b7215d29651d883138e7000f2568418b02cb62350924f78ec75b7c7f0d3a9a72

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

506KB
MD5

0f724d78d4a65272ac085236c9caf06b
SHA1

9449892f318709e1abfd33dd059dbdd1de8a0392
SHA256

b7215d29651d883138e7000f2568418b02cb62350924f78ec75b7c7f0d3a9a72
SHA512

6c4e203e8de1c30cb4fc417fb55887adb80682f1c24ff7f2a8786a7ca179369cdbe4c16fbbe0efc154eaac741ff62c3d81132fd2a8f8125613ac1df4ba678ba5
SSDEEP

12288:qMriy90OWwCjyUi0kYkqnDIw4M0/2+Vlnw+Q1:0yywmyUigbDIw7AZQ1

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2068	v8951797.exe
2264	b1432077.exe

Loads dropped DLL 8 IoCs

pid	Process
2972	file.exe
2068	v8951797.exe
2068	v8951797.exe
2264	b1432077.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8951797.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 2624	2264	b1432077.exe	30

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2760	2264	WerFault.exe	29
2636	2624	WerFault.exe	30

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2068	2972	file.exe	28
PID 2972 wrote to memory of 2068	2972	file.exe	28
PID 2972 wrote to memory of 2068	2972	file.exe	28
PID 2972 wrote to memory of 2068	2972	file.exe	28
PID 2972 wrote to memory of 2068	2972	file.exe	28
PID 2972 wrote to memory of 2068	2972	file.exe	28
PID 2972 wrote to memory of 2068	2972	file.exe	28
PID 2068 wrote to memory of 2264	2068	v8951797.exe	29
PID 2068 wrote to memory of 2264	2068	v8951797.exe	29
PID 2068 wrote to memory of 2264	2068	v8951797.exe	29
PID 2068 wrote to memory of 2264	2068	v8951797.exe	29
PID 2068 wrote to memory of 2264	2068	v8951797.exe	29
PID 2068 wrote to memory of 2264	2068	v8951797.exe	29
PID 2068 wrote to memory of 2264	2068	v8951797.exe	29
PID 2264 wrote to memory of 2624	2264	b1432077.exe	30
PID 2264 wrote to memory of 2624	2264	b1432077.exe	30
PID 2264 wrote to memory of 2624	2264	b1432077.exe	30
PID 2264 wrote to memory of 2624	2264	b1432077.exe	30
PID 2264 wrote to memory of 2624	2264	b1432077.exe	30
PID 2264 wrote to memory of 2624	2264	b1432077.exe	30
PID 2264 wrote to memory of 2624	2264	b1432077.exe	30
PID 2264 wrote to memory of 2624	2264	b1432077.exe	30
PID 2264 wrote to memory of 2624	2264	b1432077.exe	30
PID 2264 wrote to memory of 2624	2264	b1432077.exe	30
PID 2264 wrote to memory of 2624	2264	b1432077.exe	30
PID 2264 wrote to memory of 2624	2264	b1432077.exe	30
PID 2264 wrote to memory of 2624	2264	b1432077.exe	30
PID 2264 wrote to memory of 2624	2264	b1432077.exe	30
PID 2624 wrote to memory of 2636	2624	AppLaunch.exe	32
PID 2624 wrote to memory of 2636	2624	AppLaunch.exe	32
PID 2624 wrote to memory of 2636	2624	AppLaunch.exe	32
PID 2624 wrote to memory of 2636	2624	AppLaunch.exe	32
PID 2624 wrote to memory of 2636	2624	AppLaunch.exe	32
PID 2624 wrote to memory of 2636	2624	AppLaunch.exe	32
PID 2624 wrote to memory of 2636	2624	AppLaunch.exe	32
PID 2264 wrote to memory of 2760	2264	b1432077.exe	31
PID 2264 wrote to memory of 2760	2264	b1432077.exe	31
PID 2264 wrote to memory of 2760	2264	b1432077.exe	31
PID 2264 wrote to memory of 2760	2264	b1432077.exe	31
PID 2264 wrote to memory of 2760	2264	b1432077.exe	31
PID 2264 wrote to memory of 2760	2264	b1432077.exe	31
PID 2264 wrote to memory of 2760	2264	b1432077.exe	31

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8951797.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8951797.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1432077.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1432077.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 268
        5⤵
        Program crash
        
        PID:2636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 272
      4⤵
      Loads dropped DLL
      Program crash
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8951797.exe

Filesize
404KB

MD5
f450161c6fbfb5e27aaab5d37245a5f6

SHA1
1b2fd749a55efcbff0663ae81deaee1e32f49bdb

SHA256
c71853ce7739dcd4eb7fff1d68a55cf69b784a33a42f7bae69fcb75a4402103c

SHA512
804c87aff36dae417f999719d88d2bb89e5eb7632040f3ec24921c132672d46037c67cf88a5c71c71c0482801d2b1bb536d131139da0194849d99f0ca1b0568e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8951797.exe

Filesize
404KB

MD5
f450161c6fbfb5e27aaab5d37245a5f6

SHA1
1b2fd749a55efcbff0663ae81deaee1e32f49bdb

SHA256
c71853ce7739dcd4eb7fff1d68a55cf69b784a33a42f7bae69fcb75a4402103c

SHA512
804c87aff36dae417f999719d88d2bb89e5eb7632040f3ec24921c132672d46037c67cf88a5c71c71c0482801d2b1bb536d131139da0194849d99f0ca1b0568e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1432077.exe

Filesize
365KB

MD5
51bb6acc0f4a12e5c6fba58447b0069a

SHA1
c04e8f4b99395ef575b3fa17aba6cd4a37a5b27f

SHA256
6a93e04395d8460db6c5de3e8d033268737eb3e74cf356d6e647154ef8f12cc6

SHA512
e749bd23481e699884ebdcb9ece28dc181ed1c80a9fe43db5a9518b8d88add2d2f20927d7601d6577563304e613b0ce846e2ffff474251f6100e7e42549a77d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1432077.exe

Filesize
365KB

MD5
51bb6acc0f4a12e5c6fba58447b0069a

SHA1
c04e8f4b99395ef575b3fa17aba6cd4a37a5b27f

SHA256
6a93e04395d8460db6c5de3e8d033268737eb3e74cf356d6e647154ef8f12cc6

SHA512
e749bd23481e699884ebdcb9ece28dc181ed1c80a9fe43db5a9518b8d88add2d2f20927d7601d6577563304e613b0ce846e2ffff474251f6100e7e42549a77d1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8951797.exe

Filesize
404KB

MD5
f450161c6fbfb5e27aaab5d37245a5f6

SHA1
1b2fd749a55efcbff0663ae81deaee1e32f49bdb

SHA256
c71853ce7739dcd4eb7fff1d68a55cf69b784a33a42f7bae69fcb75a4402103c

SHA512
804c87aff36dae417f999719d88d2bb89e5eb7632040f3ec24921c132672d46037c67cf88a5c71c71c0482801d2b1bb536d131139da0194849d99f0ca1b0568e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8951797.exe

Filesize
404KB

MD5
f450161c6fbfb5e27aaab5d37245a5f6

SHA1
1b2fd749a55efcbff0663ae81deaee1e32f49bdb

SHA256
c71853ce7739dcd4eb7fff1d68a55cf69b784a33a42f7bae69fcb75a4402103c

SHA512
804c87aff36dae417f999719d88d2bb89e5eb7632040f3ec24921c132672d46037c67cf88a5c71c71c0482801d2b1bb536d131139da0194849d99f0ca1b0568e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1432077.exe

Filesize
365KB

MD5
51bb6acc0f4a12e5c6fba58447b0069a

SHA1
c04e8f4b99395ef575b3fa17aba6cd4a37a5b27f

SHA256
6a93e04395d8460db6c5de3e8d033268737eb3e74cf356d6e647154ef8f12cc6

SHA512
e749bd23481e699884ebdcb9ece28dc181ed1c80a9fe43db5a9518b8d88add2d2f20927d7601d6577563304e613b0ce846e2ffff474251f6100e7e42549a77d1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1432077.exe

Filesize
365KB

MD5
51bb6acc0f4a12e5c6fba58447b0069a

SHA1
c04e8f4b99395ef575b3fa17aba6cd4a37a5b27f

SHA256
6a93e04395d8460db6c5de3e8d033268737eb3e74cf356d6e647154ef8f12cc6

SHA512
e749bd23481e699884ebdcb9ece28dc181ed1c80a9fe43db5a9518b8d88add2d2f20927d7601d6577563304e613b0ce846e2ffff474251f6100e7e42549a77d1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1432077.exe

Filesize
365KB

MD5
51bb6acc0f4a12e5c6fba58447b0069a

SHA1
c04e8f4b99395ef575b3fa17aba6cd4a37a5b27f

SHA256
6a93e04395d8460db6c5de3e8d033268737eb3e74cf356d6e647154ef8f12cc6

SHA512
e749bd23481e699884ebdcb9ece28dc181ed1c80a9fe43db5a9518b8d88add2d2f20927d7601d6577563304e613b0ce846e2ffff474251f6100e7e42549a77d1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1432077.exe

Filesize
365KB

MD5
51bb6acc0f4a12e5c6fba58447b0069a

SHA1
c04e8f4b99395ef575b3fa17aba6cd4a37a5b27f

SHA256
6a93e04395d8460db6c5de3e8d033268737eb3e74cf356d6e647154ef8f12cc6

SHA512
e749bd23481e699884ebdcb9ece28dc181ed1c80a9fe43db5a9518b8d88add2d2f20927d7601d6577563304e613b0ce846e2ffff474251f6100e7e42549a77d1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1432077.exe

Filesize
365KB

MD5
51bb6acc0f4a12e5c6fba58447b0069a

SHA1
c04e8f4b99395ef575b3fa17aba6cd4a37a5b27f

SHA256
6a93e04395d8460db6c5de3e8d033268737eb3e74cf356d6e647154ef8f12cc6

SHA512
e749bd23481e699884ebdcb9ece28dc181ed1c80a9fe43db5a9518b8d88add2d2f20927d7601d6577563304e613b0ce846e2ffff474251f6100e7e42549a77d1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1432077.exe

Filesize
365KB

MD5
51bb6acc0f4a12e5c6fba58447b0069a

SHA1
c04e8f4b99395ef575b3fa17aba6cd4a37a5b27f

SHA256
6a93e04395d8460db6c5de3e8d033268737eb3e74cf356d6e647154ef8f12cc6

SHA512
e749bd23481e699884ebdcb9ece28dc181ed1c80a9fe43db5a9518b8d88add2d2f20927d7601d6577563304e613b0ce846e2ffff474251f6100e7e42549a77d1

Download Submit
memory/2624-22-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-26-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2624-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-23-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-21-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-20-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads