cdb1909331362e9a770cc0df22fe368f94cc055a2b3a39e1378104a788191d1b

Analysis

max time kernel
127s
max time network
135s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
09/10/2023, 02:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cdb1909331362e9a770cc0df22fe368f94cc055a2b3a39e1378104a788191d1b.exe
Size

1.2MB
MD5

a29544666db4fadc9b9bb4b5c6132f15
SHA1

c5c0969558fac152f05ff219eb6b9b19db75687a
SHA256

cdb1909331362e9a770cc0df22fe368f94cc055a2b3a39e1378104a788191d1b
SHA512

97abbb934df4a02a873c7ee2e0f6e0d840fd352d37d306fb5ed5a3ac91e79daa9becbba0c4a7434e15ba137bb39a70039863ebeae50e643019ddc5f6c941f345
SSDEEP

24576:Fyxqa/SyolpiTLO/OIYNTUzXGiWP8ujlq+b4EFa192EpZ3E7W/:gxF6JlpiTa/taTUXPidFQ2SE

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1948	Hp2AN7AI.exe
5080	Bf6cI5VX.exe
4500	KW5OI6cQ.exe
712	Ng5VZ2va.exe
2968	1VJ79qf5.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cdb1909331362e9a770cc0df22fe368f94cc055a2b3a39e1378104a788191d1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Hp2AN7AI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Bf6cI5VX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	KW5OI6cQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ng5VZ2va.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2968 set thread context of 3324	2968	1VJ79qf5.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
916	2968	WerFault.exe	74
2920	3324	WerFault.exe	75

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 1948	4108	cdb1909331362e9a770cc0df22fe368f94cc055a2b3a39e1378104a788191d1b.exe	70
PID 4108 wrote to memory of 1948	4108	cdb1909331362e9a770cc0df22fe368f94cc055a2b3a39e1378104a788191d1b.exe	70
PID 4108 wrote to memory of 1948	4108	cdb1909331362e9a770cc0df22fe368f94cc055a2b3a39e1378104a788191d1b.exe	70
PID 1948 wrote to memory of 5080	1948	Hp2AN7AI.exe	71
PID 1948 wrote to memory of 5080	1948	Hp2AN7AI.exe	71
PID 1948 wrote to memory of 5080	1948	Hp2AN7AI.exe	71
PID 5080 wrote to memory of 4500	5080	Bf6cI5VX.exe	72
PID 5080 wrote to memory of 4500	5080	Bf6cI5VX.exe	72
PID 5080 wrote to memory of 4500	5080	Bf6cI5VX.exe	72
PID 4500 wrote to memory of 712	4500	KW5OI6cQ.exe	73
PID 4500 wrote to memory of 712	4500	KW5OI6cQ.exe	73
PID 4500 wrote to memory of 712	4500	KW5OI6cQ.exe	73
PID 712 wrote to memory of 2968	712	Ng5VZ2va.exe	74
PID 712 wrote to memory of 2968	712	Ng5VZ2va.exe	74
PID 712 wrote to memory of 2968	712	Ng5VZ2va.exe	74
PID 2968 wrote to memory of 3324	2968	1VJ79qf5.exe	75
PID 2968 wrote to memory of 3324	2968	1VJ79qf5.exe	75
PID 2968 wrote to memory of 3324	2968	1VJ79qf5.exe	75
PID 2968 wrote to memory of 3324	2968	1VJ79qf5.exe	75
PID 2968 wrote to memory of 3324	2968	1VJ79qf5.exe	75
PID 2968 wrote to memory of 3324	2968	1VJ79qf5.exe	75
PID 2968 wrote to memory of 3324	2968	1VJ79qf5.exe	75
PID 2968 wrote to memory of 3324	2968	1VJ79qf5.exe	75
PID 2968 wrote to memory of 3324	2968	1VJ79qf5.exe	75
PID 2968 wrote to memory of 3324	2968	1VJ79qf5.exe	75

C:\Users\Admin\AppData\Local\Temp\cdb1909331362e9a770cc0df22fe368f94cc055a2b3a39e1378104a788191d1b.exe
"C:\Users\Admin\AppData\Local\Temp\cdb1909331362e9a770cc0df22fe368f94cc055a2b3a39e1378104a788191d1b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hp2AN7AI.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hp2AN7AI.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bf6cI5VX.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bf6cI5VX.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KW5OI6cQ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KW5OI6cQ.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ng5VZ2va.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ng5VZ2va.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:712
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VJ79qf5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VJ79qf5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 580
        8⤵
        Program crash
        
        PID:2920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 580
        7⤵
        Program crash
        
        PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hp2AN7AI.exe

Filesize
1.1MB

MD5
cec9c2b8d332397c6e246beda047f0cf

SHA1
c36af850af3ef99c24caaefc8745ce76c62fb0f5

SHA256
6f600863b4816a178a5f5de12fc1e06f4cc08705302de7b2636987a97bec65ea

SHA512
018e0f9bf9895101d685abc9d7a69f435b6b8efad3d3f45eda781dfd8f3b73df5c4517ca385d709d61b057be3fc86ae24234771b213dc7c7774acb05d7b362d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hp2AN7AI.exe

Filesize
1.1MB

MD5
cec9c2b8d332397c6e246beda047f0cf

SHA1
c36af850af3ef99c24caaefc8745ce76c62fb0f5

SHA256
6f600863b4816a178a5f5de12fc1e06f4cc08705302de7b2636987a97bec65ea

SHA512
018e0f9bf9895101d685abc9d7a69f435b6b8efad3d3f45eda781dfd8f3b73df5c4517ca385d709d61b057be3fc86ae24234771b213dc7c7774acb05d7b362d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bf6cI5VX.exe

Filesize
936KB

MD5
c75e4530bd875a06cf0b46a3e11743df

SHA1
df2210bf9350d5b3e4d50f8ac7ddd06689702f73

SHA256
d64444ebb55070828b4a9bd4f6d56da941669f2109e2907982a7b3ba64971729

SHA512
fa05efe0ae1e0c5e222ba6b80af282bff7c6f82ad28d574cd89ab69df30c99f931c0253553d6633b8166ef4c627825dff52bd9345f4fbd2e2d02e4bf0e541cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bf6cI5VX.exe

Filesize
936KB

MD5
c75e4530bd875a06cf0b46a3e11743df

SHA1
df2210bf9350d5b3e4d50f8ac7ddd06689702f73

SHA256
d64444ebb55070828b4a9bd4f6d56da941669f2109e2907982a7b3ba64971729

SHA512
fa05efe0ae1e0c5e222ba6b80af282bff7c6f82ad28d574cd89ab69df30c99f931c0253553d6633b8166ef4c627825dff52bd9345f4fbd2e2d02e4bf0e541cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KW5OI6cQ.exe

Filesize
640KB

MD5
9a441e86c60b2f827b24e53b98aa2889

SHA1
c8ea551e7ebdc39399db6b8687e474a353baaa52

SHA256
9b9470b26a7b2d6ce706908998b19a2c78a903989eff8d348a349cdbddc7fd67

SHA512
5650154374b2e0a19986e9725ec4fee42dd3805b1660e905610564f6a67b5bbf3b2f0dfbdd960afb29e6a21ea920bd9dc7dcb60873820299e4686f66d7f9307a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KW5OI6cQ.exe

Filesize
640KB

MD5
9a441e86c60b2f827b24e53b98aa2889

SHA1
c8ea551e7ebdc39399db6b8687e474a353baaa52

SHA256
9b9470b26a7b2d6ce706908998b19a2c78a903989eff8d348a349cdbddc7fd67

SHA512
5650154374b2e0a19986e9725ec4fee42dd3805b1660e905610564f6a67b5bbf3b2f0dfbdd960afb29e6a21ea920bd9dc7dcb60873820299e4686f66d7f9307a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ng5VZ2va.exe

Filesize
444KB

MD5
bf5756270326439575f770a4c797f368

SHA1
df7c659c3b691a58a6fa40e2261018cf74e35ba2

SHA256
18ca6784d17f87f5980782e6a07f6908396d02e3f41223b319378912633a2763

SHA512
acb55af237491a728880fd7243cdbc45f05ba10a99654455471de75c090e63cb55c010d69d1a171c0f25c52c95519d0815a55397b2c35014103d6854b7275e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ng5VZ2va.exe

Filesize
444KB

MD5
bf5756270326439575f770a4c797f368

SHA1
df7c659c3b691a58a6fa40e2261018cf74e35ba2

SHA256
18ca6784d17f87f5980782e6a07f6908396d02e3f41223b319378912633a2763

SHA512
acb55af237491a728880fd7243cdbc45f05ba10a99654455471de75c090e63cb55c010d69d1a171c0f25c52c95519d0815a55397b2c35014103d6854b7275e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VJ79qf5.exe

Filesize
423KB

MD5
fe5c130caf410a6b5284d82b47b5349a

SHA1
2853578f984be07c95c7f2d123137bec26a62f8e

SHA256
5727d2f49ef7efcd56e68cb42bd281af64d2e19f06a5b538fc6591116cd7c9b9

SHA512
4bbf71ea2d8753129c009b9c2bd2eaa8bbde07a5fb01be99eefcfa2b5d4c16a8f061eb4fe8537f0f12ca4025475acdb4c1645b473b58ea1a80cb8970462a5ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1VJ79qf5.exe

Filesize
423KB

MD5
fe5c130caf410a6b5284d82b47b5349a

SHA1
2853578f984be07c95c7f2d123137bec26a62f8e

SHA256
5727d2f49ef7efcd56e68cb42bd281af64d2e19f06a5b538fc6591116cd7c9b9

SHA512
4bbf71ea2d8753129c009b9c2bd2eaa8bbde07a5fb01be99eefcfa2b5d4c16a8f061eb4fe8537f0f12ca4025475acdb4c1645b473b58ea1a80cb8970462a5ffb

Download Submit
memory/3324-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads