389fd737992e5c0f7c955e3804a1fb286d3f4926692abcca29d482ce54ce4d99

Analysis

max time kernel
72s
max time network
80s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
08/10/2023, 10:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

389fd737992e5c0f7c955e3804a1fb286d3f4926692abcca29d482ce54ce4d99.exe
Size

1.2MB
MD5

b7e8739078edddd432830d0c2b0021aa
SHA1

53c84ceb4a644fb84fe9dcfd936a95ef1c965062
SHA256

389fd737992e5c0f7c955e3804a1fb286d3f4926692abcca29d482ce54ce4d99
SHA512

61b678206197574b5ac142fcbfafc47b154aa5ed3508528bf2b9e71d41d28d9fbb0af2a46667f4c98a8271a2849e30b22f05a99a97bd8f0cc703c98f0ced3284
SSDEEP

24576:AybQmGfPfhOxi6SmP5jNOH6/HyZH3KQEYmwl8d7GyyT5j4JPcu3ZcyfQL4Gg9k:HbQbhOQ8wXoQEela7yT54bZDfQ0G

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1272	nE0xF1CC.exe
4456	AZ7Ep9Ff.exe
204	uI2tk3cX.exe
5104	pk3gg2Tj.exe
3260	1oS26iR1.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	uI2tk3cX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	pk3gg2Tj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	389fd737992e5c0f7c955e3804a1fb286d3f4926692abcca29d482ce54ce4d99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nE0xF1CC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	AZ7Ep9Ff.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3260 set thread context of 3816	3260	1oS26iR1.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3720	3260	WerFault.exe	74
2572	3816	WerFault.exe	77

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1272	1812	389fd737992e5c0f7c955e3804a1fb286d3f4926692abcca29d482ce54ce4d99.exe	70
PID 1812 wrote to memory of 1272	1812	389fd737992e5c0f7c955e3804a1fb286d3f4926692abcca29d482ce54ce4d99.exe	70
PID 1812 wrote to memory of 1272	1812	389fd737992e5c0f7c955e3804a1fb286d3f4926692abcca29d482ce54ce4d99.exe	70
PID 1272 wrote to memory of 4456	1272	nE0xF1CC.exe	71
PID 1272 wrote to memory of 4456	1272	nE0xF1CC.exe	71
PID 1272 wrote to memory of 4456	1272	nE0xF1CC.exe	71
PID 4456 wrote to memory of 204	4456	AZ7Ep9Ff.exe	72
PID 4456 wrote to memory of 204	4456	AZ7Ep9Ff.exe	72
PID 4456 wrote to memory of 204	4456	AZ7Ep9Ff.exe	72
PID 204 wrote to memory of 5104	204	uI2tk3cX.exe	73
PID 204 wrote to memory of 5104	204	uI2tk3cX.exe	73
PID 204 wrote to memory of 5104	204	uI2tk3cX.exe	73
PID 5104 wrote to memory of 3260	5104	pk3gg2Tj.exe	74
PID 5104 wrote to memory of 3260	5104	pk3gg2Tj.exe	74
PID 5104 wrote to memory of 3260	5104	pk3gg2Tj.exe	74
PID 3260 wrote to memory of 3004	3260	1oS26iR1.exe	75
PID 3260 wrote to memory of 3004	3260	1oS26iR1.exe	75
PID 3260 wrote to memory of 3004	3260	1oS26iR1.exe	75
PID 3260 wrote to memory of 520	3260	1oS26iR1.exe	76
PID 3260 wrote to memory of 520	3260	1oS26iR1.exe	76
PID 3260 wrote to memory of 520	3260	1oS26iR1.exe	76
PID 3260 wrote to memory of 3816	3260	1oS26iR1.exe	77
PID 3260 wrote to memory of 3816	3260	1oS26iR1.exe	77
PID 3260 wrote to memory of 3816	3260	1oS26iR1.exe	77
PID 3260 wrote to memory of 3816	3260	1oS26iR1.exe	77
PID 3260 wrote to memory of 3816	3260	1oS26iR1.exe	77
PID 3260 wrote to memory of 3816	3260	1oS26iR1.exe	77
PID 3260 wrote to memory of 3816	3260	1oS26iR1.exe	77
PID 3260 wrote to memory of 3816	3260	1oS26iR1.exe	77
PID 3260 wrote to memory of 3816	3260	1oS26iR1.exe	77
PID 3260 wrote to memory of 3816	3260	1oS26iR1.exe	77

C:\Users\Admin\AppData\Local\Temp\389fd737992e5c0f7c955e3804a1fb286d3f4926692abcca29d482ce54ce4d99.exe
"C:\Users\Admin\AppData\Local\Temp\389fd737992e5c0f7c955e3804a1fb286d3f4926692abcca29d482ce54ce4d99.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nE0xF1CC.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nE0xF1CC.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AZ7Ep9Ff.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AZ7Ep9Ff.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uI2tk3cX.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uI2tk3cX.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:204
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pk3gg2Tj.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pk3gg2Tj.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5104
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS26iR1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS26iR1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 568
        8⤵
        Program crash
        
        PID:2572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 604
        7⤵
        Program crash
        
        PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nE0xF1CC.exe

Filesize
1.1MB

MD5
3d56e974516b560a338542a3705848cf

SHA1
c654cbcc21cc012db563ceb3c1113ec1d2462255

SHA256
31cf2a14660ffe8ce4cdb29dc96f4bd7ee56df201ec6fec3b51b2ccf64716c6b

SHA512
7427c1cc0ee9e183be60f6e24fbec03ead01627f91b00052d5d816478dc569507e16da7c0f20964d2ec22e43d025dc3dee70858cf92478f0e136af2dfac905f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nE0xF1CC.exe

Filesize
1.1MB

MD5
3d56e974516b560a338542a3705848cf

SHA1
c654cbcc21cc012db563ceb3c1113ec1d2462255

SHA256
31cf2a14660ffe8ce4cdb29dc96f4bd7ee56df201ec6fec3b51b2ccf64716c6b

SHA512
7427c1cc0ee9e183be60f6e24fbec03ead01627f91b00052d5d816478dc569507e16da7c0f20964d2ec22e43d025dc3dee70858cf92478f0e136af2dfac905f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AZ7Ep9Ff.exe

Filesize
922KB

MD5
87fff911ad03d663e00f8716fb72f058

SHA1
0c6411cc5d9004aaa675aa312eadf4a14387fb3f

SHA256
317944fdde7567bba108f1f2d7d95d11a2718d4536f41e7fa3a838ebb775e2ab

SHA512
ce76ed21e3ed02f58fb1aeef54e0960f77977d9d57d6aaedfb98cbae2c27ab52c0c6754c29c605c617d698c69b813763b35aa0aa7c4a0e642b1a9f390da4d61c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AZ7Ep9Ff.exe

Filesize
922KB

MD5
87fff911ad03d663e00f8716fb72f058

SHA1
0c6411cc5d9004aaa675aa312eadf4a14387fb3f

SHA256
317944fdde7567bba108f1f2d7d95d11a2718d4536f41e7fa3a838ebb775e2ab

SHA512
ce76ed21e3ed02f58fb1aeef54e0960f77977d9d57d6aaedfb98cbae2c27ab52c0c6754c29c605c617d698c69b813763b35aa0aa7c4a0e642b1a9f390da4d61c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uI2tk3cX.exe

Filesize
639KB

MD5
d7853a961704fa69894811f5cf7a0868

SHA1
f1ec7c47bcca87f4c396febc27dc4a9a9bc7da0d

SHA256
f8cb440cb70c0658660b7a945f705978b10cc455bd5423d19d8cd4169b6eab5f

SHA512
f5288e8e2ca21b555cadb79463645a29c463861042f4e4602bd2cf0fe09d1333bdb2160e123c7c4f3d814398b9625c216bb95829383edce7a29f5e7de75a5554

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uI2tk3cX.exe

Filesize
639KB

MD5
d7853a961704fa69894811f5cf7a0868

SHA1
f1ec7c47bcca87f4c396febc27dc4a9a9bc7da0d

SHA256
f8cb440cb70c0658660b7a945f705978b10cc455bd5423d19d8cd4169b6eab5f

SHA512
f5288e8e2ca21b555cadb79463645a29c463861042f4e4602bd2cf0fe09d1333bdb2160e123c7c4f3d814398b9625c216bb95829383edce7a29f5e7de75a5554

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pk3gg2Tj.exe

Filesize
443KB

MD5
36e33a341e4ac6dfdd2b5ae30811ea73

SHA1
a1398045f4fe4520962afc214b662cecd2e33c70

SHA256
72854b1f6c70ffa8b0e36280d482497fa8d5b272e1247bad7e501fffd64965d7

SHA512
97c2e5c22e4a9f1ee60140aa9b853c6e068c704517461e14666303e003709f90a9fa460c5f510c87b52f1e4fa9958b80d9ddc2ee89a10193b649548a5fd66c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pk3gg2Tj.exe

Filesize
443KB

MD5
36e33a341e4ac6dfdd2b5ae30811ea73

SHA1
a1398045f4fe4520962afc214b662cecd2e33c70

SHA256
72854b1f6c70ffa8b0e36280d482497fa8d5b272e1247bad7e501fffd64965d7

SHA512
97c2e5c22e4a9f1ee60140aa9b853c6e068c704517461e14666303e003709f90a9fa460c5f510c87b52f1e4fa9958b80d9ddc2ee89a10193b649548a5fd66c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS26iR1.exe

Filesize
423KB

MD5
41cfadeb8e589a6308f37d6dee356df5

SHA1
a9b4a52545d575745809ecb7be9cac642b7b3845

SHA256
243c87e71c68011e9ace05159823be9956e9e6f9a5a3fab0fd2ea447585d6bd3

SHA512
09a171d03425c4f7d17f374fc216af32a6a860167f9abd462b68cda97498cc904d3a6b741a4d1651e6a08f57e18d8af2308458e69c01cb6ebc7d2667102568dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS26iR1.exe

Filesize
423KB

MD5
41cfadeb8e589a6308f37d6dee356df5

SHA1
a9b4a52545d575745809ecb7be9cac642b7b3845

SHA256
243c87e71c68011e9ace05159823be9956e9e6f9a5a3fab0fd2ea447585d6bd3

SHA512
09a171d03425c4f7d17f374fc216af32a6a860167f9abd462b68cda97498cc904d3a6b741a4d1651e6a08f57e18d8af2308458e69c01cb6ebc7d2667102568dd

Download Submit
memory/3816-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads