8a6712606c31aa2d536286cf3ef923c1a4eaf8b36df669fa6a5ec5be0b502e5b

General

Target

gt1tO1kU.exe
Size

735KB
MD5

513bdeef34cbcdd2a2dffca2613004e3
SHA1

9243b1bbccf4e007017372dd229352859586fa25
SHA256

8a6712606c31aa2d536286cf3ef923c1a4eaf8b36df669fa6a5ec5be0b502e5b
SHA512

8a5f77891d723b6b63ecb9aafcb85a8e9a6589eefe29a5bef95ab7ffc48620ffdebd01bea6695458d1b5ba66a5395151cc7582dd6cb8c4babb36d1ec10826d68
SSDEEP

12288:CMray908K+mrdUiMudnCD+82poWFHbnZueBSBf9tnD0lhiBesoyt2I5c2FnYjRT:cy7MrdUi5YEnJgv9wSToyt922FYVT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2808	oW1Si6gJ.exe
4884	1up86ta9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	gt1tO1kU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	oW1Si6gJ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4884 set thread context of 956	4884	1up86ta9.exe	73

Program crash 2 IoCs

pid	pid_target	Process	procid_target
208	4884	WerFault.exe	70
4940	956	WerFault.exe	73

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 2808	4136	gt1tO1kU.exe	69
PID 4136 wrote to memory of 2808	4136	gt1tO1kU.exe	69
PID 4136 wrote to memory of 2808	4136	gt1tO1kU.exe	69
PID 2808 wrote to memory of 4884	2808	oW1Si6gJ.exe	70
PID 2808 wrote to memory of 4884	2808	oW1Si6gJ.exe	70
PID 2808 wrote to memory of 4884	2808	oW1Si6gJ.exe	70
PID 4884 wrote to memory of 4240	4884	1up86ta9.exe	72
PID 4884 wrote to memory of 4240	4884	1up86ta9.exe	72
PID 4884 wrote to memory of 4240	4884	1up86ta9.exe	72
PID 4884 wrote to memory of 956	4884	1up86ta9.exe	73
PID 4884 wrote to memory of 956	4884	1up86ta9.exe	73
PID 4884 wrote to memory of 956	4884	1up86ta9.exe	73
PID 4884 wrote to memory of 956	4884	1up86ta9.exe	73
PID 4884 wrote to memory of 956	4884	1up86ta9.exe	73
PID 4884 wrote to memory of 956	4884	1up86ta9.exe	73
PID 4884 wrote to memory of 956	4884	1up86ta9.exe	73
PID 4884 wrote to memory of 956	4884	1up86ta9.exe	73
PID 4884 wrote to memory of 956	4884	1up86ta9.exe	73
PID 4884 wrote to memory of 956	4884	1up86ta9.exe	73

C:\Users\Admin\AppData\Local\Temp\gt1tO1kU.exe
"C:\Users\Admin\AppData\Local\Temp\gt1tO1kU.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW1Si6gJ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW1Si6gJ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1up86ta9.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1up86ta9.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4240
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 568
        5⤵
        Program crash
        
        PID:4940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 596
      4⤵
      Program crash
      PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW1Si6gJ.exe

Filesize
562KB

MD5
9d85aef4e8e537d704685861d77632c5

SHA1
12dff3811d1c391126f9d4264d8a50c57aecc8b2

SHA256
e57dd1874fee3f21d203d85d5049c631e86aa5b96e795f4124b1f77d3c024284

SHA512
5465a52c53d038a15d4c968ed614316fb908fbfc6b8134e664bcacf172022b7e4a7343f8e1a9f0e1936df9a5ae29c6b34b943edea77b863bc6fcd83408a83e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oW1Si6gJ.exe

Filesize
562KB

MD5
9d85aef4e8e537d704685861d77632c5

SHA1
12dff3811d1c391126f9d4264d8a50c57aecc8b2

SHA256
e57dd1874fee3f21d203d85d5049c631e86aa5b96e795f4124b1f77d3c024284

SHA512
5465a52c53d038a15d4c968ed614316fb908fbfc6b8134e664bcacf172022b7e4a7343f8e1a9f0e1936df9a5ae29c6b34b943edea77b863bc6fcd83408a83e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1up86ta9.exe

Filesize
1.4MB

MD5
9b45c734f07328a3ac53e6551a95e81f

SHA1
6b29d75bd0fadc0f66ac5d67226eb9c5c1b231b0

SHA256
3ef336a57f333d3a60a1b61a44fb13d82a0f71705190f703836a9ce243c3eeeb

SHA512
817fe5e892875129897779586293c71ac01b74682458daa76b9db701b91b1a5db6b04bb79a7ca26c216c5042a17e4e6c582d5a26cdab0eb37e200b791e7574b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1up86ta9.exe

Filesize
1.4MB

MD5
9b45c734f07328a3ac53e6551a95e81f

SHA1
6b29d75bd0fadc0f66ac5d67226eb9c5c1b231b0

SHA256
3ef336a57f333d3a60a1b61a44fb13d82a0f71705190f703836a9ce243c3eeeb

SHA512
817fe5e892875129897779586293c71ac01b74682458daa76b9db701b91b1a5db6b04bb79a7ca26c216c5042a17e4e6c582d5a26cdab0eb37e200b791e7574b6

Download Submit
memory/956-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/956-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/956-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/956-20-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads