8ca3b29730686ea1d77500a473bbaaa14e7d8c12bdef10beae7a57de9cd18a54

General

Target

x9228246.exe
Size

548KB
MD5

7839fedb6f3f1c825ec1555c77be70e7
SHA1

f0a0be570508ff708b8d7eaec08ae2b9d2926b7d
SHA256

8ca3b29730686ea1d77500a473bbaaa14e7d8c12bdef10beae7a57de9cd18a54
SHA512

a7e44339079576ad803a950ee5b0c9f18ab517284a8c3cd5985b32cc254c2cb7a5393cd3597362ff78396876c59a9f4cbb067358bbf17d319cde3a7076e2cee4
SSDEEP

12288:DMrXy90D7O0pmLwPPFDU2V4Y04yttO7NKsa:UyUjpmEFDUhY04yqNKsa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1836	x5534117.exe
1800	g3154158.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x9228246.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5534117.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 4740	1800	g3154158.exe	74

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4848	1800	WerFault.exe	71
4120	4740	WerFault.exe	74

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 1836	2544	x9228246.exe	70
PID 2544 wrote to memory of 1836	2544	x9228246.exe	70
PID 2544 wrote to memory of 1836	2544	x9228246.exe	70
PID 1836 wrote to memory of 1800	1836	x5534117.exe	71
PID 1836 wrote to memory of 1800	1836	x5534117.exe	71
PID 1836 wrote to memory of 1800	1836	x5534117.exe	71
PID 1800 wrote to memory of 712	1800	g3154158.exe	73
PID 1800 wrote to memory of 712	1800	g3154158.exe	73
PID 1800 wrote to memory of 712	1800	g3154158.exe	73
PID 1800 wrote to memory of 4740	1800	g3154158.exe	74
PID 1800 wrote to memory of 4740	1800	g3154158.exe	74
PID 1800 wrote to memory of 4740	1800	g3154158.exe	74
PID 1800 wrote to memory of 4740	1800	g3154158.exe	74
PID 1800 wrote to memory of 4740	1800	g3154158.exe	74
PID 1800 wrote to memory of 4740	1800	g3154158.exe	74
PID 1800 wrote to memory of 4740	1800	g3154158.exe	74
PID 1800 wrote to memory of 4740	1800	g3154158.exe	74
PID 1800 wrote to memory of 4740	1800	g3154158.exe	74
PID 1800 wrote to memory of 4740	1800	g3154158.exe	74

C:\Users\Admin\AppData\Local\Temp\x9228246.exe
"C:\Users\Admin\AppData\Local\Temp\x9228246.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5534117.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5534117.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:712
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4740
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 568
        5⤵
        Program crash
        
        PID:4120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 596
      4⤵
      Program crash
      PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5534117.exe

Filesize
382KB

MD5
6ea3e070fb25f1f1eca50e6450003790

SHA1
3b4f8efc69da535abb35053d1423178fec8c6898

SHA256
7fb3f391db5ed03e48c9dcf73ade77b54526f3dfac791540727397e37bcaa0d5

SHA512
25c9785620f4fd4aba95c3783f541e6b6146397a8471671c1c82ce9ba804a64e918d4d5021126f50c44bbd02e499986b150993110b72c82a207bbe6b5fa55395

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5534117.exe

Filesize
382KB

MD5
6ea3e070fb25f1f1eca50e6450003790

SHA1
3b4f8efc69da535abb35053d1423178fec8c6898

SHA256
7fb3f391db5ed03e48c9dcf73ade77b54526f3dfac791540727397e37bcaa0d5

SHA512
25c9785620f4fd4aba95c3783f541e6b6146397a8471671c1c82ce9ba804a64e918d4d5021126f50c44bbd02e499986b150993110b72c82a207bbe6b5fa55395

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe

Filesize
304KB

MD5
0adeeced78600d6c9e4d3e5eda55d43a

SHA1
d18ffe4902ec97e7e47629a1d63edadddafc254a

SHA256
14821f7a0e8c0d7d87f74326c7b3c2f2ecfb846eae2fee8cdbf31afbb4218de4

SHA512
731ec1e7c00c7ebd72019eb41d5f708afca301302026f628b71f623a5a3fa67e11354b9ebd47a5b938727fe40b0c63bcba563775ce7b2a3be9f2d88be46d92d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3154158.exe

Filesize
304KB

MD5
0adeeced78600d6c9e4d3e5eda55d43a

SHA1
d18ffe4902ec97e7e47629a1d63edadddafc254a

SHA256
14821f7a0e8c0d7d87f74326c7b3c2f2ecfb846eae2fee8cdbf31afbb4218de4

SHA512
731ec1e7c00c7ebd72019eb41d5f708afca301302026f628b71f623a5a3fa67e11354b9ebd47a5b938727fe40b0c63bcba563775ce7b2a3be9f2d88be46d92d9

Download Submit
memory/4740-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4740-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4740-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4740-20-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads