edb18b895a86d590563e4ddd40ae6e0024c2bf15f4f3715e6f5af1b2af9447ce

Analysis

max time kernel
113s
max time network
117s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
09/10/2023, 13:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

edb18b895a86d590563e4ddd40ae6e0024c2bf15f4f3715e6f5af1b2af9447ce.exe
Size

1.2MB
MD5

8e39c2c1ccfaef165eaaf7e52662a4a9
SHA1

53514ae5ae9b89068d8eb8e9c6aa0f2ee2625f60
SHA256

edb18b895a86d590563e4ddd40ae6e0024c2bf15f4f3715e6f5af1b2af9447ce
SHA512

3a555c0d94038695b3a1630506217fe9f277e874926f33d4788b395e8aa713059f0b610b154414efb22b146f2d7c1679b15114da82e22d0952c16683257e4a8e
SSDEEP

24576:YyMUEhSDFosx16D+UFQQ8gqVN4UxXNNi6JmF2R4kbRkonJ6DU0C:fMUEIDFhL6D+8MgajU6JmahKdU0

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3852	Uy1xL3jw.exe
2248	Ns5qw4wV.exe
3880	UE1ji5Et.exe
4616	MH9MA6Nt.exe
2540	1LU29jL8.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	edb18b895a86d590563e4ddd40ae6e0024c2bf15f4f3715e6f5af1b2af9447ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Uy1xL3jw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ns5qw4wV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	UE1ji5Et.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	MH9MA6Nt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 848	2540	1LU29jL8.exe	74

Program crash 2 IoCs

pid	pid_target	Process	procid_target
844	2540	WerFault.exe	73
1152	848	WerFault.exe	74

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 3852	5016	edb18b895a86d590563e4ddd40ae6e0024c2bf15f4f3715e6f5af1b2af9447ce.exe	69
PID 5016 wrote to memory of 3852	5016	edb18b895a86d590563e4ddd40ae6e0024c2bf15f4f3715e6f5af1b2af9447ce.exe	69
PID 5016 wrote to memory of 3852	5016	edb18b895a86d590563e4ddd40ae6e0024c2bf15f4f3715e6f5af1b2af9447ce.exe	69
PID 3852 wrote to memory of 2248	3852	Uy1xL3jw.exe	70
PID 3852 wrote to memory of 2248	3852	Uy1xL3jw.exe	70
PID 3852 wrote to memory of 2248	3852	Uy1xL3jw.exe	70
PID 2248 wrote to memory of 3880	2248	Ns5qw4wV.exe	71
PID 2248 wrote to memory of 3880	2248	Ns5qw4wV.exe	71
PID 2248 wrote to memory of 3880	2248	Ns5qw4wV.exe	71
PID 3880 wrote to memory of 4616	3880	UE1ji5Et.exe	72
PID 3880 wrote to memory of 4616	3880	UE1ji5Et.exe	72
PID 3880 wrote to memory of 4616	3880	UE1ji5Et.exe	72
PID 4616 wrote to memory of 2540	4616	MH9MA6Nt.exe	73
PID 4616 wrote to memory of 2540	4616	MH9MA6Nt.exe	73
PID 4616 wrote to memory of 2540	4616	MH9MA6Nt.exe	73
PID 2540 wrote to memory of 848	2540	1LU29jL8.exe	74
PID 2540 wrote to memory of 848	2540	1LU29jL8.exe	74
PID 2540 wrote to memory of 848	2540	1LU29jL8.exe	74
PID 2540 wrote to memory of 848	2540	1LU29jL8.exe	74
PID 2540 wrote to memory of 848	2540	1LU29jL8.exe	74
PID 2540 wrote to memory of 848	2540	1LU29jL8.exe	74
PID 2540 wrote to memory of 848	2540	1LU29jL8.exe	74
PID 2540 wrote to memory of 848	2540	1LU29jL8.exe	74
PID 2540 wrote to memory of 848	2540	1LU29jL8.exe	74
PID 2540 wrote to memory of 848	2540	1LU29jL8.exe	74

C:\Users\Admin\AppData\Local\Temp\edb18b895a86d590563e4ddd40ae6e0024c2bf15f4f3715e6f5af1b2af9447ce.exe
"C:\Users\Admin\AppData\Local\Temp\edb18b895a86d590563e4ddd40ae6e0024c2bf15f4f3715e6f5af1b2af9447ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uy1xL3jw.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uy1xL3jw.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ns5qw4wV.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ns5qw4wV.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UE1ji5Et.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UE1ji5Et.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3880
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\MH9MA6Nt.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\MH9MA6Nt.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4616
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LU29jL8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LU29jL8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 568
        8⤵
        Program crash
        
        PID:1152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 212
        7⤵
        Program crash
        
        PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uy1xL3jw.exe

Filesize
1.1MB

MD5
76bd54d0edc7e2cb751b568197f77fee

SHA1
82128463abd1aa093f2092fe2b21b61dd80c22da

SHA256
5b71583bd57123dcab5ae81d49f59dfa318a9b85ce2a7f2039c3e9e84403a2b7

SHA512
5c82d2811d9c8024ec24d05e916ea70f22fba95c4f341d7574ad63ae8dfc6d2f8e22989e486a8268415390f74edb3f3cbda26f650868ed941a955b7da384ef4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uy1xL3jw.exe

Filesize
1.1MB

MD5
76bd54d0edc7e2cb751b568197f77fee

SHA1
82128463abd1aa093f2092fe2b21b61dd80c22da

SHA256
5b71583bd57123dcab5ae81d49f59dfa318a9b85ce2a7f2039c3e9e84403a2b7

SHA512
5c82d2811d9c8024ec24d05e916ea70f22fba95c4f341d7574ad63ae8dfc6d2f8e22989e486a8268415390f74edb3f3cbda26f650868ed941a955b7da384ef4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ns5qw4wV.exe

Filesize
935KB

MD5
3da874bfc10eb85997589cd61da20278

SHA1
218d44de6340f19fb7f7f558cb39101a4a0907e8

SHA256
14e22462ce7fbdc47a943ff13248e3fd53354bd66308c2d46c2f5890c55e21b2

SHA512
cadd96525e4f7b5bd00508fd562eca474aaf98f1296f3f294aa6f8eea07457f66fd3dd298062e2e08671edf1d65580a2287343bc39c307725a36d6223d0e7a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ns5qw4wV.exe

Filesize
935KB

MD5
3da874bfc10eb85997589cd61da20278

SHA1
218d44de6340f19fb7f7f558cb39101a4a0907e8

SHA256
14e22462ce7fbdc47a943ff13248e3fd53354bd66308c2d46c2f5890c55e21b2

SHA512
cadd96525e4f7b5bd00508fd562eca474aaf98f1296f3f294aa6f8eea07457f66fd3dd298062e2e08671edf1d65580a2287343bc39c307725a36d6223d0e7a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UE1ji5Et.exe

Filesize
640KB

MD5
75cb6a0bad8e8524235cf142256e84c1

SHA1
b09208d8def00317c8d2f41bb52ce82de9bf7b74

SHA256
c2ebe9b0016ccd853a9e3bfbb3a57db163aa4748a5f66a0c3df3e9da16b6e89d

SHA512
4b7338b156b477808e60beca9da4536e25fa05759535958e648cb77af7f0989f84ce77c6a1df7b706d9775a97a63e83bab8b2a6a45108dfd77a1326cb268f354

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UE1ji5Et.exe

Filesize
640KB

MD5
75cb6a0bad8e8524235cf142256e84c1

SHA1
b09208d8def00317c8d2f41bb52ce82de9bf7b74

SHA256
c2ebe9b0016ccd853a9e3bfbb3a57db163aa4748a5f66a0c3df3e9da16b6e89d

SHA512
4b7338b156b477808e60beca9da4536e25fa05759535958e648cb77af7f0989f84ce77c6a1df7b706d9775a97a63e83bab8b2a6a45108dfd77a1326cb268f354

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\MH9MA6Nt.exe

Filesize
443KB

MD5
ea08f11ddfb027f7166ffc4170fec5f0

SHA1
ff6f6971dc702135427e4954b3a3d41682fd48b5

SHA256
30b54084c70610d8c61cfa73012e9614ebae52bf87981570ae0137b900d40eda

SHA512
c9fbd196c14993859a67259343ddd749a430449e6af902de8c0b85247862d2e889770b17222f5ec622b8df4e1e57620862593c42abbfc9a8c8e0fe3501b3682c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\MH9MA6Nt.exe

Filesize
443KB

MD5
ea08f11ddfb027f7166ffc4170fec5f0

SHA1
ff6f6971dc702135427e4954b3a3d41682fd48b5

SHA256
30b54084c70610d8c61cfa73012e9614ebae52bf87981570ae0137b900d40eda

SHA512
c9fbd196c14993859a67259343ddd749a430449e6af902de8c0b85247862d2e889770b17222f5ec622b8df4e1e57620862593c42abbfc9a8c8e0fe3501b3682c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LU29jL8.exe

Filesize
422KB

MD5
833605d8a7c267432ab3f6303cb13de2

SHA1
f8823e2d8598e9455e5144d2a81fe3563d6862e8

SHA256
13de5b56f474e3efbc616e2f6fbfe924c5452fc28d8290471b2023bde71d521d

SHA512
fc09382b898761599894398d39febb05acfe4a4193c092715a70591a49a0b649067989a202a2141cff22f222e07532e7e46aa8bbf85f58232f259e79bff9d4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LU29jL8.exe

Filesize
422KB

MD5
833605d8a7c267432ab3f6303cb13de2

SHA1
f8823e2d8598e9455e5144d2a81fe3563d6862e8

SHA256
13de5b56f474e3efbc616e2f6fbfe924c5452fc28d8290471b2023bde71d521d

SHA512
fc09382b898761599894398d39febb05acfe4a4193c092715a70591a49a0b649067989a202a2141cff22f222e07532e7e46aa8bbf85f58232f259e79bff9d4cc

Download Submit
memory/848-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads