a0792d2e1cb4c75b93b4414a02df18cd2efcf93c8b701839f352805846b03dc4

Analysis

max time kernel
127s
max time network
136s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
16-10-2023 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0792d2e1cb4c75b93b4414a02df18cd2efcf93c8b701839f352805846b03dc4.exe
Size

1.1MB
MD5

6caef61be87a3fbda6956973cf463a4c
SHA1

2a09667e002cc72fbdc8575f405e1e2e806f5cbe
SHA256

a0792d2e1cb4c75b93b4414a02df18cd2efcf93c8b701839f352805846b03dc4
SHA512

d4935717c0df85c0eb240bd0217de28bab519b3764800ed052f139be4410f6cac30fbb704f220fbabebfee844214d4cf3a910603dd28b6ff590788cd4bb293b3
SSDEEP

24576:Eyvi5t3rLoIx921KwZbsVoXl3mKtFv0llNF+IJ1qnJoo4HLV:Tvi3X21KwZbsVGl3Fv07NIdJh4r

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2624	lm0Fc4iM.exe
820	wZ3tU2UR.exe
4456	AO1DH3Uk.exe
3708	dX0NG9zc.exe
1912	1eR20Fb5.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	dX0NG9zc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a0792d2e1cb4c75b93b4414a02df18cd2efcf93c8b701839f352805846b03dc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	lm0Fc4iM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	wZ3tU2UR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	AO1DH3Uk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 1916	1912	1eR20Fb5.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4892	1912	WerFault.exe	74
4500	1916	WerFault.exe	76

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 2624	3384	a0792d2e1cb4c75b93b4414a02df18cd2efcf93c8b701839f352805846b03dc4.exe	70
PID 3384 wrote to memory of 2624	3384	a0792d2e1cb4c75b93b4414a02df18cd2efcf93c8b701839f352805846b03dc4.exe	70
PID 3384 wrote to memory of 2624	3384	a0792d2e1cb4c75b93b4414a02df18cd2efcf93c8b701839f352805846b03dc4.exe	70
PID 2624 wrote to memory of 820	2624	lm0Fc4iM.exe	71
PID 2624 wrote to memory of 820	2624	lm0Fc4iM.exe	71
PID 2624 wrote to memory of 820	2624	lm0Fc4iM.exe	71
PID 820 wrote to memory of 4456	820	wZ3tU2UR.exe	72
PID 820 wrote to memory of 4456	820	wZ3tU2UR.exe	72
PID 820 wrote to memory of 4456	820	wZ3tU2UR.exe	72
PID 4456 wrote to memory of 3708	4456	AO1DH3Uk.exe	73
PID 4456 wrote to memory of 3708	4456	AO1DH3Uk.exe	73
PID 4456 wrote to memory of 3708	4456	AO1DH3Uk.exe	73
PID 3708 wrote to memory of 1912	3708	dX0NG9zc.exe	74
PID 3708 wrote to memory of 1912	3708	dX0NG9zc.exe	74
PID 3708 wrote to memory of 1912	3708	dX0NG9zc.exe	74
PID 1912 wrote to memory of 1916	1912	1eR20Fb5.exe	76
PID 1912 wrote to memory of 1916	1912	1eR20Fb5.exe	76
PID 1912 wrote to memory of 1916	1912	1eR20Fb5.exe	76
PID 1912 wrote to memory of 1916	1912	1eR20Fb5.exe	76
PID 1912 wrote to memory of 1916	1912	1eR20Fb5.exe	76
PID 1912 wrote to memory of 1916	1912	1eR20Fb5.exe	76
PID 1912 wrote to memory of 1916	1912	1eR20Fb5.exe	76
PID 1912 wrote to memory of 1916	1912	1eR20Fb5.exe	76
PID 1912 wrote to memory of 1916	1912	1eR20Fb5.exe	76
PID 1912 wrote to memory of 1916	1912	1eR20Fb5.exe	76

C:\Users\Admin\AppData\Local\Temp\a0792d2e1cb4c75b93b4414a02df18cd2efcf93c8b701839f352805846b03dc4.exe
"C:\Users\Admin\AppData\Local\Temp\a0792d2e1cb4c75b93b4414a02df18cd2efcf93c8b701839f352805846b03dc4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lm0Fc4iM.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lm0Fc4iM.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wZ3tU2UR.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wZ3tU2UR.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AO1DH3Uk.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AO1DH3Uk.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dX0NG9zc.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dX0NG9zc.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3708
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eR20Fb5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eR20Fb5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 568
        8⤵
        Program crash
        
        PID:4500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 140
        7⤵
        Program crash
        
        PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lm0Fc4iM.exe

Filesize
999KB

MD5
2255f0cf312947b1b24d868d4fa960d9

SHA1
7a52933fe98087acbb1e9b6b321f6accde353a20

SHA256
46c57419a63336405595773a76200a153060938ce9ceeaf2667b7f1d66c5c606

SHA512
7531c2afe6bafb98dc7c7ddab87eae337094764a70e5f30f4f4de3a133ea9ecae8778bfab5cbdae1e6dabbf5588831699e32927180cabffcb633337ccd001e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lm0Fc4iM.exe

Filesize
999KB

MD5
2255f0cf312947b1b24d868d4fa960d9

SHA1
7a52933fe98087acbb1e9b6b321f6accde353a20

SHA256
46c57419a63336405595773a76200a153060938ce9ceeaf2667b7f1d66c5c606

SHA512
7531c2afe6bafb98dc7c7ddab87eae337094764a70e5f30f4f4de3a133ea9ecae8778bfab5cbdae1e6dabbf5588831699e32927180cabffcb633337ccd001e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wZ3tU2UR.exe

Filesize
811KB

MD5
edaafc18f57427bd7d915524c1d6fefe

SHA1
b6e2af84be37e72b306568e7cf0321fc7b25b355

SHA256
96c157eeb600c804d5b0fe30fcbef13c9d41f5131f74ae06c48bbad25711b04b

SHA512
c2573307bcc03566a7053db397b690a0136e5b0245652ea69e41f9e0ceb23d81c31a02e2865fcf851880e159b23ae924597021368f6bc4ccf3df2bcd2d5dcf5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wZ3tU2UR.exe

Filesize
811KB

MD5
edaafc18f57427bd7d915524c1d6fefe

SHA1
b6e2af84be37e72b306568e7cf0321fc7b25b355

SHA256
96c157eeb600c804d5b0fe30fcbef13c9d41f5131f74ae06c48bbad25711b04b

SHA512
c2573307bcc03566a7053db397b690a0136e5b0245652ea69e41f9e0ceb23d81c31a02e2865fcf851880e159b23ae924597021368f6bc4ccf3df2bcd2d5dcf5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AO1DH3Uk.exe

Filesize
578KB

MD5
3646377255e7bf66fc72a68a42a3d10c

SHA1
cefe45aa5e0cf84357f245a031d943d694194725

SHA256
b21dfbc5ae551fc8ebcccde9a8b4a3fd2811c5063d97e0512c9324485b54790c

SHA512
02cb7c25c882ce3f15086decbf72c2a3610081c4d80c55dd15c5abb38f05e1f7188517330d165f1565c54430b63020226dc6a6cacfd4445d043890a4ef51fa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AO1DH3Uk.exe

Filesize
578KB

MD5
3646377255e7bf66fc72a68a42a3d10c

SHA1
cefe45aa5e0cf84357f245a031d943d694194725

SHA256
b21dfbc5ae551fc8ebcccde9a8b4a3fd2811c5063d97e0512c9324485b54790c

SHA512
02cb7c25c882ce3f15086decbf72c2a3610081c4d80c55dd15c5abb38f05e1f7188517330d165f1565c54430b63020226dc6a6cacfd4445d043890a4ef51fa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dX0NG9zc.exe

Filesize
382KB

MD5
5d739a0072209bb1d7b4f8ae84600b2c

SHA1
492df1d593a76fb20cb3670dccdeb9077191eb0c

SHA256
e1285ff0268fc32c3ae684d493b1aca539a48e4356fc46d3257f64e45b24e1d0

SHA512
3931b924977db853107454a32431863037e59aee4ad53ad7b181bb08fe51ceaa996d844301ea42b8a36be0bcf45ff9960d13e3ded07fe87aa86a69789098b701

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dX0NG9zc.exe

Filesize
382KB

MD5
5d739a0072209bb1d7b4f8ae84600b2c

SHA1
492df1d593a76fb20cb3670dccdeb9077191eb0c

SHA256
e1285ff0268fc32c3ae684d493b1aca539a48e4356fc46d3257f64e45b24e1d0

SHA512
3931b924977db853107454a32431863037e59aee4ad53ad7b181bb08fe51ceaa996d844301ea42b8a36be0bcf45ff9960d13e3ded07fe87aa86a69789098b701

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eR20Fb5.exe

Filesize
295KB

MD5
a91ce14a556aa65b82658c28f714592d

SHA1
ca8399e233ce312ed6b0ce5b8b2b899d40bd23c9

SHA256
b2bce2a91a78d8ea5645f45c93ea42ead09be3ee1678544bd7d82ebf84bd2e93

SHA512
1aa41d1c49a9aaa2972034b32208061fb9f09e3d749bd68920452ab1491b363e1bce218dbfd3fc31fae9e071ab896f59f9a5dfd5fb4635109cb9e6a87592b66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eR20Fb5.exe

Filesize
295KB

MD5
a91ce14a556aa65b82658c28f714592d

SHA1
ca8399e233ce312ed6b0ce5b8b2b899d40bd23c9

SHA256
b2bce2a91a78d8ea5645f45c93ea42ead09be3ee1678544bd7d82ebf84bd2e93

SHA512
1aa41d1c49a9aaa2972034b32208061fb9f09e3d749bd68920452ab1491b363e1bce218dbfd3fc31fae9e071ab896f59f9a5dfd5fb4635109cb9e6a87592b66e

Download Submit
memory/1916-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1916-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1916-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1916-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads