SHA512
ab8c9815d330a4da047ff23aa802d0e9d220f2f1ffcd30d113da3a8b79bc38626f046796486948e9a55f0bb7c94e4e78fbd28a1b2c9d04ce077052d4b53437c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VL6LF0kp.exe

Filesize
563KB

MD5
33bc60a2c387a0f31bb3d2e7b118c3a8

SHA1
b6f27d4c91cb05738cec12e586f59abc06f391ac

SHA256
8eb1d5e0ac77bd4427d6831806d6e31ddfbd6ceb1ad588be72d48c6d1c273b87

SHA512
ab8c9815d330a4da047ff23aa802d0e9d220f2f1ffcd30d113da3a8b79bc38626f046796486948e9a55f0bb7c94e4e78fbd28a1b2c9d04ce077052d4b53437c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vj44Ir9.exe

Filesize
1.4MB

MD5
47c8a3a91ed2b43175bf0845388d916c

SHA1
dc5606d9a552b3f5e7fef4477b2b75cd52d9ac18

SHA256
252ccdf62eb74bebb006d989b4af0a3b2edb992317f9df584d60bc5f765839a2

SHA512
099fb46d8f575de1277fa17dac21d839bac79f444c7cf1db6fae4cc9f5f1266f1312da773c73cb5e27d7d91de9856b7c85eb01f163f0a63c56ab3c4d64f3cbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vj44Ir9.exe

Filesize
1.4MB

MD5
47c8a3a91ed2b43175bf0845388d916c

SHA1
dc5606d9a552b3f5e7fef4477b2b75cd52d9ac18

SHA256
252ccdf62eb74bebb006d989b4af0a3b2edb992317f9df584d60bc5f765839a2

SHA512
099fb46d8f575de1277fa17dac21d839bac79f444c7cf1db6fae4cc9f5f1266f1312da773c73cb5e27d7d91de9856b7c85eb01f163f0a63c56ab3c4d64f3cbcb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gq9QY7qJ.exe

Filesize
735KB

MD5
ea4eaf3f6a8ddbf927e8e033b86ee229

SHA1
a8f63c5a3ad87e81d2794789ab9c8932e05d076a

SHA256
c9c5589f5e4159c9b3143db3ec8b92306819a91b6b130a29ab93769f168a605f

SHA512
add8d321c3eab4040c8736ce6407bd0f94bc7e4e9d3eb684101330bdda13d8e3b68aaa9df3fb3e97439c2f7f018067af45135245f8c08f77148703968dbf1520

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gq9QY7qJ.exe

Filesize
735KB

MD5
ea4eaf3f6a8ddbf927e8e033b86ee229

SHA1
a8f63c5a3ad87e81d2794789ab9c8932e05d076a

SHA256
c9c5589f5e4159c9b3143db3ec8b92306819a91b6b130a29ab93769f168a605f

SHA512
add8d321c3eab4040c8736ce6407bd0f94bc7e4e9d3eb684101330bdda13d8e3b68aaa9df3fb3e97439c2f7f018067af45135245f8c08f77148703968dbf1520

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\VL6LF0kp.exe

Filesize
563KB

MD5
33bc60a2c387a0f31bb3d2e7b118c3a8

SHA1
b6f27d4c91cb05738cec12e586f59abc06f391ac

SHA256
8eb1d5e0ac77bd4427d6831806d6e31ddfbd6ceb1ad588be72d48c6d1c273b87

SHA512
ab8c9815d330a4da047ff23aa802d0e9d220f2f1ffcd30d113da3a8b79bc38626f046796486948e9a55f0bb7c94e4e78fbd28a1b2c9d04ce077052d4b53437c9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\VL6LF0kp.exe

Filesize
563KB

MD5
33bc60a2c387a0f31bb3d2e7b118c3a8

SHA1
b6f27d4c91cb05738cec12e586f59abc06f391ac

SHA256
8eb1d5e0ac77bd4427d6831806d6e31ddfbd6ceb1ad588be72d48c6d1c273b87

SHA512
ab8c9815d330a4da047ff23aa802d0e9d220f2f1ffcd30d113da3a8b79bc38626f046796486948e9a55f0bb7c94e4e78fbd28a1b2c9d04ce077052d4b53437c9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vj44Ir9.exe

Filesize
1.4MB

MD5
47c8a3a91ed2b43175bf0845388d916c

SHA1
dc5606d9a552b3f5e7fef4477b2b75cd52d9ac18

SHA256
252ccdf62eb74bebb006d989b4af0a3b2edb992317f9df584d60bc5f765839a2

SHA512
099fb46d8f575de1277fa17dac21d839bac79f444c7cf1db6fae4cc9f5f1266f1312da773c73cb5e27d7d91de9856b7c85eb01f163f0a63c56ab3c4d64f3cbcb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vj44Ir9.exe

Filesize
1.4MB

MD5
47c8a3a91ed2b43175bf0845388d916c

SHA1
dc5606d9a552b3f5e7fef4477b2b75cd52d9ac18

SHA256
252ccdf62eb74bebb006d989b4af0a3b2edb992317f9df584d60bc5f765839a2

SHA512
099fb46d8f575de1277fa17dac21d839bac79f444c7cf1db6fae4cc9f5f1266f1312da773c73cb5e27d7d91de9856b7c85eb01f163f0a63c56ab3c4d64f3cbcb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vj44Ir9.exe

Filesize
1.4MB

MD5
47c8a3a91ed2b43175bf0845388d916c

SHA1
dc5606d9a552b3f5e7fef4477b2b75cd52d9ac18

SHA256
252ccdf62eb74bebb006d989b4af0a3b2edb992317f9df584d60bc5f765839a2

SHA512
099fb46d8f575de1277fa17dac21d839bac79f444c7cf1db6fae4cc9f5f1266f1312da773c73cb5e27d7d91de9856b7c85eb01f163f0a63c56ab3c4d64f3cbcb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vj44Ir9.exe

Filesize
1.4MB

MD5
47c8a3a91ed2b43175bf0845388d916c

SHA1
dc5606d9a552b3f5e7fef4477b2b75cd52d9ac18

SHA256
252ccdf62eb74bebb006d989b4af0a3b2edb992317f9df584d60bc5f765839a2

SHA512
099fb46d8f575de1277fa17dac21d839bac79f444c7cf1db6fae4cc9f5f1266f1312da773c73cb5e27d7d91de9856b7c85eb01f163f0a63c56ab3c4d64f3cbcb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vj44Ir9.exe

Filesize
1.4MB

MD5
47c8a3a91ed2b43175bf0845388d916c

SHA1
dc5606d9a552b3f5e7fef4477b2b75cd52d9ac18

SHA256
252ccdf62eb74bebb006d989b4af0a3b2edb992317f9df584d60bc5f765839a2

SHA512
099fb46d8f575de1277fa17dac21d839bac79f444c7cf1db6fae4cc9f5f1266f1312da773c73cb5e27d7d91de9856b7c85eb01f163f0a63c56ab3c4d64f3cbcb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vj44Ir9.exe

Filesize
1.4MB

MD5
47c8a3a91ed2b43175bf0845388d916c

SHA1
dc5606d9a552b3f5e7fef4477b2b75cd52d9ac18

SHA256
252ccdf62eb74bebb006d989b4af0a3b2edb992317f9df584d60bc5f765839a2

SHA512
099fb46d8f575de1277fa17dac21d839bac79f444c7cf1db6fae4cc9f5f1266f1312da773c73cb5e27d7d91de9856b7c85eb01f163f0a63c56ab3c4d64f3cbcb

Download Submit
memory/1876-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1876-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1876-39-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1876-40-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1876-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1876-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1876-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1876-33-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1876-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1876-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads