d2f3272108d1e3abd82520d2af25e446625078f5faf104304eef8753dcf361b9

Analysis

max time kernel
121s
max time network
134s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
14-10-2023 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2f3272108d1e3abd82520d2af25e446625078f5faf104304eef8753dcf361b9.exe
Size

1.1MB
MD5

f78b520c495fc204569b9de55614db15
SHA1

cf3ed2b5787c269118f5e349881dbddf0cc3167c
SHA256

d2f3272108d1e3abd82520d2af25e446625078f5faf104304eef8753dcf361b9
SHA512

030b9e189369db12c1dbe8f08e498b30df7d3fc32a9bac100a59dfb6e687a04236261a85611b049e9d31a9a034b426ab92c9e3a0c96115230afb88c108962549
SSDEEP

24576:RygCyVZzWzab7qgV+JCq+lvC5a7oeFkVCeIPyb8iWEZ0EGWkeCI3p/C+B:E678g4Cq+lv/Le+yb8WGWkeCF+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
5012	mr6aB3Yq.exe
4984	Ep6kx5LD.exe
2680	Ya2cM0oi.exe
2344	gh9Km8YH.exe
208	1Wa01RO7.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ya2cM0oi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	gh9Km8YH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d2f3272108d1e3abd82520d2af25e446625078f5faf104304eef8753dcf361b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mr6aB3Yq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ep6kx5LD.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 208 set thread context of 3900	208	1Wa01RO7.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
436	208	WerFault.exe	73
1076	3900	WerFault.exe	76

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 5012	4376	d2f3272108d1e3abd82520d2af25e446625078f5faf104304eef8753dcf361b9.exe	69
PID 4376 wrote to memory of 5012	4376	d2f3272108d1e3abd82520d2af25e446625078f5faf104304eef8753dcf361b9.exe	69
PID 4376 wrote to memory of 5012	4376	d2f3272108d1e3abd82520d2af25e446625078f5faf104304eef8753dcf361b9.exe	69
PID 5012 wrote to memory of 4984	5012	mr6aB3Yq.exe	70
PID 5012 wrote to memory of 4984	5012	mr6aB3Yq.exe	70
PID 5012 wrote to memory of 4984	5012	mr6aB3Yq.exe	70
PID 4984 wrote to memory of 2680	4984	Ep6kx5LD.exe	71
PID 4984 wrote to memory of 2680	4984	Ep6kx5LD.exe	71
PID 4984 wrote to memory of 2680	4984	Ep6kx5LD.exe	71
PID 2680 wrote to memory of 2344	2680	Ya2cM0oi.exe	72
PID 2680 wrote to memory of 2344	2680	Ya2cM0oi.exe	72
PID 2680 wrote to memory of 2344	2680	Ya2cM0oi.exe	72
PID 2344 wrote to memory of 208	2344	gh9Km8YH.exe	73
PID 2344 wrote to memory of 208	2344	gh9Km8YH.exe	73
PID 2344 wrote to memory of 208	2344	gh9Km8YH.exe	73
PID 208 wrote to memory of 4588	208	1Wa01RO7.exe	75
PID 208 wrote to memory of 4588	208	1Wa01RO7.exe	75
PID 208 wrote to memory of 4588	208	1Wa01RO7.exe	75
PID 208 wrote to memory of 3900	208	1Wa01RO7.exe	76
PID 208 wrote to memory of 3900	208	1Wa01RO7.exe	76
PID 208 wrote to memory of 3900	208	1Wa01RO7.exe	76
PID 208 wrote to memory of 3900	208	1Wa01RO7.exe	76
PID 208 wrote to memory of 3900	208	1Wa01RO7.exe	76
PID 208 wrote to memory of 3900	208	1Wa01RO7.exe	76
PID 208 wrote to memory of 3900	208	1Wa01RO7.exe	76
PID 208 wrote to memory of 3900	208	1Wa01RO7.exe	76
PID 208 wrote to memory of 3900	208	1Wa01RO7.exe	76
PID 208 wrote to memory of 3900	208	1Wa01RO7.exe	76

C:\Users\Admin\AppData\Local\Temp\d2f3272108d1e3abd82520d2af25e446625078f5faf104304eef8753dcf361b9.exe
"C:\Users\Admin\AppData\Local\Temp\d2f3272108d1e3abd82520d2af25e446625078f5faf104304eef8753dcf361b9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mr6aB3Yq.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mr6aB3Yq.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ep6kx5LD.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ep6kx5LD.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ya2cM0oi.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ya2cM0oi.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gh9Km8YH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gh9Km8YH.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Wa01RO7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Wa01RO7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 568
        8⤵
        Program crash
        
        PID:1076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 576
        7⤵
        Program crash
        
        PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mr6aB3Yq.exe

Filesize
1008KB

MD5
5adeec3e7627f7db8072ae2c397c43ea

SHA1
14c61412c83ae4f35de07e6cb3ba82cef687099d

SHA256
bd0948463e09a551015d5f7b6004a0203b0a1e29e213180c85e6c5aeeae3992a

SHA512
7e877472ffe7c68f8b11b79be85eccc9a5f9d2c32431f58aec3e85d9084870eefd9e505d88b72385fb8315eaf0d84dce12a63f9c9fea775fe723a9f000cf1ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mr6aB3Yq.exe

Filesize
1008KB

MD5
5adeec3e7627f7db8072ae2c397c43ea

SHA1
14c61412c83ae4f35de07e6cb3ba82cef687099d

SHA256
bd0948463e09a551015d5f7b6004a0203b0a1e29e213180c85e6c5aeeae3992a

SHA512
7e877472ffe7c68f8b11b79be85eccc9a5f9d2c32431f58aec3e85d9084870eefd9e505d88b72385fb8315eaf0d84dce12a63f9c9fea775fe723a9f000cf1ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ep6kx5LD.exe

Filesize
820KB

MD5
1d8abc6c10c9da8213ec2b1e8395f7b5

SHA1
6571077eaab3fa2bc26772d2d4d3be29c1e223f6

SHA256
169dfc5f9df1bc3521fc6937f3dd7255db545350c0876eccac7a9285cb399d8d

SHA512
889f067ec1f667cabbdaba7d957da6d84ea1c07d1aba6b10c4155d7b9b62f1f3ae1a1031ba50a01662b211e9f199f4711914e0b2b44eeafb34605e8b9ea5068b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ep6kx5LD.exe

Filesize
820KB

MD5
1d8abc6c10c9da8213ec2b1e8395f7b5

SHA1
6571077eaab3fa2bc26772d2d4d3be29c1e223f6

SHA256
169dfc5f9df1bc3521fc6937f3dd7255db545350c0876eccac7a9285cb399d8d

SHA512
889f067ec1f667cabbdaba7d957da6d84ea1c07d1aba6b10c4155d7b9b62f1f3ae1a1031ba50a01662b211e9f199f4711914e0b2b44eeafb34605e8b9ea5068b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ya2cM0oi.exe

Filesize
584KB

MD5
37c126bb610cc58ecd5da12ad4a58868

SHA1
3a7dede0986b54a4422f5177ac791b3e105d6f7a

SHA256
c5a66e36405487c162e0dc642dfdd4f1b564fea4ef202f733653cb449a66b981

SHA512
fc5ef3107f78fee9fb49f68559aa6601694c6432d2fd813e7f4cddf35bd678c04db21046870e5fccad60407dc9d351bff233363ef19d0cbd1dcd2b763fc22400

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ya2cM0oi.exe

Filesize
584KB

MD5
37c126bb610cc58ecd5da12ad4a58868

SHA1
3a7dede0986b54a4422f5177ac791b3e105d6f7a

SHA256
c5a66e36405487c162e0dc642dfdd4f1b564fea4ef202f733653cb449a66b981

SHA512
fc5ef3107f78fee9fb49f68559aa6601694c6432d2fd813e7f4cddf35bd678c04db21046870e5fccad60407dc9d351bff233363ef19d0cbd1dcd2b763fc22400

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gh9Km8YH.exe

Filesize
383KB

MD5
af4cd3c34ab1a6dfd47482572c8dd19d

SHA1
fba9a44801dd061c8d232c8a83323f9a93180fe6

SHA256
061a517de5019eecb1661da40eaeb59cc112d3c779aa31332cf12585933c4753

SHA512
4c8b54ebb4d16041500758b0858d390633da8e96bb6dc77988d05e28f74cf6e5c3b056a83c2cf9777afcb6a726defa534f2a3909d7e0bbe7e7641b5c9df0d7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gh9Km8YH.exe

Filesize
383KB

MD5
af4cd3c34ab1a6dfd47482572c8dd19d

SHA1
fba9a44801dd061c8d232c8a83323f9a93180fe6

SHA256
061a517de5019eecb1661da40eaeb59cc112d3c779aa31332cf12585933c4753

SHA512
4c8b54ebb4d16041500758b0858d390633da8e96bb6dc77988d05e28f74cf6e5c3b056a83c2cf9777afcb6a726defa534f2a3909d7e0bbe7e7641b5c9df0d7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Wa01RO7.exe

Filesize
298KB

MD5
fd636db5da71f7e1d45697f630561887

SHA1
5380b858e05b4f296251bc201642fb25889849d5

SHA256
50088f7bd7f2bfcae202da22dc56e04bacf1954fefe93936032107353c37abb7

SHA512
5caedb28d0d778b0dcf4b8b26fbce05ac9cbb659a6d4aaace82197c482e505e1af69c6b321aa92d8d98aed408d049092ccbe7c10849813308c0178996339487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Wa01RO7.exe

Filesize
298KB

MD5
fd636db5da71f7e1d45697f630561887

SHA1
5380b858e05b4f296251bc201642fb25889849d5

SHA256
50088f7bd7f2bfcae202da22dc56e04bacf1954fefe93936032107353c37abb7

SHA512
5caedb28d0d778b0dcf4b8b26fbce05ac9cbb659a6d4aaace82197c482e505e1af69c6b321aa92d8d98aed408d049092ccbe7c10849813308c0178996339487c

Download Submit
memory/3900-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3900-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3900-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3900-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads