8067560779b0028cfc3c9a8234fbfbd570f7393430fb38dc497872f9321cac6c

Analysis

max time kernel
91s
max time network
103s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
12/10/2023, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8067560779b0028cfc3c9a8234fbfbd570f7393430fb38dc497872f9321cac6c.exe
Size

1.5MB
MD5

cbe89c69ee00dc12f76a04b36b6aba7b
SHA1

492754afb227ad056c3074c5cef4fac0732e96de
SHA256

8067560779b0028cfc3c9a8234fbfbd570f7393430fb38dc497872f9321cac6c
SHA512

5375a2eb9aaf1b2ee61c3bb8bfab29bb1965e25c8b0ec5d35c9d1c78d5f9794e322e391c71f6640bc84b4fbd195546cea059b1419afe1a39df3e2375a0708aaa
SSDEEP

49152:dbqpYDKQjP8gcKtCfZMrMK0K7BK9F8GQ:RqG+q8D/bKl1K9uP

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
756	ax8VF8SJ.exe
2088	Yw9tj2Qg.exe
4408	RC4GE7pU.exe
3852	pd2Hn0vT.exe
3548	1pk26yB2.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Yw9tj2Qg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	RC4GE7pU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	pd2Hn0vT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8067560779b0028cfc3c9a8234fbfbd570f7393430fb38dc497872f9321cac6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ax8VF8SJ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3548 set thread context of 4704	3548	1pk26yB2.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2900	3548	WerFault.exe	73
1444	4704	WerFault.exe	75

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 756	3312	8067560779b0028cfc3c9a8234fbfbd570f7393430fb38dc497872f9321cac6c.exe	69
PID 3312 wrote to memory of 756	3312	8067560779b0028cfc3c9a8234fbfbd570f7393430fb38dc497872f9321cac6c.exe	69
PID 3312 wrote to memory of 756	3312	8067560779b0028cfc3c9a8234fbfbd570f7393430fb38dc497872f9321cac6c.exe	69
PID 756 wrote to memory of 2088	756	ax8VF8SJ.exe	70
PID 756 wrote to memory of 2088	756	ax8VF8SJ.exe	70
PID 756 wrote to memory of 2088	756	ax8VF8SJ.exe	70
PID 2088 wrote to memory of 4408	2088	Yw9tj2Qg.exe	71
PID 2088 wrote to memory of 4408	2088	Yw9tj2Qg.exe	71
PID 2088 wrote to memory of 4408	2088	Yw9tj2Qg.exe	71
PID 4408 wrote to memory of 3852	4408	RC4GE7pU.exe	72
PID 4408 wrote to memory of 3852	4408	RC4GE7pU.exe	72
PID 4408 wrote to memory of 3852	4408	RC4GE7pU.exe	72
PID 3852 wrote to memory of 3548	3852	pd2Hn0vT.exe	73
PID 3852 wrote to memory of 3548	3852	pd2Hn0vT.exe	73
PID 3852 wrote to memory of 3548	3852	pd2Hn0vT.exe	73
PID 3548 wrote to memory of 4704	3548	1pk26yB2.exe	75
PID 3548 wrote to memory of 4704	3548	1pk26yB2.exe	75
PID 3548 wrote to memory of 4704	3548	1pk26yB2.exe	75
PID 3548 wrote to memory of 4704	3548	1pk26yB2.exe	75
PID 3548 wrote to memory of 4704	3548	1pk26yB2.exe	75
PID 3548 wrote to memory of 4704	3548	1pk26yB2.exe	75
PID 3548 wrote to memory of 4704	3548	1pk26yB2.exe	75
PID 3548 wrote to memory of 4704	3548	1pk26yB2.exe	75
PID 3548 wrote to memory of 4704	3548	1pk26yB2.exe	75
PID 3548 wrote to memory of 4704	3548	1pk26yB2.exe	75

C:\Users\Admin\AppData\Local\Temp\8067560779b0028cfc3c9a8234fbfbd570f7393430fb38dc497872f9321cac6c.exe
"C:\Users\Admin\AppData\Local\Temp\8067560779b0028cfc3c9a8234fbfbd570f7393430fb38dc497872f9321cac6c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ax8VF8SJ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ax8VF8SJ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yw9tj2Qg.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yw9tj2Qg.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RC4GE7pU.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RC4GE7pU.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pd2Hn0vT.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pd2Hn0vT.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3852
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pk26yB2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pk26yB2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 568
        8⤵
        Program crash
        
        PID:1444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 148
        7⤵
        Program crash
        
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ax8VF8SJ.exe

Filesize
1.4MB

MD5
e496ee6dd8b7946d9c06ae99fe0af60d

SHA1
4608af73daa6d284ceeb43a33e98b4dd1ce0bd50

SHA256
6549727a3bd0da4d56b9e82f34f069e57355490ba1bed4bc890f2c12f11f5970

SHA512
350839649e8d27a4fe97953e23ffee83a1d8ba3d48e7816a1d410e7e9ea3aad506b8f7409b8f188c8fe1e0447d069dce0fae5fb39efd35243ad2dee8fb7db187

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ax8VF8SJ.exe

Filesize
1.4MB

MD5
e496ee6dd8b7946d9c06ae99fe0af60d

SHA1
4608af73daa6d284ceeb43a33e98b4dd1ce0bd50

SHA256
6549727a3bd0da4d56b9e82f34f069e57355490ba1bed4bc890f2c12f11f5970

SHA512
350839649e8d27a4fe97953e23ffee83a1d8ba3d48e7816a1d410e7e9ea3aad506b8f7409b8f188c8fe1e0447d069dce0fae5fb39efd35243ad2dee8fb7db187

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yw9tj2Qg.exe

Filesize
1.2MB

MD5
af880e1cd4369cab8d0c397781f7dbf5

SHA1
74fc3d6d159978838a711bf74fc1af9db7fea973

SHA256
74ea61c35aa339475ab43014124938e71c23125e9fb366689c7fbb94a934138d

SHA512
eb86df0f272c61f200f6cf32c2d160c2d203d893106ce444d59f588b2b191354ead62d83ecfe46b4740c67ac41a8fc91f06c2efa34cf08b0c00542a65c6de419

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yw9tj2Qg.exe

Filesize
1.2MB

MD5
af880e1cd4369cab8d0c397781f7dbf5

SHA1
74fc3d6d159978838a711bf74fc1af9db7fea973

SHA256
74ea61c35aa339475ab43014124938e71c23125e9fb366689c7fbb94a934138d

SHA512
eb86df0f272c61f200f6cf32c2d160c2d203d893106ce444d59f588b2b191354ead62d83ecfe46b4740c67ac41a8fc91f06c2efa34cf08b0c00542a65c6de419

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RC4GE7pU.exe

Filesize
776KB

MD5
a9091237ea8658c66cc32bbf65d05428

SHA1
a8a00d8b5fd44367f4fd761c56a9d2cf2b748622

SHA256
f2a7a803514f5cb36ca9966cfb04cb6c1c22d5037c005a20d164c331f21ba147

SHA512
cb5ccbd438fe2cab3048c96d31ffcd67b924f422c0e4299a01f687aa616fbf0dcb97f1025fb0dcec86f1b6889abe47d19100dc9391db11f4a302f2e829df716a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RC4GE7pU.exe

Filesize
776KB

MD5
a9091237ea8658c66cc32bbf65d05428

SHA1
a8a00d8b5fd44367f4fd761c56a9d2cf2b748622

SHA256
f2a7a803514f5cb36ca9966cfb04cb6c1c22d5037c005a20d164c331f21ba147

SHA512
cb5ccbd438fe2cab3048c96d31ffcd67b924f422c0e4299a01f687aa616fbf0dcb97f1025fb0dcec86f1b6889abe47d19100dc9391db11f4a302f2e829df716a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pd2Hn0vT.exe

Filesize
580KB

MD5
0c708c40c9adf34fe1cdbc8f5b0681f6

SHA1
4970347b4b4a36b7951345d1f76ae97abd8d91b7

SHA256
fa29fdb99899c3e0b8d4320ad92f1aef069b59b12299f8602bce0a3cd86c7155

SHA512
d05273d87b8c324c5c468e3d3c0034989244f8f58b8d71c0523f63a510c8b66e64b7deeec6fbb24ef74be666c49b4c2c2a697f5c18d86f2ce10dc39ac5d0f43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pd2Hn0vT.exe

Filesize
580KB

MD5
0c708c40c9adf34fe1cdbc8f5b0681f6

SHA1
4970347b4b4a36b7951345d1f76ae97abd8d91b7

SHA256
fa29fdb99899c3e0b8d4320ad92f1aef069b59b12299f8602bce0a3cd86c7155

SHA512
d05273d87b8c324c5c468e3d3c0034989244f8f58b8d71c0523f63a510c8b66e64b7deeec6fbb24ef74be666c49b4c2c2a697f5c18d86f2ce10dc39ac5d0f43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pk26yB2.exe

Filesize
1.1MB

MD5
fc290b8aacf0380f8fa07f5937700dad

SHA1
91f667c09b9a504bc75a983b586c3b1a29221c3b

SHA256
6c1a83c1e2991ec1782559967e687aabb2ca6b052832fa4cea3d4f75f56b40c4

SHA512
614c95bb1c0731ace2a6e3458f1cbbb864728759a80a155827a94e72051d5bb2ef48a5bc5f9da6fa275ca352347ae32ceb3620a403cd4babe1b9fb720b600d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pk26yB2.exe

Filesize
1.1MB

MD5
fc290b8aacf0380f8fa07f5937700dad

SHA1
91f667c09b9a504bc75a983b586c3b1a29221c3b

SHA256
6c1a83c1e2991ec1782559967e687aabb2ca6b052832fa4cea3d4f75f56b40c4

SHA512
614c95bb1c0731ace2a6e3458f1cbbb864728759a80a155827a94e72051d5bb2ef48a5bc5f9da6fa275ca352347ae32ceb3620a403cd4babe1b9fb720b600d51

Download Submit
memory/4704-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads