d806c43d9be2b97131caf737620bef0526025986e912254307e6e29e90083b39

Analysis

max time kernel
127s
max time network
139s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
08-10-2023 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d806c43d9be2b97131caf737620bef0526025986e912254307e6e29e90083b39.exe
Size

1.2MB
MD5

c7d9456fe34d62b842da93878d9940b6
SHA1

8543049474bc15ed211d4266c0b2bb43a03e9280
SHA256

d806c43d9be2b97131caf737620bef0526025986e912254307e6e29e90083b39
SHA512

44ffe5a88439c19522fe208b7d402f187e61375ec5dd65cb4bf88686f9583179b4573e8b81527a00b94eedbe064ebd8c144f8c121a6e49bb0db7435127636703
SSDEEP

24576:NyDpbFmjcDnXCu+P/tSxxQWGP5sApLw0/ePDbo/rT4l2HBs/BRNPp6ln:oNEjMvw0x/9ApTG/o/rw2HivZp

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4604	MX3zZ9Ei.exe
4836	bD6sJ1QQ.exe
4904	sn2dk6MS.exe
2632	xW5Hk1Sp.exe
2572	1js90XY7.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d806c43d9be2b97131caf737620bef0526025986e912254307e6e29e90083b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	MX3zZ9Ei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	bD6sJ1QQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	sn2dk6MS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	xW5Hk1Sp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 1492	2572	1js90XY7.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2200	2572	WerFault.exe	75
2996	1492	WerFault.exe	76

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 4604	2204	d806c43d9be2b97131caf737620bef0526025986e912254307e6e29e90083b39.exe	71
PID 2204 wrote to memory of 4604	2204	d806c43d9be2b97131caf737620bef0526025986e912254307e6e29e90083b39.exe	71
PID 2204 wrote to memory of 4604	2204	d806c43d9be2b97131caf737620bef0526025986e912254307e6e29e90083b39.exe	71
PID 4604 wrote to memory of 4836	4604	MX3zZ9Ei.exe	72
PID 4604 wrote to memory of 4836	4604	MX3zZ9Ei.exe	72
PID 4604 wrote to memory of 4836	4604	MX3zZ9Ei.exe	72
PID 4836 wrote to memory of 4904	4836	bD6sJ1QQ.exe	73
PID 4836 wrote to memory of 4904	4836	bD6sJ1QQ.exe	73
PID 4836 wrote to memory of 4904	4836	bD6sJ1QQ.exe	73
PID 4904 wrote to memory of 2632	4904	sn2dk6MS.exe	74
PID 4904 wrote to memory of 2632	4904	sn2dk6MS.exe	74
PID 4904 wrote to memory of 2632	4904	sn2dk6MS.exe	74
PID 2632 wrote to memory of 2572	2632	xW5Hk1Sp.exe	75
PID 2632 wrote to memory of 2572	2632	xW5Hk1Sp.exe	75
PID 2632 wrote to memory of 2572	2632	xW5Hk1Sp.exe	75
PID 2572 wrote to memory of 1492	2572	1js90XY7.exe	76
PID 2572 wrote to memory of 1492	2572	1js90XY7.exe	76
PID 2572 wrote to memory of 1492	2572	1js90XY7.exe	76
PID 2572 wrote to memory of 1492	2572	1js90XY7.exe	76
PID 2572 wrote to memory of 1492	2572	1js90XY7.exe	76
PID 2572 wrote to memory of 1492	2572	1js90XY7.exe	76
PID 2572 wrote to memory of 1492	2572	1js90XY7.exe	76
PID 2572 wrote to memory of 1492	2572	1js90XY7.exe	76
PID 2572 wrote to memory of 1492	2572	1js90XY7.exe	76
PID 2572 wrote to memory of 1492	2572	1js90XY7.exe	76

C:\Users\Admin\AppData\Local\Temp\d806c43d9be2b97131caf737620bef0526025986e912254307e6e29e90083b39.exe
"C:\Users\Admin\AppData\Local\Temp\d806c43d9be2b97131caf737620bef0526025986e912254307e6e29e90083b39.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MX3zZ9Ei.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MX3zZ9Ei.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bD6sJ1QQ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bD6sJ1QQ.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sn2dk6MS.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sn2dk6MS.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xW5Hk1Sp.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xW5Hk1Sp.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1js90XY7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1js90XY7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 568
        8⤵
        Program crash
        
        PID:2996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 588
        7⤵
        Program crash
        
        PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MX3zZ9Ei.exe

Filesize
1.1MB

MD5
3be9b9003a2d43f1f2f85871f8d98eee

SHA1
d24e4279320a9416a745364e1ba91361f1f64d40

SHA256
eabfcbd56985d3fce05b797414d3c822b8256129cffaddeeaf2322b319a9b540

SHA512
ea836323889f5872e33a55882624c0bba884e14a3668f9dca024ad38d181c1df3139bff1795c599fbee916010c39d117dbc5069680d79c9d6bd7afef8dfecb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MX3zZ9Ei.exe

Filesize
1.1MB

MD5
3be9b9003a2d43f1f2f85871f8d98eee

SHA1
d24e4279320a9416a745364e1ba91361f1f64d40

SHA256
eabfcbd56985d3fce05b797414d3c822b8256129cffaddeeaf2322b319a9b540

SHA512
ea836323889f5872e33a55882624c0bba884e14a3668f9dca024ad38d181c1df3139bff1795c599fbee916010c39d117dbc5069680d79c9d6bd7afef8dfecb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bD6sJ1QQ.exe

Filesize
937KB

MD5
7be0235bb587cd60065869b6bada1577

SHA1
84758ffd53fbc20709e242e8181b36a4aa9267b1

SHA256
372d73ae12579dc7c9ab2de3dbb18aab929ddf06b67a861f325796f151cb6fd3

SHA512
e2c3892ffc365f563c616b4998ff8c4bfa6fbd136b7a0fe50fb4aae4149bf56705951f2b2697a941f7f2b13999de7150fcab35b28541e91e2a83ef7ed6143083

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bD6sJ1QQ.exe

Filesize
937KB

MD5
7be0235bb587cd60065869b6bada1577

SHA1
84758ffd53fbc20709e242e8181b36a4aa9267b1

SHA256
372d73ae12579dc7c9ab2de3dbb18aab929ddf06b67a861f325796f151cb6fd3

SHA512
e2c3892ffc365f563c616b4998ff8c4bfa6fbd136b7a0fe50fb4aae4149bf56705951f2b2697a941f7f2b13999de7150fcab35b28541e91e2a83ef7ed6143083

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sn2dk6MS.exe

Filesize
640KB

MD5
dd02af100bdda8ad3e101c89f9f8bd33

SHA1
9f8fa9980f7d9fc9445e79bdb60e62c3590b26f6

SHA256
156b77a93ee1a194a969aa9877283c465dfeb1c6295c03556b98195f03937fb0

SHA512
adab7ddb33afd84496cc29c8c47019e9d82bbd5538981913d7970055a0ebbb63a6d31978baaea4574082b8bb1c58e3d56d367a0eb8aeb7ca9729d475bc468347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sn2dk6MS.exe

Filesize
640KB

MD5
dd02af100bdda8ad3e101c89f9f8bd33

SHA1
9f8fa9980f7d9fc9445e79bdb60e62c3590b26f6

SHA256
156b77a93ee1a194a969aa9877283c465dfeb1c6295c03556b98195f03937fb0

SHA512
adab7ddb33afd84496cc29c8c47019e9d82bbd5538981913d7970055a0ebbb63a6d31978baaea4574082b8bb1c58e3d56d367a0eb8aeb7ca9729d475bc468347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xW5Hk1Sp.exe

Filesize
444KB

MD5
9f76d90bee5cd5a394a6bc8f2b7ee224

SHA1
aa715a0b13b161b00835a28d3a451ea9aea04db1

SHA256
88b9683766ee4f2ede70dcf3906ebf0a273ce65019b43a510974f7714ebc7a34

SHA512
db795a439e0b67765d152ca255d6932ff761e978ee66ddbe72d1fe7b46b365b7d3c5365597de344ddbb68c3cbf78b01ebf64e12fa367bd941a43fb2d40e68358

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xW5Hk1Sp.exe

Filesize
444KB

MD5
9f76d90bee5cd5a394a6bc8f2b7ee224

SHA1
aa715a0b13b161b00835a28d3a451ea9aea04db1

SHA256
88b9683766ee4f2ede70dcf3906ebf0a273ce65019b43a510974f7714ebc7a34

SHA512
db795a439e0b67765d152ca255d6932ff761e978ee66ddbe72d1fe7b46b365b7d3c5365597de344ddbb68c3cbf78b01ebf64e12fa367bd941a43fb2d40e68358

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1js90XY7.exe

Filesize
423KB

MD5
fa5ae6de8280367b74f7f4e900dcdf4e

SHA1
ad583d671498de784257b777b454512583cef7fd

SHA256
e9b99af82cdee367119d867ae88c222e4789f5537342645586582e53e996783c

SHA512
c70b0c131f4484d6a0ea7e45a6b5871fdbf9d391b5b816804d7cc1639a9b54c5342cf1c00e814cf3388bce3c96d26c532118f9b10c5a1754e4fe5ca383ad2d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1js90XY7.exe

Filesize
423KB

MD5
fa5ae6de8280367b74f7f4e900dcdf4e

SHA1
ad583d671498de784257b777b454512583cef7fd

SHA256
e9b99af82cdee367119d867ae88c222e4789f5537342645586582e53e996783c

SHA512
c70b0c131f4484d6a0ea7e45a6b5871fdbf9d391b5b816804d7cc1639a9b54c5342cf1c00e814cf3388bce3c96d26c532118f9b10c5a1754e4fe5ca383ad2d76

Download Submit
memory/1492-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads