8ca3b29730686ea1d77500a473bbaaa14e7d8c12bdef10beae7a57de9cd18a54

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04/10/2023, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x9228246.exe
Size

548KB
MD5

7839fedb6f3f1c825ec1555c77be70e7
SHA1

f0a0be570508ff708b8d7eaec08ae2b9d2926b7d
SHA256

8ca3b29730686ea1d77500a473bbaaa14e7d8c12bdef10beae7a57de9cd18a54
SHA512

a7e44339079576ad803a950ee5b0c9f18ab517284a8c3cd5985b32cc254c2cb7a5393cd3597362ff78396876c59a9f4cbb067358bbf17d319cde3a7076e2cee4
SSDEEP

12288:DMrXy90D7O0pmLwPPFDU2V4Y04yttO7NKsa:UyUjpmEFDUhY04yqNKsa

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2336	x5534117.exe
2732	g3154158.exe

Loads dropped DLL 9 IoCs

pid	Process
2492	x9228246.exe
2336	x5534117.exe
2336	x5534117.exe
2336	x5534117.exe
2732	g3154158.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5534117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x9228246.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2732 set thread context of 2896	2732	g3154158.exe	31

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2556	2732	WerFault.exe	29
2548	2896	WerFault.exe	31

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2336	2492	x9228246.exe	28
PID 2492 wrote to memory of 2336	2492	x9228246.exe	28
PID 2492 wrote to memory of 2336	2492	x9228246.exe	28
PID 2492 wrote to memory of 2336	2492	x9228246.exe	28
PID 2492 wrote to memory of 2336	2492	x9228246.exe	28
PID 2492 wrote to memory of 2336	2492	x9228246.exe	28
PID 2492 wrote to memory of 2336	2492	x9228246.exe	28
PID 2336 wrote to memory of 2732	2336	x5534117.exe	29
PID 2336 wrote to memory of 2732	2336	x5534117.exe	29
PID 2336 wrote to memory of 2732	2336	x5534117.exe	29
PID 2336 wrote to memory of 2732	2336	x5534117.exe	29
PID 2336 wrote to memory of 2732	2336	x5534117.exe	29
PID 2336 wrote to memory of 2732	2336	x5534117.exe	29
PID 2336 wrote to memory of 2732	2336	x5534117.exe	29
PID 2732 wrote to memory of 2896	2732	g3154158.exe	31
PID 2732 wrote to memory of 2896	2732	g3154158.exe	31
PID 2732 wrote to memory of 2896	2732	g3154158.exe	31
PID 2732 wrote to memory of 2896	2732	g3154158.exe	31
PID 2732 wrote to memory of 2896	2732	g3154158.exe	31
PID 2732 wrote to memory of 2896	2732	g3154158.exe	31
PID 2732 wrote to memory of 2896	2732	g3154158.exe	31
PID 2732 wrote to memory of 2896	2732	g3154158.exe	31
PID 2732 wrote to memory of 2896	2732	g3154158.exe	31
PID 2732 wrote to memory of 2896	2732	g3154158.exe	31
PID 2732 wrote to memory of 2896	2732	g3154158.exe	31
PID 2732 wrote to memory of 2896	2732	g3154158.exe	31
PID 2732 wrote to memory of 2896	2732	g3154158.exe	31
PID 2732 wrote to memory of 2896	2732	g3154158.exe	31
PID 2732 wrote to memory of 2556	2732	g3154158.exe	32
PID 2732 wrote to memory of 2556	2732	g3154158.exe	32
PID 2732 wrote to memory of 2556	2732	g3154158.exe	32
PID 2732 wrote to memory of 2556	2732	g3154158.exe	32
PID 2732 wrote to memory of 2556	2732	g3154158.exe	32
PID 2732 wrote to memory of 2556	2732	g3154158.exe	32
PID 2732 wrote to memory of 2556	2732	g3154158.exe	32
PID 2896 wrote to memory of 2548	2896	AppLaunch.exe	33
PID 2896 wrote to memory of 2548	2896	AppLaunch.exe	33
PID 2896 wrote to memory of 2548	2896	AppLaunch.exe	33
PID 2896 wrote to memory of 2548	2896	AppLaunch.exe	33
PID 2896 wrote to memory of 2548	2896	AppLaunch.exe	33
PID 2896 wrote to memory of 2548	2896	AppLaunch.exe	33
PID 2896 wrote to memory of 2548	2896	AppLaunch.exe	33

C:\Users\Admin\AppData\Local\Temp\x9228246.exe
"C:\Users\Admin\AppData\Local\Temp\x9228246.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5534117.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5534117.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 268
        5⤵
        Program crash
        
        PID:2548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 284
      4⤵
      Loads dropped DLL
      Program crash
      PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5534117.exe

Filesize
382KB

MD5
6ea3e070fb25f1f1eca50e6450003790

SHA1
3b4f8efc69da535abb35053d1423178fec8c6898

SHA256
7fb3f391db5ed03e48c9dcf73ade77b54526f3dfac791540727397e37bcaa0d5

SHA512
25c9785620f4fd4aba95c3783f541e6b6146397a8471671c1c82ce9ba804a64e918d4d5021126f50c44bbd02e499986b150993110b72c82a207bbe6b5fa55395

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5534117.exe

Filesize
382KB

MD5
6ea3e070fb25f1f1eca50e6450003790

SHA1
3b4f8efc69da535abb35053d1423178fec8c6898

SHA256
7fb3f391db5ed03e48c9dcf73ade77b54526f3dfac791540727397e37bcaa0d5

SHA512
25c9785620f4fd4aba95c3783f541e6b6146397a8471671c1c82ce9ba804a64e918d4d5021126f50c44bbd02e499986b150993110b72c82a207bbe6b5fa55395

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe

Filesize
304KB

MD5
0adeeced78600d6c9e4d3e5eda55d43a

SHA1
d18ffe4902ec97e7e47629a1d63edadddafc254a

SHA256
14821f7a0e8c0d7d87f74326c7b3c2f2ecfb846eae2fee8cdbf31afbb4218de4

SHA512
731ec1e7c00c7ebd72019eb41d5f708afca301302026f628b71f623a5a3fa67e11354b9ebd47a5b938727fe40b0c63bcba563775ce7b2a3be9f2d88be46d92d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe

Filesize
304KB

MD5
0adeeced78600d6c9e4d3e5eda55d43a

SHA1
d18ffe4902ec97e7e47629a1d63edadddafc254a

SHA256
14821f7a0e8c0d7d87f74326c7b3c2f2ecfb846eae2fee8cdbf31afbb4218de4

SHA512
731ec1e7c00c7ebd72019eb41d5f708afca301302026f628b71f623a5a3fa67e11354b9ebd47a5b938727fe40b0c63bcba563775ce7b2a3be9f2d88be46d92d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe

Filesize
304KB

MD5
0adeeced78600d6c9e4d3e5eda55d43a

SHA1
d18ffe4902ec97e7e47629a1d63edadddafc254a

SHA256
14821f7a0e8c0d7d87f74326c7b3c2f2ecfb846eae2fee8cdbf31afbb4218de4

SHA512
731ec1e7c00c7ebd72019eb41d5f708afca301302026f628b71f623a5a3fa67e11354b9ebd47a5b938727fe40b0c63bcba563775ce7b2a3be9f2d88be46d92d9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5534117.exe

Filesize
382KB

MD5
6ea3e070fb25f1f1eca50e6450003790

SHA1
3b4f8efc69da535abb35053d1423178fec8c6898

SHA256
7fb3f391db5ed03e48c9dcf73ade77b54526f3dfac791540727397e37bcaa0d5

SHA512
25c9785620f4fd4aba95c3783f541e6b6146397a8471671c1c82ce9ba804a64e918d4d5021126f50c44bbd02e499986b150993110b72c82a207bbe6b5fa55395

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5534117.exe

Filesize
382KB

MD5
6ea3e070fb25f1f1eca50e6450003790

SHA1
3b4f8efc69da535abb35053d1423178fec8c6898

SHA256
7fb3f391db5ed03e48c9dcf73ade77b54526f3dfac791540727397e37bcaa0d5

SHA512
25c9785620f4fd4aba95c3783f541e6b6146397a8471671c1c82ce9ba804a64e918d4d5021126f50c44bbd02e499986b150993110b72c82a207bbe6b5fa55395

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe

Filesize
304KB

MD5
0adeeced78600d6c9e4d3e5eda55d43a

SHA1
d18ffe4902ec97e7e47629a1d63edadddafc254a

SHA256
14821f7a0e8c0d7d87f74326c7b3c2f2ecfb846eae2fee8cdbf31afbb4218de4

SHA512
731ec1e7c00c7ebd72019eb41d5f708afca301302026f628b71f623a5a3fa67e11354b9ebd47a5b938727fe40b0c63bcba563775ce7b2a3be9f2d88be46d92d9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe

Filesize
304KB

MD5
0adeeced78600d6c9e4d3e5eda55d43a

SHA1
d18ffe4902ec97e7e47629a1d63edadddafc254a

SHA256
14821f7a0e8c0d7d87f74326c7b3c2f2ecfb846eae2fee8cdbf31afbb4218de4

SHA512
731ec1e7c00c7ebd72019eb41d5f708afca301302026f628b71f623a5a3fa67e11354b9ebd47a5b938727fe40b0c63bcba563775ce7b2a3be9f2d88be46d92d9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe

Filesize
304KB

MD5
0adeeced78600d6c9e4d3e5eda55d43a

SHA1
d18ffe4902ec97e7e47629a1d63edadddafc254a

SHA256
14821f7a0e8c0d7d87f74326c7b3c2f2ecfb846eae2fee8cdbf31afbb4218de4

SHA512
731ec1e7c00c7ebd72019eb41d5f708afca301302026f628b71f623a5a3fa67e11354b9ebd47a5b938727fe40b0c63bcba563775ce7b2a3be9f2d88be46d92d9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe

Filesize
304KB

MD5
0adeeced78600d6c9e4d3e5eda55d43a

SHA1
d18ffe4902ec97e7e47629a1d63edadddafc254a

SHA256
14821f7a0e8c0d7d87f74326c7b3c2f2ecfb846eae2fee8cdbf31afbb4218de4

SHA512
731ec1e7c00c7ebd72019eb41d5f708afca301302026f628b71f623a5a3fa67e11354b9ebd47a5b938727fe40b0c63bcba563775ce7b2a3be9f2d88be46d92d9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe

Filesize
304KB

MD5
0adeeced78600d6c9e4d3e5eda55d43a

SHA1
d18ffe4902ec97e7e47629a1d63edadddafc254a

SHA256
14821f7a0e8c0d7d87f74326c7b3c2f2ecfb846eae2fee8cdbf31afbb4218de4

SHA512
731ec1e7c00c7ebd72019eb41d5f708afca301302026f628b71f623a5a3fa67e11354b9ebd47a5b938727fe40b0c63bcba563775ce7b2a3be9f2d88be46d92d9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe

Filesize
304KB

MD5
0adeeced78600d6c9e4d3e5eda55d43a

SHA1
d18ffe4902ec97e7e47629a1d63edadddafc254a

SHA256
14821f7a0e8c0d7d87f74326c7b3c2f2ecfb846eae2fee8cdbf31afbb4218de4

SHA512
731ec1e7c00c7ebd72019eb41d5f708afca301302026f628b71f623a5a3fa67e11354b9ebd47a5b938727fe40b0c63bcba563775ce7b2a3be9f2d88be46d92d9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe

Filesize
304KB

MD5
0adeeced78600d6c9e4d3e5eda55d43a

SHA1
d18ffe4902ec97e7e47629a1d63edadddafc254a

SHA256
14821f7a0e8c0d7d87f74326c7b3c2f2ecfb846eae2fee8cdbf31afbb4218de4

SHA512
731ec1e7c00c7ebd72019eb41d5f708afca301302026f628b71f623a5a3fa67e11354b9ebd47a5b938727fe40b0c63bcba563775ce7b2a3be9f2d88be46d92d9

Download Submit
memory/2896-29-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2896-26-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2896-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2896-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2896-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2896-34-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2896-27-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2896-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2896-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2896-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads