9b4464d36d22d19f5e9ebf50426223c3e1e47766e2663fcbb471133c33485125

Analysis

max time kernel
186s
max time network
297s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
10/10/2023, 01:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

xT2yh0mH.exe
Size

443KB
MD5

e3517d21633d24bfa177ad9b3d0114f4
SHA1

512d050a3609c9544da5f9a9732b173058b85b15
SHA256

9b4464d36d22d19f5e9ebf50426223c3e1e47766e2663fcbb471133c33485125
SHA512

b9dce90c64fcb8140540bc4a19ec6e1eac34581d84217e77d919d329f726e8ff3e678851bac89c577d36aa863177b08ec65340c9ad90de7739c6f3caed0aa2fe
SSDEEP

6144:KMy+bnr+3p0yN90QE0BtMBxrRQzqk0Mlh6LUJvIQ4vtNgZw0nW/Tgr1sbfazYYD3:AMrHy90WsqzqkdeSov3gZw0nwT+N+BI

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5024	1wV96HE1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	xT2yh0mH.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5024 set thread context of 2156	5024	1wV96HE1.exe	71

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1308	5024	WerFault.exe	70
1880	2156	WerFault.exe	71

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 5024	348	xT2yh0mH.exe	70
PID 348 wrote to memory of 5024	348	xT2yh0mH.exe	70
PID 348 wrote to memory of 5024	348	xT2yh0mH.exe	70
PID 5024 wrote to memory of 2156	5024	1wV96HE1.exe	71
PID 5024 wrote to memory of 2156	5024	1wV96HE1.exe	71
PID 5024 wrote to memory of 2156	5024	1wV96HE1.exe	71
PID 5024 wrote to memory of 2156	5024	1wV96HE1.exe	71
PID 5024 wrote to memory of 2156	5024	1wV96HE1.exe	71
PID 5024 wrote to memory of 2156	5024	1wV96HE1.exe	71
PID 5024 wrote to memory of 2156	5024	1wV96HE1.exe	71
PID 5024 wrote to memory of 2156	5024	1wV96HE1.exe	71
PID 5024 wrote to memory of 2156	5024	1wV96HE1.exe	71
PID 5024 wrote to memory of 2156	5024	1wV96HE1.exe	71

C:\Users\Admin\AppData\Local\Temp\xT2yh0mH.exe
"C:\Users\Admin\AppData\Local\Temp\xT2yh0mH.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:348
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1wV96HE1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1wV96HE1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 568
      4⤵
      Program crash
      PID:1880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 568
    3⤵
    - Program crash
    PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1wV96HE1.exe

Filesize
422KB

MD5
9505b83a5c9e06196afeb83b993fe0cf

SHA1
c080ad4c37bca1f2a486513ce087d02dc6447a82

SHA256
80e287cf522ca5f1f913ec20c18e948dcdbfb30955d6c62049a433c264ecb0da

SHA512
11ced1cfa195cf4c284ebd2343f012182683e12fa17758b64a75fa88dbcac59a70f997336ae19f2e386bbf1136a71adb58b39cb8eedcafd3ccb0a9f400540ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1wV96HE1.exe

Filesize
422KB

MD5
9505b83a5c9e06196afeb83b993fe0cf

SHA1
c080ad4c37bca1f2a486513ce087d02dc6447a82

SHA256
80e287cf522ca5f1f913ec20c18e948dcdbfb30955d6c62049a433c264ecb0da

SHA512
11ced1cfa195cf4c284ebd2343f012182683e12fa17758b64a75fa88dbcac59a70f997336ae19f2e386bbf1136a71adb58b39cb8eedcafd3ccb0a9f400540ee1

Download Submit
memory/2156-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-10-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads