5363121da91f4477771e22092f4c29a0470f24a84613223d3c69747d2b8e48a9

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 20:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

x9483249.exe
Size

854KB
MD5

e1ac615b01b648eea9d3b6c5c564d40a
SHA1

5c83cea92706aaf7fb2b9da4f1b210d9444d020a
SHA256

5363121da91f4477771e22092f4c29a0470f24a84613223d3c69747d2b8e48a9
SHA512

fcbd9adc0840c1ff574f5e9401b407510192ef45184ed6131c7089ae963c96bcf48879c88380d9f4b06b22183356945938cec0c1096d50446753f7cc6812e152
SSDEEP

12288:SMryy90rwvnT4eFdtutlnAi+vwMo3m67T7p1zIgaeVopOq3+dvKvgDsTmYxCvYNh:kyySTbjAmoMczz6pBWJDsTmRvY/v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3048	x7496497.exe
2776	x7101542.exe
2824	g6544546.exe

Loads dropped DLL 11 IoCs

pid	Process
2704	x9483249.exe
3048	x7496497.exe
3048	x7496497.exe
2776	x7101542.exe
2776	x7101542.exe
2776	x7101542.exe
2824	g6544546.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x9483249.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7496497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7101542.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2824 set thread context of 3068	2824	g6544546.exe	30

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2880	2824	WerFault.exe	29
2688	3068	WerFault.exe	30

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 3048	2704	x9483249.exe	27
PID 2704 wrote to memory of 3048	2704	x9483249.exe	27
PID 2704 wrote to memory of 3048	2704	x9483249.exe	27
PID 2704 wrote to memory of 3048	2704	x9483249.exe	27
PID 2704 wrote to memory of 3048	2704	x9483249.exe	27
PID 2704 wrote to memory of 3048	2704	x9483249.exe	27
PID 2704 wrote to memory of 3048	2704	x9483249.exe	27
PID 3048 wrote to memory of 2776	3048	x7496497.exe	28
PID 3048 wrote to memory of 2776	3048	x7496497.exe	28
PID 3048 wrote to memory of 2776	3048	x7496497.exe	28
PID 3048 wrote to memory of 2776	3048	x7496497.exe	28
PID 3048 wrote to memory of 2776	3048	x7496497.exe	28
PID 3048 wrote to memory of 2776	3048	x7496497.exe	28
PID 3048 wrote to memory of 2776	3048	x7496497.exe	28
PID 2776 wrote to memory of 2824	2776	x7101542.exe	29
PID 2776 wrote to memory of 2824	2776	x7101542.exe	29
PID 2776 wrote to memory of 2824	2776	x7101542.exe	29
PID 2776 wrote to memory of 2824	2776	x7101542.exe	29
PID 2776 wrote to memory of 2824	2776	x7101542.exe	29
PID 2776 wrote to memory of 2824	2776	x7101542.exe	29
PID 2776 wrote to memory of 2824	2776	x7101542.exe	29
PID 2824 wrote to memory of 3068	2824	g6544546.exe	30
PID 2824 wrote to memory of 3068	2824	g6544546.exe	30
PID 2824 wrote to memory of 3068	2824	g6544546.exe	30
PID 2824 wrote to memory of 3068	2824	g6544546.exe	30
PID 2824 wrote to memory of 3068	2824	g6544546.exe	30
PID 2824 wrote to memory of 3068	2824	g6544546.exe	30
PID 2824 wrote to memory of 3068	2824	g6544546.exe	30
PID 2824 wrote to memory of 3068	2824	g6544546.exe	30
PID 2824 wrote to memory of 3068	2824	g6544546.exe	30
PID 2824 wrote to memory of 3068	2824	g6544546.exe	30
PID 2824 wrote to memory of 3068	2824	g6544546.exe	30
PID 2824 wrote to memory of 3068	2824	g6544546.exe	30
PID 2824 wrote to memory of 3068	2824	g6544546.exe	30
PID 2824 wrote to memory of 3068	2824	g6544546.exe	30
PID 3068 wrote to memory of 2688	3068	AppLaunch.exe	32
PID 3068 wrote to memory of 2688	3068	AppLaunch.exe	32
PID 3068 wrote to memory of 2688	3068	AppLaunch.exe	32
PID 2824 wrote to memory of 2880	2824	g6544546.exe	31
PID 2824 wrote to memory of 2880	2824	g6544546.exe	31
PID 2824 wrote to memory of 2880	2824	g6544546.exe	31
PID 3068 wrote to memory of 2688	3068	AppLaunch.exe	32
PID 3068 wrote to memory of 2688	3068	AppLaunch.exe	32
PID 3068 wrote to memory of 2688	3068	AppLaunch.exe	32
PID 2824 wrote to memory of 2880	2824	g6544546.exe	31
PID 2824 wrote to memory of 2880	2824	g6544546.exe	31
PID 2824 wrote to memory of 2880	2824	g6544546.exe	31
PID 2824 wrote to memory of 2880	2824	g6544546.exe	31
PID 3068 wrote to memory of 2688	3068	AppLaunch.exe	32

C:\Users\Admin\AppData\Local\Temp\x9483249.exe
"C:\Users\Admin\AppData\Local\Temp\x9483249.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7496497.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7496497.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7101542.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7101542.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6544546.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6544546.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 268
        6⤵
        Program crash
        
        PID:2688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 272
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7496497.exe

Filesize
580KB

MD5
4f00ad9becc8066345def9af48e228af

SHA1
989b098aa8bc41312b368646bcaf34b5d8e219cd

SHA256
310b208c0a53a29552ab36f07135ea7fc901e3b8ae093c8cdcbbe3698c9a73ad

SHA512
855915153f9acb1ef45e7f335cc5957c6d68f6d47ab7beda7af08d3a5cd205767689f704742ce7d6997503bf283fba4acbfa943fbff3a6f9a1fb131cec5f503c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7496497.exe

Filesize
580KB

MD5
4f00ad9becc8066345def9af48e228af

SHA1
989b098aa8bc41312b368646bcaf34b5d8e219cd

SHA256
310b208c0a53a29552ab36f07135ea7fc901e3b8ae093c8cdcbbe3698c9a73ad

SHA512
855915153f9acb1ef45e7f335cc5957c6d68f6d47ab7beda7af08d3a5cd205767689f704742ce7d6997503bf283fba4acbfa943fbff3a6f9a1fb131cec5f503c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7101542.exe

Filesize
404KB

MD5
0ba3cbe0d4f9f6170b01bfc9f9570168

SHA1
d6bb8f8ef82ade56a7f499c3b8f8e42db3bccdaa

SHA256
72b5aeca9116a0a189ac18a9f40edd722dacc4d580043e7af3493ef10d4827f0

SHA512
dfc4e51d57499b25f6a327c48bf3d9b1d0d796f904903c4c2d644c2f237a234b5b526ed3a9c8ab0801b465d8fbc64dce506d9a8c613adc41bc95ae292c42f8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7101542.exe

Filesize
404KB

MD5
0ba3cbe0d4f9f6170b01bfc9f9570168

SHA1
d6bb8f8ef82ade56a7f499c3b8f8e42db3bccdaa

SHA256
72b5aeca9116a0a189ac18a9f40edd722dacc4d580043e7af3493ef10d4827f0

SHA512
dfc4e51d57499b25f6a327c48bf3d9b1d0d796f904903c4c2d644c2f237a234b5b526ed3a9c8ab0801b465d8fbc64dce506d9a8c613adc41bc95ae292c42f8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6544546.exe

Filesize
396KB

MD5
bc9d594385ba170a78f2ac71f82737b6

SHA1
090b2ed7f0f72f1f24fe7b02f492150edfea2c6a

SHA256
3482771ad5605e1fd2c30d14b9b33f42eda3e09e139a702506e2f6ee6ff2d5cc

SHA512
19b5cb5ddc27851a139f5e029a0ef9e819e615407dc959c54a08a855fd0847ebb0f234623a2dde0c6b7a3e5898721331d9d92794698354a95b9e426906a26689

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6544546.exe

Filesize
396KB

MD5
bc9d594385ba170a78f2ac71f82737b6

SHA1
090b2ed7f0f72f1f24fe7b02f492150edfea2c6a

SHA256
3482771ad5605e1fd2c30d14b9b33f42eda3e09e139a702506e2f6ee6ff2d5cc

SHA512
19b5cb5ddc27851a139f5e029a0ef9e819e615407dc959c54a08a855fd0847ebb0f234623a2dde0c6b7a3e5898721331d9d92794698354a95b9e426906a26689

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6544546.exe

Filesize
396KB

MD5
bc9d594385ba170a78f2ac71f82737b6

SHA1
090b2ed7f0f72f1f24fe7b02f492150edfea2c6a

SHA256
3482771ad5605e1fd2c30d14b9b33f42eda3e09e139a702506e2f6ee6ff2d5cc

SHA512
19b5cb5ddc27851a139f5e029a0ef9e819e615407dc959c54a08a855fd0847ebb0f234623a2dde0c6b7a3e5898721331d9d92794698354a95b9e426906a26689

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7496497.exe

Filesize
580KB

MD5
4f00ad9becc8066345def9af48e228af

SHA1
989b098aa8bc41312b368646bcaf34b5d8e219cd

SHA256
310b208c0a53a29552ab36f07135ea7fc901e3b8ae093c8cdcbbe3698c9a73ad

SHA512
855915153f9acb1ef45e7f335cc5957c6d68f6d47ab7beda7af08d3a5cd205767689f704742ce7d6997503bf283fba4acbfa943fbff3a6f9a1fb131cec5f503c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7496497.exe

Filesize
580KB

MD5
4f00ad9becc8066345def9af48e228af

SHA1
989b098aa8bc41312b368646bcaf34b5d8e219cd

SHA256
310b208c0a53a29552ab36f07135ea7fc901e3b8ae093c8cdcbbe3698c9a73ad

SHA512
855915153f9acb1ef45e7f335cc5957c6d68f6d47ab7beda7af08d3a5cd205767689f704742ce7d6997503bf283fba4acbfa943fbff3a6f9a1fb131cec5f503c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7101542.exe

Filesize
404KB

MD5
0ba3cbe0d4f9f6170b01bfc9f9570168

SHA1
d6bb8f8ef82ade56a7f499c3b8f8e42db3bccdaa

SHA256
72b5aeca9116a0a189ac18a9f40edd722dacc4d580043e7af3493ef10d4827f0

SHA512
dfc4e51d57499b25f6a327c48bf3d9b1d0d796f904903c4c2d644c2f237a234b5b526ed3a9c8ab0801b465d8fbc64dce506d9a8c613adc41bc95ae292c42f8f1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7101542.exe

Filesize
404KB

MD5
0ba3cbe0d4f9f6170b01bfc9f9570168

SHA1
d6bb8f8ef82ade56a7f499c3b8f8e42db3bccdaa

SHA256
72b5aeca9116a0a189ac18a9f40edd722dacc4d580043e7af3493ef10d4827f0

SHA512
dfc4e51d57499b25f6a327c48bf3d9b1d0d796f904903c4c2d644c2f237a234b5b526ed3a9c8ab0801b465d8fbc64dce506d9a8c613adc41bc95ae292c42f8f1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6544546.exe

Filesize
396KB

MD5
bc9d594385ba170a78f2ac71f82737b6

SHA1
090b2ed7f0f72f1f24fe7b02f492150edfea2c6a

SHA256
3482771ad5605e1fd2c30d14b9b33f42eda3e09e139a702506e2f6ee6ff2d5cc

SHA512
19b5cb5ddc27851a139f5e029a0ef9e819e615407dc959c54a08a855fd0847ebb0f234623a2dde0c6b7a3e5898721331d9d92794698354a95b9e426906a26689

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6544546.exe

Filesize
396KB

MD5
bc9d594385ba170a78f2ac71f82737b6

SHA1
090b2ed7f0f72f1f24fe7b02f492150edfea2c6a

SHA256
3482771ad5605e1fd2c30d14b9b33f42eda3e09e139a702506e2f6ee6ff2d5cc

SHA512
19b5cb5ddc27851a139f5e029a0ef9e819e615407dc959c54a08a855fd0847ebb0f234623a2dde0c6b7a3e5898721331d9d92794698354a95b9e426906a26689

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6544546.exe

Filesize
396KB

MD5
bc9d594385ba170a78f2ac71f82737b6

SHA1
090b2ed7f0f72f1f24fe7b02f492150edfea2c6a

SHA256
3482771ad5605e1fd2c30d14b9b33f42eda3e09e139a702506e2f6ee6ff2d5cc

SHA512
19b5cb5ddc27851a139f5e029a0ef9e819e615407dc959c54a08a855fd0847ebb0f234623a2dde0c6b7a3e5898721331d9d92794698354a95b9e426906a26689

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6544546.exe

Filesize
396KB

MD5
bc9d594385ba170a78f2ac71f82737b6

SHA1
090b2ed7f0f72f1f24fe7b02f492150edfea2c6a

SHA256
3482771ad5605e1fd2c30d14b9b33f42eda3e09e139a702506e2f6ee6ff2d5cc

SHA512
19b5cb5ddc27851a139f5e029a0ef9e819e615407dc959c54a08a855fd0847ebb0f234623a2dde0c6b7a3e5898721331d9d92794698354a95b9e426906a26689

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6544546.exe

Filesize
396KB

MD5
bc9d594385ba170a78f2ac71f82737b6

SHA1
090b2ed7f0f72f1f24fe7b02f492150edfea2c6a

SHA256
3482771ad5605e1fd2c30d14b9b33f42eda3e09e139a702506e2f6ee6ff2d5cc

SHA512
19b5cb5ddc27851a139f5e029a0ef9e819e615407dc959c54a08a855fd0847ebb0f234623a2dde0c6b7a3e5898721331d9d92794698354a95b9e426906a26689

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6544546.exe

Filesize
396KB

MD5
bc9d594385ba170a78f2ac71f82737b6

SHA1
090b2ed7f0f72f1f24fe7b02f492150edfea2c6a

SHA256
3482771ad5605e1fd2c30d14b9b33f42eda3e09e139a702506e2f6ee6ff2d5cc

SHA512
19b5cb5ddc27851a139f5e029a0ef9e819e615407dc959c54a08a855fd0847ebb0f234623a2dde0c6b7a3e5898721331d9d92794698354a95b9e426906a26689

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6544546.exe

Filesize
396KB

MD5
bc9d594385ba170a78f2ac71f82737b6

SHA1
090b2ed7f0f72f1f24fe7b02f492150edfea2c6a

SHA256
3482771ad5605e1fd2c30d14b9b33f42eda3e09e139a702506e2f6ee6ff2d5cc

SHA512
19b5cb5ddc27851a139f5e029a0ef9e819e615407dc959c54a08a855fd0847ebb0f234623a2dde0c6b7a3e5898721331d9d92794698354a95b9e426906a26689

Download Submit
memory/3068-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3068-37-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3068-36-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3068-40-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3068-42-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3068-44-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3068-39-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3068-38-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3068-35-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3068-33-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads