fec46ed603f2bcca18ba46485cb2a5d5175a0e7a69f217bf0549062fa05c1bbf

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04/10/2023, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x4014442.exe
Size

556KB
MD5

ee2d5ab0c8e4cb51075308649b521df7
SHA1

5720be513f8b944464c80a8486abd6a0971b8fe1
SHA256

fec46ed603f2bcca18ba46485cb2a5d5175a0e7a69f217bf0549062fa05c1bbf
SHA512

486e20f37b0237428b5d25c82c2075a48c51d7be34b78641a71cb0b5728e792b50d478cb23dba34d5c88e7b05697c344fa2cf1e1a7095f01d9bb14f2c066b0c6
SSDEEP

12288:MMr4y908GWVyz7KH/UsQzdU3kSP8SErqI9Uue7PoEf2:MyVGcUsQzdU3kkErqI9ze7Re

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2732	x8240295.exe
3044	g0338489.exe

Loads dropped DLL 9 IoCs

pid	Process
2080	x4014442.exe
2732	x8240295.exe
2732	x8240295.exe
2732	x8240295.exe
3044	g0338489.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x4014442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8240295.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2788	3044	g0338489.exe	31

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2672	3044	WerFault.exe	29
2288	2788	WerFault.exe	31

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2732	2080	x4014442.exe	28
PID 2080 wrote to memory of 2732	2080	x4014442.exe	28
PID 2080 wrote to memory of 2732	2080	x4014442.exe	28
PID 2080 wrote to memory of 2732	2080	x4014442.exe	28
PID 2080 wrote to memory of 2732	2080	x4014442.exe	28
PID 2080 wrote to memory of 2732	2080	x4014442.exe	28
PID 2080 wrote to memory of 2732	2080	x4014442.exe	28
PID 2732 wrote to memory of 3044	2732	x8240295.exe	29
PID 2732 wrote to memory of 3044	2732	x8240295.exe	29
PID 2732 wrote to memory of 3044	2732	x8240295.exe	29
PID 2732 wrote to memory of 3044	2732	x8240295.exe	29
PID 2732 wrote to memory of 3044	2732	x8240295.exe	29
PID 2732 wrote to memory of 3044	2732	x8240295.exe	29
PID 2732 wrote to memory of 3044	2732	x8240295.exe	29
PID 3044 wrote to memory of 2788	3044	g0338489.exe	31
PID 3044 wrote to memory of 2788	3044	g0338489.exe	31
PID 3044 wrote to memory of 2788	3044	g0338489.exe	31
PID 3044 wrote to memory of 2788	3044	g0338489.exe	31
PID 3044 wrote to memory of 2788	3044	g0338489.exe	31
PID 3044 wrote to memory of 2788	3044	g0338489.exe	31
PID 3044 wrote to memory of 2788	3044	g0338489.exe	31
PID 3044 wrote to memory of 2788	3044	g0338489.exe	31
PID 3044 wrote to memory of 2788	3044	g0338489.exe	31
PID 3044 wrote to memory of 2788	3044	g0338489.exe	31
PID 3044 wrote to memory of 2788	3044	g0338489.exe	31
PID 3044 wrote to memory of 2788	3044	g0338489.exe	31
PID 3044 wrote to memory of 2788	3044	g0338489.exe	31
PID 3044 wrote to memory of 2788	3044	g0338489.exe	31
PID 3044 wrote to memory of 2672	3044	g0338489.exe	32
PID 3044 wrote to memory of 2672	3044	g0338489.exe	32
PID 3044 wrote to memory of 2672	3044	g0338489.exe	32
PID 3044 wrote to memory of 2672	3044	g0338489.exe	32
PID 3044 wrote to memory of 2672	3044	g0338489.exe	32
PID 3044 wrote to memory of 2672	3044	g0338489.exe	32
PID 2788 wrote to memory of 2288	2788	AppLaunch.exe	33
PID 2788 wrote to memory of 2288	2788	AppLaunch.exe	33
PID 2788 wrote to memory of 2288	2788	AppLaunch.exe	33
PID 3044 wrote to memory of 2672	3044	g0338489.exe	32
PID 2788 wrote to memory of 2288	2788	AppLaunch.exe	33
PID 2788 wrote to memory of 2288	2788	AppLaunch.exe	33
PID 2788 wrote to memory of 2288	2788	AppLaunch.exe	33
PID 2788 wrote to memory of 2288	2788	AppLaunch.exe	33

C:\Users\Admin\AppData\Local\Temp\x4014442.exe
"C:\Users\Admin\AppData\Local\Temp\x4014442.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8240295.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8240295.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0338489.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0338489.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 268
        5⤵
        Program crash
        
        PID:2288
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 276
      4⤵
      Loads dropped DLL
      Program crash
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8240295.exe

Filesize
390KB

MD5
2edfec9b922c03e66dc843caf2fa2bfa

SHA1
c64d441e7514024e3b78c7811f4807dc3ee1ef2a

SHA256
8784cc7467954f84aefde0b4fdae2235dd6d5ce255a9a355dcaeb25abf80ff07

SHA512
68ccd2d852b18e61c353c7bd974dfbea4c56143fa1c044b291c718b5886e4b67270514f77e0c06ae78e7101f377828a256f42cee92506b126568deb083610cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8240295.exe

Filesize
390KB

MD5
2edfec9b922c03e66dc843caf2fa2bfa

SHA1
c64d441e7514024e3b78c7811f4807dc3ee1ef2a

SHA256
8784cc7467954f84aefde0b4fdae2235dd6d5ce255a9a355dcaeb25abf80ff07

SHA512
68ccd2d852b18e61c353c7bd974dfbea4c56143fa1c044b291c718b5886e4b67270514f77e0c06ae78e7101f377828a256f42cee92506b126568deb083610cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0338489.exe

Filesize
356KB

MD5
f706f76ef00ab183d88d4a073037c016

SHA1
acb5f024d70cc21913b34f7634c70fd6c19b584c

SHA256
06b54283cd5e893b5a80456aecd9e084a6e71b40e2fef93a3c100d72caa20461

SHA512
bade164fb84ddafa5415e78c3cd213e25989c01a337e05c9c0acd1c0a61761f9cb38d6844fd8a5b65d8416f9cc76f9824a67aba47048cabf3e3da90a1de02c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0338489.exe

Filesize
356KB

MD5
f706f76ef00ab183d88d4a073037c016

SHA1
acb5f024d70cc21913b34f7634c70fd6c19b584c

SHA256
06b54283cd5e893b5a80456aecd9e084a6e71b40e2fef93a3c100d72caa20461

SHA512
bade164fb84ddafa5415e78c3cd213e25989c01a337e05c9c0acd1c0a61761f9cb38d6844fd8a5b65d8416f9cc76f9824a67aba47048cabf3e3da90a1de02c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0338489.exe

Filesize
356KB

MD5
f706f76ef00ab183d88d4a073037c016

SHA1
acb5f024d70cc21913b34f7634c70fd6c19b584c

SHA256
06b54283cd5e893b5a80456aecd9e084a6e71b40e2fef93a3c100d72caa20461

SHA512
bade164fb84ddafa5415e78c3cd213e25989c01a337e05c9c0acd1c0a61761f9cb38d6844fd8a5b65d8416f9cc76f9824a67aba47048cabf3e3da90a1de02c16

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8240295.exe

Filesize
390KB

MD5
2edfec9b922c03e66dc843caf2fa2bfa

SHA1
c64d441e7514024e3b78c7811f4807dc3ee1ef2a

SHA256
8784cc7467954f84aefde0b4fdae2235dd6d5ce255a9a355dcaeb25abf80ff07

SHA512
68ccd2d852b18e61c353c7bd974dfbea4c56143fa1c044b291c718b5886e4b67270514f77e0c06ae78e7101f377828a256f42cee92506b126568deb083610cea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8240295.exe

Filesize
390KB

MD5
2edfec9b922c03e66dc843caf2fa2bfa

SHA1
c64d441e7514024e3b78c7811f4807dc3ee1ef2a

SHA256
8784cc7467954f84aefde0b4fdae2235dd6d5ce255a9a355dcaeb25abf80ff07

SHA512
68ccd2d852b18e61c353c7bd974dfbea4c56143fa1c044b291c718b5886e4b67270514f77e0c06ae78e7101f377828a256f42cee92506b126568deb083610cea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0338489.exe

Filesize
356KB

MD5
f706f76ef00ab183d88d4a073037c016

SHA1
acb5f024d70cc21913b34f7634c70fd6c19b584c

SHA256
06b54283cd5e893b5a80456aecd9e084a6e71b40e2fef93a3c100d72caa20461

SHA512
bade164fb84ddafa5415e78c3cd213e25989c01a337e05c9c0acd1c0a61761f9cb38d6844fd8a5b65d8416f9cc76f9824a67aba47048cabf3e3da90a1de02c16

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0338489.exe

Filesize
356KB

MD5
f706f76ef00ab183d88d4a073037c016

SHA1
acb5f024d70cc21913b34f7634c70fd6c19b584c

SHA256
06b54283cd5e893b5a80456aecd9e084a6e71b40e2fef93a3c100d72caa20461

SHA512
bade164fb84ddafa5415e78c3cd213e25989c01a337e05c9c0acd1c0a61761f9cb38d6844fd8a5b65d8416f9cc76f9824a67aba47048cabf3e3da90a1de02c16

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0338489.exe

Filesize
356KB

MD5
f706f76ef00ab183d88d4a073037c016

SHA1
acb5f024d70cc21913b34f7634c70fd6c19b584c

SHA256
06b54283cd5e893b5a80456aecd9e084a6e71b40e2fef93a3c100d72caa20461

SHA512
bade164fb84ddafa5415e78c3cd213e25989c01a337e05c9c0acd1c0a61761f9cb38d6844fd8a5b65d8416f9cc76f9824a67aba47048cabf3e3da90a1de02c16

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0338489.exe

Filesize
356KB

MD5
f706f76ef00ab183d88d4a073037c016

SHA1
acb5f024d70cc21913b34f7634c70fd6c19b584c

SHA256
06b54283cd5e893b5a80456aecd9e084a6e71b40e2fef93a3c100d72caa20461

SHA512
bade164fb84ddafa5415e78c3cd213e25989c01a337e05c9c0acd1c0a61761f9cb38d6844fd8a5b65d8416f9cc76f9824a67aba47048cabf3e3da90a1de02c16

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0338489.exe

Filesize
356KB

MD5
f706f76ef00ab183d88d4a073037c016

SHA1
acb5f024d70cc21913b34f7634c70fd6c19b584c

SHA256
06b54283cd5e893b5a80456aecd9e084a6e71b40e2fef93a3c100d72caa20461

SHA512
bade164fb84ddafa5415e78c3cd213e25989c01a337e05c9c0acd1c0a61761f9cb38d6844fd8a5b65d8416f9cc76f9824a67aba47048cabf3e3da90a1de02c16

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0338489.exe

Filesize
356KB

MD5
f706f76ef00ab183d88d4a073037c016

SHA1
acb5f024d70cc21913b34f7634c70fd6c19b584c

SHA256
06b54283cd5e893b5a80456aecd9e084a6e71b40e2fef93a3c100d72caa20461

SHA512
bade164fb84ddafa5415e78c3cd213e25989c01a337e05c9c0acd1c0a61761f9cb38d6844fd8a5b65d8416f9cc76f9824a67aba47048cabf3e3da90a1de02c16

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0338489.exe

Filesize
356KB

MD5
f706f76ef00ab183d88d4a073037c016

SHA1
acb5f024d70cc21913b34f7634c70fd6c19b584c

SHA256
06b54283cd5e893b5a80456aecd9e084a6e71b40e2fef93a3c100d72caa20461

SHA512
bade164fb84ddafa5415e78c3cd213e25989c01a337e05c9c0acd1c0a61761f9cb38d6844fd8a5b65d8416f9cc76f9824a67aba47048cabf3e3da90a1de02c16

Download Submit
memory/2788-29-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2788-27-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2788-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2788-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2788-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2788-34-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2788-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2788-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2788-26-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2788-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads