7f52a7c15b115ffc08fb8eff73cc3187faa6680f1df35cd7ad9b3b7c189f9696

Analysis

max time kernel
121s
max time network
188s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
15-10-2023 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f52a7c15b115ffc08fb8eff73cc3187faa6680f1df35cd7ad9b3b7c189f9696.exe
Size

1.1MB
MD5

ad688d9f35ef525148688c9101126af8
SHA1

40195cb0bf9cf9e3372b090c335c75e104cf7b75
SHA256

7f52a7c15b115ffc08fb8eff73cc3187faa6680f1df35cd7ad9b3b7c189f9696
SHA512

7c8bd95ba5b4bf61a8d545af509250c8b4b8cf8fec7e39fd190a9bc5fddefacabd0778f37f802d5a8eb2ff8d3c9bf258430b8beec05a34d58fc4761497069ca4
SSDEEP

24576:Yyd48EigwPJmR3R8Vy6Hropvt3Y4eVWoh:fWhifJmRGVLr6vKj

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

pG7SJ5Dj.exeaL1qO7mL.exenY8wu6Eu.exeir1EN2OE.exe1Ya43zX3.exe

pid process

3164 pG7SJ5Dj.exe
3600 aL1qO7mL.exe
3140 nY8wu6Eu.exe
4800 ir1EN2OE.exe
3120 1Ya43zX3.exe

pid	process
3164	pG7SJ5Dj.exe
3600	aL1qO7mL.exe
3140	nY8wu6Eu.exe
4800	ir1EN2OE.exe
3120	1Ya43zX3.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

nY8wu6Eu.exeir1EN2OE.exe7f52a7c15b115ffc08fb8eff73cc3187faa6680f1df35cd7ad9b3b7c189f9696.exepG7SJ5Dj.exeaL1qO7mL.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	nY8wu6Eu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ir1EN2OE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7f52a7c15b115ffc08fb8eff73cc3187faa6680f1df35cd7ad9b3b7c189f9696.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pG7SJ5Dj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	aL1qO7mL.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Ya43zX3.exe

description pid process target process

PID 3120 set thread context of 1764 3120 1Ya43zX3.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

220 3120 WerFault.exe 1Ya43zX3.exe
3908 1764 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 3120 set thread context of 1764	3120	1Ya43zX3.exe	AppLaunch.exe

pid	pid_target	process	target process
220	3120	WerFault.exe	1Ya43zX3.exe
3908	1764	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

7f52a7c15b115ffc08fb8eff73cc3187faa6680f1df35cd7ad9b3b7c189f9696.exepG7SJ5Dj.exeaL1qO7mL.exenY8wu6Eu.exeir1EN2OE.exe1Ya43zX3.exe

description	pid	process	target process
PID 2600 wrote to memory of 3164	2600	7f52a7c15b115ffc08fb8eff73cc3187faa6680f1df35cd7ad9b3b7c189f9696.exe	pG7SJ5Dj.exe
PID 2600 wrote to memory of 3164	2600	7f52a7c15b115ffc08fb8eff73cc3187faa6680f1df35cd7ad9b3b7c189f9696.exe	pG7SJ5Dj.exe
PID 2600 wrote to memory of 3164	2600	7f52a7c15b115ffc08fb8eff73cc3187faa6680f1df35cd7ad9b3b7c189f9696.exe	pG7SJ5Dj.exe
PID 3164 wrote to memory of 3600	3164	pG7SJ5Dj.exe	aL1qO7mL.exe
PID 3164 wrote to memory of 3600	3164	pG7SJ5Dj.exe	aL1qO7mL.exe
PID 3164 wrote to memory of 3600	3164	pG7SJ5Dj.exe	aL1qO7mL.exe
PID 3600 wrote to memory of 3140	3600	aL1qO7mL.exe	nY8wu6Eu.exe
PID 3600 wrote to memory of 3140	3600	aL1qO7mL.exe	nY8wu6Eu.exe
PID 3600 wrote to memory of 3140	3600	aL1qO7mL.exe	nY8wu6Eu.exe
PID 3140 wrote to memory of 4800	3140	nY8wu6Eu.exe	ir1EN2OE.exe
PID 3140 wrote to memory of 4800	3140	nY8wu6Eu.exe	ir1EN2OE.exe
PID 3140 wrote to memory of 4800	3140	nY8wu6Eu.exe	ir1EN2OE.exe
PID 4800 wrote to memory of 3120	4800	ir1EN2OE.exe	1Ya43zX3.exe
PID 4800 wrote to memory of 3120	4800	ir1EN2OE.exe	1Ya43zX3.exe
PID 4800 wrote to memory of 3120	4800	ir1EN2OE.exe	1Ya43zX3.exe
PID 3120 wrote to memory of 1764	3120	1Ya43zX3.exe	AppLaunch.exe
PID 3120 wrote to memory of 1764	3120	1Ya43zX3.exe	AppLaunch.exe
PID 3120 wrote to memory of 1764	3120	1Ya43zX3.exe	AppLaunch.exe
PID 3120 wrote to memory of 1764	3120	1Ya43zX3.exe	AppLaunch.exe
PID 3120 wrote to memory of 1764	3120	1Ya43zX3.exe	AppLaunch.exe
PID 3120 wrote to memory of 1764	3120	1Ya43zX3.exe	AppLaunch.exe
PID 3120 wrote to memory of 1764	3120	1Ya43zX3.exe	AppLaunch.exe
PID 3120 wrote to memory of 1764	3120	1Ya43zX3.exe	AppLaunch.exe
PID 3120 wrote to memory of 1764	3120	1Ya43zX3.exe	AppLaunch.exe
PID 3120 wrote to memory of 1764	3120	1Ya43zX3.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\7f52a7c15b115ffc08fb8eff73cc3187faa6680f1df35cd7ad9b3b7c189f9696.exe
"C:\Users\Admin\AppData\Local\Temp\7f52a7c15b115ffc08fb8eff73cc3187faa6680f1df35cd7ad9b3b7c189f9696.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pG7SJ5Dj.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pG7SJ5Dj.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3164

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aL1qO7mL.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aL1qO7mL.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3600

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nY8wu6Eu.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nY8wu6Eu.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ir1EN2OE.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ir1EN2OE.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4800

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ya43zX3.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ya43zX3.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 568
8⤵
- Program crash
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 140
7⤵
- Program crash
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pG7SJ5Dj.exe

Filesize
1006KB

MD5
389d7cf7d1b8e40099fef6be3c50d55e

SHA1
20483a501d293148dc7f23124e62f3fe894d207a

SHA256
be0a182d59671abccba417340ec289bbd61f2dc7a4669388773d5aec03e31ccf

SHA512
ef5a9c7b6c144fc688191d069ad91c26a50c6726f3c7c944bfd7c8de2ca0ba7723e57ed2fad9fee6ccb26d9c6b26ac1e94e0a4fd00855624f40602ef6b1a3b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pG7SJ5Dj.exe

Filesize
1006KB

MD5
389d7cf7d1b8e40099fef6be3c50d55e

SHA1
20483a501d293148dc7f23124e62f3fe894d207a

SHA256
be0a182d59671abccba417340ec289bbd61f2dc7a4669388773d5aec03e31ccf

SHA512
ef5a9c7b6c144fc688191d069ad91c26a50c6726f3c7c944bfd7c8de2ca0ba7723e57ed2fad9fee6ccb26d9c6b26ac1e94e0a4fd00855624f40602ef6b1a3b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aL1qO7mL.exe

Filesize
817KB

MD5
14aff060ccd41859b6ffb6d4800052f0

SHA1
4fcbd1a5fee04085df695639824f02a79868c092

SHA256
7aad2cbe3c6059549e6ae09abaf8433d28b536e12e4415b190f8c17ca8ca1d07

SHA512
eb2dafb05fda30911f76cd7a48be8b23c79e7afd5c1218bdc76f6ee47fe28032e9e9367c1c76334d218f8c026593bb2c0d2bb689e55ebf06ee2b002441311e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aL1qO7mL.exe

Filesize
817KB

MD5
14aff060ccd41859b6ffb6d4800052f0

SHA1
4fcbd1a5fee04085df695639824f02a79868c092

SHA256
7aad2cbe3c6059549e6ae09abaf8433d28b536e12e4415b190f8c17ca8ca1d07

SHA512
eb2dafb05fda30911f76cd7a48be8b23c79e7afd5c1218bdc76f6ee47fe28032e9e9367c1c76334d218f8c026593bb2c0d2bb689e55ebf06ee2b002441311e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nY8wu6Eu.exe

Filesize
583KB

MD5
7a7e76a877023b9b5bf4122049701592

SHA1
8890eaefb620195f09e73c9a1a24d9854ae98a7d

SHA256
93a41ceec54d03ec333db31062755f332277f29f7365b6a04d91fb474b2fd38f

SHA512
169a8a768832cdaaab30533d4160534fd8c31e1fa8035ca4e731499caea8a54b12374b116c6671024286172eb93a6a4080cab33855290796e88e7b5177df403b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nY8wu6Eu.exe

Filesize
583KB

MD5
7a7e76a877023b9b5bf4122049701592

SHA1
8890eaefb620195f09e73c9a1a24d9854ae98a7d

SHA256
93a41ceec54d03ec333db31062755f332277f29f7365b6a04d91fb474b2fd38f

SHA512
169a8a768832cdaaab30533d4160534fd8c31e1fa8035ca4e731499caea8a54b12374b116c6671024286172eb93a6a4080cab33855290796e88e7b5177df403b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ir1EN2OE.exe

Filesize
382KB

MD5
c2c085abe21cc4eea14a741af3e37c86

SHA1
2165ffd91cceb405964ef077437e2a732c5fefc7

SHA256
70384922903ea237fb547a736c786ace96103c141f4c5541f8524babb68cdaca

SHA512
fb9b5d1b2a58498aff5fe6863296c013d5e88c60c83206c3409ac2dda980eb54de234aad882c422c7a88896dab8a73d3aa4d453988a8fcca9f15dcb0dd1f245a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ir1EN2OE.exe

Filesize
382KB

MD5
c2c085abe21cc4eea14a741af3e37c86

SHA1
2165ffd91cceb405964ef077437e2a732c5fefc7

SHA256
70384922903ea237fb547a736c786ace96103c141f4c5541f8524babb68cdaca

SHA512
fb9b5d1b2a58498aff5fe6863296c013d5e88c60c83206c3409ac2dda980eb54de234aad882c422c7a88896dab8a73d3aa4d453988a8fcca9f15dcb0dd1f245a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ya43zX3.exe

Filesize
295KB

MD5
b4925dccfbce1e9c139d0d0dabb0913f

SHA1
b5e5eb8a64a1d99a47f1f5be7722bc1bd04fa4be

SHA256
8f53ae7be6bf7914f67d450621b169de659543391a71b66df511ac7be2bcb1fc

SHA512
6e4c1a94f47a91ef29e852efdc5cb757192eb8474d2b3efcd388e153fd0614cf0d23d8444b50f445d41675d2318ea744f899ddcf2854ae80834c83bd973e304e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ya43zX3.exe

Filesize
295KB

MD5
b4925dccfbce1e9c139d0d0dabb0913f

SHA1
b5e5eb8a64a1d99a47f1f5be7722bc1bd04fa4be

SHA256
8f53ae7be6bf7914f67d450621b169de659543391a71b66df511ac7be2bcb1fc

SHA512
6e4c1a94f47a91ef29e852efdc5cb757192eb8474d2b3efcd388e153fd0614cf0d23d8444b50f445d41675d2318ea744f899ddcf2854ae80834c83bd973e304e

Download Submit
memory/1764-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1764-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1764-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1764-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download