abc45a32826a88399d284f4ad3a1e1cb163b4cd1117997cea2a8e817a5dfe5cc

Analysis

max time kernel
179s
max time network
286s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
15/10/2023, 22:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

abc45a32826a88399d284f4ad3a1e1cb163b4cd1117997cea2a8e817a5dfe5cc.exe
Size

1.1MB
MD5

1f30c9507319aa01de7ee0d69bde93b7
SHA1

724037fd1c126da939d18b520253478fe0ba9c50
SHA256

abc45a32826a88399d284f4ad3a1e1cb163b4cd1117997cea2a8e817a5dfe5cc
SHA512

a1de2e99c5764ee83cfc315ad21a6ada5790cb73f6a1168b7ac270e16efc81974dedca992d78a1f2b4f70afc816893e6ea6213e661735167471959559310dfab
SSDEEP

24576:kyBLAJ8kI92yt22KaIKNy1SHBfHIEiYCKB6jjjtV4+14fH:zBLAJKT3Ny1mfoK+Ht+g+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3696	Eq0lw1gj.exe
4340	wZ8tL6Xi.exe
2728	EJ2Xi4wt.exe
4236	zI0cj6xm.exe
2712	1lX46Ex4.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	zI0cj6xm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	abc45a32826a88399d284f4ad3a1e1cb163b4cd1117997cea2a8e817a5dfe5cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Eq0lw1gj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	wZ8tL6Xi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	EJ2Xi4wt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 1220	2712	1lX46Ex4.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1180	2712	WerFault.exe	74
4144	1220	WerFault.exe	76

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 3696	5024	abc45a32826a88399d284f4ad3a1e1cb163b4cd1117997cea2a8e817a5dfe5cc.exe	70
PID 5024 wrote to memory of 3696	5024	abc45a32826a88399d284f4ad3a1e1cb163b4cd1117997cea2a8e817a5dfe5cc.exe	70
PID 5024 wrote to memory of 3696	5024	abc45a32826a88399d284f4ad3a1e1cb163b4cd1117997cea2a8e817a5dfe5cc.exe	70
PID 3696 wrote to memory of 4340	3696	Eq0lw1gj.exe	71
PID 3696 wrote to memory of 4340	3696	Eq0lw1gj.exe	71
PID 3696 wrote to memory of 4340	3696	Eq0lw1gj.exe	71
PID 4340 wrote to memory of 2728	4340	wZ8tL6Xi.exe	72
PID 4340 wrote to memory of 2728	4340	wZ8tL6Xi.exe	72
PID 4340 wrote to memory of 2728	4340	wZ8tL6Xi.exe	72
PID 2728 wrote to memory of 4236	2728	EJ2Xi4wt.exe	73
PID 2728 wrote to memory of 4236	2728	EJ2Xi4wt.exe	73
PID 2728 wrote to memory of 4236	2728	EJ2Xi4wt.exe	73
PID 4236 wrote to memory of 2712	4236	zI0cj6xm.exe	74
PID 4236 wrote to memory of 2712	4236	zI0cj6xm.exe	74
PID 4236 wrote to memory of 2712	4236	zI0cj6xm.exe	74
PID 2712 wrote to memory of 1220	2712	1lX46Ex4.exe	76
PID 2712 wrote to memory of 1220	2712	1lX46Ex4.exe	76
PID 2712 wrote to memory of 1220	2712	1lX46Ex4.exe	76
PID 2712 wrote to memory of 1220	2712	1lX46Ex4.exe	76
PID 2712 wrote to memory of 1220	2712	1lX46Ex4.exe	76
PID 2712 wrote to memory of 1220	2712	1lX46Ex4.exe	76
PID 2712 wrote to memory of 1220	2712	1lX46Ex4.exe	76
PID 2712 wrote to memory of 1220	2712	1lX46Ex4.exe	76
PID 2712 wrote to memory of 1220	2712	1lX46Ex4.exe	76
PID 2712 wrote to memory of 1220	2712	1lX46Ex4.exe	76

C:\Users\Admin\AppData\Local\Temp\abc45a32826a88399d284f4ad3a1e1cb163b4cd1117997cea2a8e817a5dfe5cc.exe
"C:\Users\Admin\AppData\Local\Temp\abc45a32826a88399d284f4ad3a1e1cb163b4cd1117997cea2a8e817a5dfe5cc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Eq0lw1gj.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Eq0lw1gj.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wZ8tL6Xi.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wZ8tL6Xi.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EJ2Xi4wt.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EJ2Xi4wt.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zI0cj6xm.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zI0cj6xm.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1lX46Ex4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1lX46Ex4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 568
        8⤵
        Program crash
        
        PID:4144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 152
        7⤵
        Program crash
        
        PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Eq0lw1gj.exe

Filesize
1008KB

MD5
2ae2faedc17487768a5b388a23a05ae0

SHA1
8a927f5f92baf4bae87bf76a8e07a7e6eca4d2b0

SHA256
f1d3f0ded263588995f816763205ca97ad60f2efe643f1ddd5479b3ce7a97f45

SHA512
977523c4eb314a8f17c43959ade0d666e94714f36f1a451057220baddbf912e7d3fad10e83ca8db2315d96fb710ad0d1e6bcfdd2ba47f142d5f1a1d9ab818929

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Eq0lw1gj.exe

Filesize
1008KB

MD5
2ae2faedc17487768a5b388a23a05ae0

SHA1
8a927f5f92baf4bae87bf76a8e07a7e6eca4d2b0

SHA256
f1d3f0ded263588995f816763205ca97ad60f2efe643f1ddd5479b3ce7a97f45

SHA512
977523c4eb314a8f17c43959ade0d666e94714f36f1a451057220baddbf912e7d3fad10e83ca8db2315d96fb710ad0d1e6bcfdd2ba47f142d5f1a1d9ab818929

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wZ8tL6Xi.exe

Filesize
819KB

MD5
29c93c8b5f12281a7e2c336e10c0db6a

SHA1
6f35d325fda6cf040532d4d6df17b3ada4691cbf

SHA256
edeaf80a820cf75fd36d12a9a0086fc1e8679be23efbf081164161543bdebc58

SHA512
0e468a2000ea300a06f420ffc81aaa91d91f0280b8fe2c4c95331b3a2f3451d1042d454cd1433f9700dc68ddb788a4181f35d5d9a6fa87bbe773b4f81cbe95b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wZ8tL6Xi.exe

Filesize
819KB

MD5
29c93c8b5f12281a7e2c336e10c0db6a

SHA1
6f35d325fda6cf040532d4d6df17b3ada4691cbf

SHA256
edeaf80a820cf75fd36d12a9a0086fc1e8679be23efbf081164161543bdebc58

SHA512
0e468a2000ea300a06f420ffc81aaa91d91f0280b8fe2c4c95331b3a2f3451d1042d454cd1433f9700dc68ddb788a4181f35d5d9a6fa87bbe773b4f81cbe95b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EJ2Xi4wt.exe

Filesize
584KB

MD5
a3995e81081dbd20e1c536dcf0495214

SHA1
bd928ee2f415c324630fe37cdd3440a1106bb149

SHA256
3d96c1d36cfe16ea5d63cbfe8dd0b10579fcc8ded815259b3a6cbcf5ab12fe59

SHA512
b0ac698cce5efc523922d426132be3a4596909ee073412882ca5b4636c3061badab406b1425e76b723c3f876a09f1c091095922fdc3d59834b0c51189dc0835c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EJ2Xi4wt.exe

Filesize
584KB

MD5
a3995e81081dbd20e1c536dcf0495214

SHA1
bd928ee2f415c324630fe37cdd3440a1106bb149

SHA256
3d96c1d36cfe16ea5d63cbfe8dd0b10579fcc8ded815259b3a6cbcf5ab12fe59

SHA512
b0ac698cce5efc523922d426132be3a4596909ee073412882ca5b4636c3061badab406b1425e76b723c3f876a09f1c091095922fdc3d59834b0c51189dc0835c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zI0cj6xm.exe

Filesize
383KB

MD5
a9ba30cb4546e2108ff9f0b3deba4592

SHA1
8da4393edca8a4de772f17af7c39dd1e59c19be5

SHA256
f6d018ee6aebb715b7b0c91929e7a7d5167d03a3cf0506c66e66f4eacb1ffb14

SHA512
aede78891da94ab4c91ea6a35ade72e84e9ae3bf1b92d1aa68fd1f4fbd314549437f8e78192584418e82974be486e3d8e7221025c76672604e663468c3ba49ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zI0cj6xm.exe

Filesize
383KB

MD5
a9ba30cb4546e2108ff9f0b3deba4592

SHA1
8da4393edca8a4de772f17af7c39dd1e59c19be5

SHA256
f6d018ee6aebb715b7b0c91929e7a7d5167d03a3cf0506c66e66f4eacb1ffb14

SHA512
aede78891da94ab4c91ea6a35ade72e84e9ae3bf1b92d1aa68fd1f4fbd314549437f8e78192584418e82974be486e3d8e7221025c76672604e663468c3ba49ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1lX46Ex4.exe

Filesize
298KB

MD5
01405791c19a87de571dff61049f1fac

SHA1
4a885ed5ae8d868e8de1830947544abf8f39e921

SHA256
8b27270ea965fef81792b2c8e7dd60bcf07f07d757d999b9e34380de8bd19a69

SHA512
859a9f14f4fe44959c01e70d90ba8dbca1b587538b3b7f3cd2bb93698c88e8d3ed293ff8eaaa2c037011f412284a45fd504c04e7a6615c63c9549e6e5ec84800

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1lX46Ex4.exe

Filesize
298KB

MD5
01405791c19a87de571dff61049f1fac

SHA1
4a885ed5ae8d868e8de1830947544abf8f39e921

SHA256
8b27270ea965fef81792b2c8e7dd60bcf07f07d757d999b9e34380de8bd19a69

SHA512
859a9f14f4fe44959c01e70d90ba8dbca1b587538b3b7f3cd2bb93698c88e8d3ed293ff8eaaa2c037011f412284a45fd504c04e7a6615c63c9549e6e5ec84800

Download Submit
memory/1220-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1220-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1220-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1220-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads