11ead19b2df265c911319b6f1aeeaa702b0fd18a92e7503b561245befb3f82f3

Analysis

max time kernel
112s
max time network
117s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
10/10/2023, 03:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11ead19b2df265c911319b6f1aeeaa702b0fd18a92e7503b561245befb3f82f3.exe
Size

1.2MB
MD5

35e73569962a9ff10ca7fe71c8368d6a
SHA1

13c4fc75529b0f1297379da9d809cab6241194a2
SHA256

11ead19b2df265c911319b6f1aeeaa702b0fd18a92e7503b561245befb3f82f3
SHA512

f4e8b6e29da347b55d6175551ac12b9a7f2862faee6241a3612e1ec37b6dc6777d7f4494f2dff6f6ae80c7676f24950efa0f961be217097e89beb0593f3e003b
SSDEEP

24576:nyjqn2dvZf0V3LYvRGfZShqVHb0iA9jqV39Fwk4jpx:ym2dxKYJGf5VHbrAg

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4192	rb3tm0MI.exe
4056	fW2kY6eG.exe
1272	AN6Ac7ru.exe
3880	Tv8kE8xO.exe
4356	1eW83pj2.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Tv8kE8xO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	11ead19b2df265c911319b6f1aeeaa702b0fd18a92e7503b561245befb3f82f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	rb3tm0MI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fW2kY6eG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	AN6Ac7ru.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4356 set thread context of 2288	4356	1eW83pj2.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
608	4356	WerFault.exe	74
1588	2288	WerFault.exe	75

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 4192	3224	11ead19b2df265c911319b6f1aeeaa702b0fd18a92e7503b561245befb3f82f3.exe	70
PID 3224 wrote to memory of 4192	3224	11ead19b2df265c911319b6f1aeeaa702b0fd18a92e7503b561245befb3f82f3.exe	70
PID 3224 wrote to memory of 4192	3224	11ead19b2df265c911319b6f1aeeaa702b0fd18a92e7503b561245befb3f82f3.exe	70
PID 4192 wrote to memory of 4056	4192	rb3tm0MI.exe	71
PID 4192 wrote to memory of 4056	4192	rb3tm0MI.exe	71
PID 4192 wrote to memory of 4056	4192	rb3tm0MI.exe	71
PID 4056 wrote to memory of 1272	4056	fW2kY6eG.exe	72
PID 4056 wrote to memory of 1272	4056	fW2kY6eG.exe	72
PID 4056 wrote to memory of 1272	4056	fW2kY6eG.exe	72
PID 1272 wrote to memory of 3880	1272	AN6Ac7ru.exe	73
PID 1272 wrote to memory of 3880	1272	AN6Ac7ru.exe	73
PID 1272 wrote to memory of 3880	1272	AN6Ac7ru.exe	73
PID 3880 wrote to memory of 4356	3880	Tv8kE8xO.exe	74
PID 3880 wrote to memory of 4356	3880	Tv8kE8xO.exe	74
PID 3880 wrote to memory of 4356	3880	Tv8kE8xO.exe	74
PID 4356 wrote to memory of 2288	4356	1eW83pj2.exe	75
PID 4356 wrote to memory of 2288	4356	1eW83pj2.exe	75
PID 4356 wrote to memory of 2288	4356	1eW83pj2.exe	75
PID 4356 wrote to memory of 2288	4356	1eW83pj2.exe	75
PID 4356 wrote to memory of 2288	4356	1eW83pj2.exe	75
PID 4356 wrote to memory of 2288	4356	1eW83pj2.exe	75
PID 4356 wrote to memory of 2288	4356	1eW83pj2.exe	75
PID 4356 wrote to memory of 2288	4356	1eW83pj2.exe	75
PID 4356 wrote to memory of 2288	4356	1eW83pj2.exe	75
PID 4356 wrote to memory of 2288	4356	1eW83pj2.exe	75

C:\Users\Admin\AppData\Local\Temp\11ead19b2df265c911319b6f1aeeaa702b0fd18a92e7503b561245befb3f82f3.exe
"C:\Users\Admin\AppData\Local\Temp\11ead19b2df265c911319b6f1aeeaa702b0fd18a92e7503b561245befb3f82f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rb3tm0MI.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rb3tm0MI.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fW2kY6eG.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fW2kY6eG.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AN6Ac7ru.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AN6Ac7ru.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Tv8kE8xO.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Tv8kE8xO.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3880
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eW83pj2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eW83pj2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 568
        8⤵
        Program crash
        
        PID:1588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 564
        7⤵
        Program crash
        
        PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rb3tm0MI.exe

Filesize
1.1MB

MD5
f4d002087a632b3e8ef04d288c8c2f63

SHA1
ac07c44dd7e38838bf4be6b3ca5009bab7fe43d0

SHA256
9e46912ebec3398e63ab9cb897b1a234574d71f5cf5dc6d2fb1b4ffe1f8d1ab2

SHA512
eb51318c1aad04c4bb48044bee21a13f4ca3cb1825ef56e0338142906a8417028f8fbb3ec7c566cfda2d7caf603b19ebbd9ab8c7bb1aecb12d980ebd004d1ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rb3tm0MI.exe

Filesize
1.1MB

MD5
f4d002087a632b3e8ef04d288c8c2f63

SHA1
ac07c44dd7e38838bf4be6b3ca5009bab7fe43d0

SHA256
9e46912ebec3398e63ab9cb897b1a234574d71f5cf5dc6d2fb1b4ffe1f8d1ab2

SHA512
eb51318c1aad04c4bb48044bee21a13f4ca3cb1825ef56e0338142906a8417028f8fbb3ec7c566cfda2d7caf603b19ebbd9ab8c7bb1aecb12d980ebd004d1ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fW2kY6eG.exe

Filesize
935KB

MD5
a84a35f833e403c2c419d3812ce3b874

SHA1
cda1a3e1355b67ddf14e75ea2eb1d351db8a93d8

SHA256
37466dd8c50cd0383767bd10adac1090f7b7205a36e66e625c6c5efbbb70ded7

SHA512
332bbbc9db3c0e86246a2fbde4cf8ce9b469baee2096b7402ca46848a00a51ae9c390d198b4f805c5db51819c3380faa0bed7ceff3c03019948d879ca7f407bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fW2kY6eG.exe

Filesize
935KB

MD5
a84a35f833e403c2c419d3812ce3b874

SHA1
cda1a3e1355b67ddf14e75ea2eb1d351db8a93d8

SHA256
37466dd8c50cd0383767bd10adac1090f7b7205a36e66e625c6c5efbbb70ded7

SHA512
332bbbc9db3c0e86246a2fbde4cf8ce9b469baee2096b7402ca46848a00a51ae9c390d198b4f805c5db51819c3380faa0bed7ceff3c03019948d879ca7f407bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AN6Ac7ru.exe

Filesize
639KB

MD5
66dc69da2347af9c3317672b8407816f

SHA1
bf4650b9f6eba7478d76289271343a4213311973

SHA256
396a168d53747feef82f66f011b3d2907bece154daf4ad5bef77f75d8a929a8c

SHA512
2097901101bce955ff894022eb67ecddf2b7485228658e22f313fa0845541f40166a09b452a38df5aca9d154da9ba11f0c2cc70f156214072121135fb7eaf860

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AN6Ac7ru.exe

Filesize
639KB

MD5
66dc69da2347af9c3317672b8407816f

SHA1
bf4650b9f6eba7478d76289271343a4213311973

SHA256
396a168d53747feef82f66f011b3d2907bece154daf4ad5bef77f75d8a929a8c

SHA512
2097901101bce955ff894022eb67ecddf2b7485228658e22f313fa0845541f40166a09b452a38df5aca9d154da9ba11f0c2cc70f156214072121135fb7eaf860

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Tv8kE8xO.exe

Filesize
443KB

MD5
e0fc5ee2e065ee3213e266927860b2af

SHA1
22b570ac1b4e6352a252319b9af553937c75beee

SHA256
2fb3bda2f3a532467482dd15505abdb4b8820c3685320b8db5fb85ceaeaa7f92

SHA512
83e550d606b7712095ca63e5384eaacb39123dc92f9d73b0c40063383bf23916fb6b22e6f7db3aca941f4ce3246c7ba71eba900ef09d256c4454827149d45819

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Tv8kE8xO.exe

Filesize
443KB

MD5
e0fc5ee2e065ee3213e266927860b2af

SHA1
22b570ac1b4e6352a252319b9af553937c75beee

SHA256
2fb3bda2f3a532467482dd15505abdb4b8820c3685320b8db5fb85ceaeaa7f92

SHA512
83e550d606b7712095ca63e5384eaacb39123dc92f9d73b0c40063383bf23916fb6b22e6f7db3aca941f4ce3246c7ba71eba900ef09d256c4454827149d45819

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eW83pj2.exe

Filesize
422KB

MD5
07e4db35e34f1426fe650e29784dc60b

SHA1
4485f63a7adae41d19b9cf904ad205f241a1ef14

SHA256
17be7ff0fb742ad35279680dc2400a1c37310ccb8166c4fae196022535345017

SHA512
67a8e86316a933ea1fcbf1493451c0d8d17c0b0de20b853e3d19bd147d011633f5e42b6a4b5234b2b98caf5939e5c5809e0f432f57eb66cc6e1c3b866b92848d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eW83pj2.exe

Filesize
422KB

MD5
07e4db35e34f1426fe650e29784dc60b

SHA1
4485f63a7adae41d19b9cf904ad205f241a1ef14

SHA256
17be7ff0fb742ad35279680dc2400a1c37310ccb8166c4fae196022535345017

SHA512
67a8e86316a933ea1fcbf1493451c0d8d17c0b0de20b853e3d19bd147d011633f5e42b6a4b5234b2b98caf5939e5c5809e0f432f57eb66cc6e1c3b866b92848d

Download Submit
memory/2288-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads