214bf81662defaad32e8eb09de0922221f985b7d1633c35c373c62c58b4c9106

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

214bf81662defaad32e8eb09de0922221f985b7d1633c35c373c62c58b4c9106.exe
Size

505KB
MD5

de34baf3d86666daa4c01950d5275661
SHA1

31221a20c80fa67a6eafa49d0fed56d292d1e463
SHA256

214bf81662defaad32e8eb09de0922221f985b7d1633c35c373c62c58b4c9106
SHA512

17c93ab88424f58819eb97e6c82d6a8b3c59ebc8259e5d3ffe729b924eab74bd97bd5498f47948b875c923fb96817014812b2e6828251eccf1d2c6244b6e8bd3
SSDEEP

6144:Kqy+bnr+Cp0yN90QEY/0dkWujZN0KyJqrDbwNNDO//R0X745DLjxyPyLk3TFdiNB:yMrWy90SyJQbsRAR0Xynxy3dwcM

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2052	v8032040.exe
2712	b9063393.exe

Loads dropped DLL 8 IoCs

pid	Process
3048	214bf81662defaad32e8eb09de0922221f985b7d1633c35c373c62c58b4c9106.exe
2052	v8032040.exe
2052	v8032040.exe
2712	b9063393.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	214bf81662defaad32e8eb09de0922221f985b7d1633c35c373c62c58b4c9106.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8032040.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 2960	2712	b9063393.exe	30

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1860	2712	WerFault.exe	29
2648	2960	WerFault.exe	30

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2052	3048	214bf81662defaad32e8eb09de0922221f985b7d1633c35c373c62c58b4c9106.exe	28
PID 3048 wrote to memory of 2052	3048	214bf81662defaad32e8eb09de0922221f985b7d1633c35c373c62c58b4c9106.exe	28
PID 3048 wrote to memory of 2052	3048	214bf81662defaad32e8eb09de0922221f985b7d1633c35c373c62c58b4c9106.exe	28
PID 3048 wrote to memory of 2052	3048	214bf81662defaad32e8eb09de0922221f985b7d1633c35c373c62c58b4c9106.exe	28
PID 3048 wrote to memory of 2052	3048	214bf81662defaad32e8eb09de0922221f985b7d1633c35c373c62c58b4c9106.exe	28
PID 3048 wrote to memory of 2052	3048	214bf81662defaad32e8eb09de0922221f985b7d1633c35c373c62c58b4c9106.exe	28
PID 3048 wrote to memory of 2052	3048	214bf81662defaad32e8eb09de0922221f985b7d1633c35c373c62c58b4c9106.exe	28
PID 2052 wrote to memory of 2712	2052	v8032040.exe	29
PID 2052 wrote to memory of 2712	2052	v8032040.exe	29
PID 2052 wrote to memory of 2712	2052	v8032040.exe	29
PID 2052 wrote to memory of 2712	2052	v8032040.exe	29
PID 2052 wrote to memory of 2712	2052	v8032040.exe	29
PID 2052 wrote to memory of 2712	2052	v8032040.exe	29
PID 2052 wrote to memory of 2712	2052	v8032040.exe	29
PID 2712 wrote to memory of 2960	2712	b9063393.exe	30
PID 2712 wrote to memory of 2960	2712	b9063393.exe	30
PID 2712 wrote to memory of 2960	2712	b9063393.exe	30
PID 2712 wrote to memory of 2960	2712	b9063393.exe	30
PID 2712 wrote to memory of 2960	2712	b9063393.exe	30
PID 2712 wrote to memory of 2960	2712	b9063393.exe	30
PID 2712 wrote to memory of 2960	2712	b9063393.exe	30
PID 2712 wrote to memory of 2960	2712	b9063393.exe	30
PID 2712 wrote to memory of 2960	2712	b9063393.exe	30
PID 2712 wrote to memory of 2960	2712	b9063393.exe	30
PID 2712 wrote to memory of 2960	2712	b9063393.exe	30
PID 2712 wrote to memory of 2960	2712	b9063393.exe	30
PID 2712 wrote to memory of 2960	2712	b9063393.exe	30
PID 2712 wrote to memory of 2960	2712	b9063393.exe	30
PID 2712 wrote to memory of 1860	2712	b9063393.exe	31
PID 2712 wrote to memory of 1860	2712	b9063393.exe	31
PID 2712 wrote to memory of 1860	2712	b9063393.exe	31
PID 2712 wrote to memory of 1860	2712	b9063393.exe	31
PID 2712 wrote to memory of 1860	2712	b9063393.exe	31
PID 2712 wrote to memory of 1860	2712	b9063393.exe	31
PID 2712 wrote to memory of 1860	2712	b9063393.exe	31
PID 2960 wrote to memory of 2648	2960	AppLaunch.exe	32
PID 2960 wrote to memory of 2648	2960	AppLaunch.exe	32
PID 2960 wrote to memory of 2648	2960	AppLaunch.exe	32
PID 2960 wrote to memory of 2648	2960	AppLaunch.exe	32
PID 2960 wrote to memory of 2648	2960	AppLaunch.exe	32
PID 2960 wrote to memory of 2648	2960	AppLaunch.exe	32
PID 2960 wrote to memory of 2648	2960	AppLaunch.exe	32

C:\Users\Admin\AppData\Local\Temp\214bf81662defaad32e8eb09de0922221f985b7d1633c35c373c62c58b4c9106.exe
"C:\Users\Admin\AppData\Local\Temp\214bf81662defaad32e8eb09de0922221f985b7d1633c35c373c62c58b4c9106.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8032040.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8032040.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9063393.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9063393.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 268
        5⤵
        Program crash
        
        PID:2648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 272
      4⤵
      Loads dropped DLL
      Program crash
      PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8032040.exe

Filesize
404KB

MD5
08b4a3cecb462e1386f452470a3f56a7

SHA1
2dff04c642c1fad066ee5c73bc8f62c48ff77b23

SHA256
982d480071af917d1291de99e4adfe5a8cffe8588688e25179a193e71f79cb5e

SHA512
a9b5dd2db908f42c28ae60825fcede7d838512c23831c9aae31c0110edb5012954e1bf0290586b2fccaed3b886bfb10bdf98d0a0144f45cabb7aee4a4eee0b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8032040.exe

Filesize
404KB

MD5
08b4a3cecb462e1386f452470a3f56a7

SHA1
2dff04c642c1fad066ee5c73bc8f62c48ff77b23

SHA256
982d480071af917d1291de99e4adfe5a8cffe8588688e25179a193e71f79cb5e

SHA512
a9b5dd2db908f42c28ae60825fcede7d838512c23831c9aae31c0110edb5012954e1bf0290586b2fccaed3b886bfb10bdf98d0a0144f45cabb7aee4a4eee0b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9063393.exe

Filesize
365KB

MD5
77659e0b6ab0013a9afb037c815f198a

SHA1
d5a0ccbddb124604f89b0f672ec53a7acb9a2170

SHA256
0dc4fa773c6f4e34d0f85f727ebd648c0fbf252a9c0f216b670454996e1ddf4a

SHA512
486f95b33a5e1995c45dfa28f6389e2634408d9c8c25622afa72e95661ae9ddc95ae5e3271c39e1b34a29f186c1bdc9e270d5cdf6a04f963fa42f686b1ff3cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9063393.exe

Filesize
365KB

MD5
77659e0b6ab0013a9afb037c815f198a

SHA1
d5a0ccbddb124604f89b0f672ec53a7acb9a2170

SHA256
0dc4fa773c6f4e34d0f85f727ebd648c0fbf252a9c0f216b670454996e1ddf4a

SHA512
486f95b33a5e1995c45dfa28f6389e2634408d9c8c25622afa72e95661ae9ddc95ae5e3271c39e1b34a29f186c1bdc9e270d5cdf6a04f963fa42f686b1ff3cfd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8032040.exe

Filesize
404KB

MD5
08b4a3cecb462e1386f452470a3f56a7

SHA1
2dff04c642c1fad066ee5c73bc8f62c48ff77b23

SHA256
982d480071af917d1291de99e4adfe5a8cffe8588688e25179a193e71f79cb5e

SHA512
a9b5dd2db908f42c28ae60825fcede7d838512c23831c9aae31c0110edb5012954e1bf0290586b2fccaed3b886bfb10bdf98d0a0144f45cabb7aee4a4eee0b90

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8032040.exe

Filesize
404KB

MD5
08b4a3cecb462e1386f452470a3f56a7

SHA1
2dff04c642c1fad066ee5c73bc8f62c48ff77b23

SHA256
982d480071af917d1291de99e4adfe5a8cffe8588688e25179a193e71f79cb5e

SHA512
a9b5dd2db908f42c28ae60825fcede7d838512c23831c9aae31c0110edb5012954e1bf0290586b2fccaed3b886bfb10bdf98d0a0144f45cabb7aee4a4eee0b90

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9063393.exe

Filesize
365KB

MD5
77659e0b6ab0013a9afb037c815f198a

SHA1
d5a0ccbddb124604f89b0f672ec53a7acb9a2170

SHA256
0dc4fa773c6f4e34d0f85f727ebd648c0fbf252a9c0f216b670454996e1ddf4a

SHA512
486f95b33a5e1995c45dfa28f6389e2634408d9c8c25622afa72e95661ae9ddc95ae5e3271c39e1b34a29f186c1bdc9e270d5cdf6a04f963fa42f686b1ff3cfd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9063393.exe

Filesize
365KB

MD5
77659e0b6ab0013a9afb037c815f198a

SHA1
d5a0ccbddb124604f89b0f672ec53a7acb9a2170

SHA256
0dc4fa773c6f4e34d0f85f727ebd648c0fbf252a9c0f216b670454996e1ddf4a

SHA512
486f95b33a5e1995c45dfa28f6389e2634408d9c8c25622afa72e95661ae9ddc95ae5e3271c39e1b34a29f186c1bdc9e270d5cdf6a04f963fa42f686b1ff3cfd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9063393.exe

Filesize
365KB

MD5
77659e0b6ab0013a9afb037c815f198a

SHA1
d5a0ccbddb124604f89b0f672ec53a7acb9a2170

SHA256
0dc4fa773c6f4e34d0f85f727ebd648c0fbf252a9c0f216b670454996e1ddf4a

SHA512
486f95b33a5e1995c45dfa28f6389e2634408d9c8c25622afa72e95661ae9ddc95ae5e3271c39e1b34a29f186c1bdc9e270d5cdf6a04f963fa42f686b1ff3cfd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9063393.exe

Filesize
365KB

MD5
77659e0b6ab0013a9afb037c815f198a

SHA1
d5a0ccbddb124604f89b0f672ec53a7acb9a2170

SHA256
0dc4fa773c6f4e34d0f85f727ebd648c0fbf252a9c0f216b670454996e1ddf4a

SHA512
486f95b33a5e1995c45dfa28f6389e2634408d9c8c25622afa72e95661ae9ddc95ae5e3271c39e1b34a29f186c1bdc9e270d5cdf6a04f963fa42f686b1ff3cfd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9063393.exe

Filesize
365KB

MD5
77659e0b6ab0013a9afb037c815f198a

SHA1
d5a0ccbddb124604f89b0f672ec53a7acb9a2170

SHA256
0dc4fa773c6f4e34d0f85f727ebd648c0fbf252a9c0f216b670454996e1ddf4a

SHA512
486f95b33a5e1995c45dfa28f6389e2634408d9c8c25622afa72e95661ae9ddc95ae5e3271c39e1b34a29f186c1bdc9e270d5cdf6a04f963fa42f686b1ff3cfd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9063393.exe

Filesize
365KB

MD5
77659e0b6ab0013a9afb037c815f198a

SHA1
d5a0ccbddb124604f89b0f672ec53a7acb9a2170

SHA256
0dc4fa773c6f4e34d0f85f727ebd648c0fbf252a9c0f216b670454996e1ddf4a

SHA512
486f95b33a5e1995c45dfa28f6389e2634408d9c8c25622afa72e95661ae9ddc95ae5e3271c39e1b34a29f186c1bdc9e270d5cdf6a04f963fa42f686b1ff3cfd

Download Submit
memory/2960-22-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2960-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2960-26-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2960-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2960-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2960-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2960-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2960-23-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2960-21-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2960-20-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads