e1b364eae5f33da2145fce7960de4bf426980fbeb7411ebd7670f4871d2d40ea

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
24-10-2023 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iX8fX0qb.exe
Size

577KB
MD5

f48351d6ee642f4326f80587f9f6dd5b
SHA1

7646e2a15d0e878eb99156f25d785baed488f19a
SHA256

e1b364eae5f33da2145fce7960de4bf426980fbeb7411ebd7670f4871d2d40ea
SHA512

1e49895ad3b452754d4f176b105cad4aced4d62fa548b5d2d755e59eeff44ef3dc6033db07e049c1e1e3907695090fbc0cf5c01bccad07cdede596ed16553f66
SSDEEP

12288:JMrCy905FRfrjj22+5Wur7VMcdgyImohvKqsiyYItOdhZIJWKOVzmlf:PysR/6Wur7KUg9N5hsij4CZIJAz+f

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2856	GW7Pw9Ps.exe
2672	1FE19aI2.exe

Loads dropped DLL 9 IoCs

pid	Process
1212	iX8fX0qb.exe
2856	GW7Pw9Ps.exe
2856	GW7Pw9Ps.exe
2856	GW7Pw9Ps.exe
2672	1FE19aI2.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	iX8fX0qb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	GW7Pw9Ps.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 2720	2672	1FE19aI2.exe	31

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2568	2672	WerFault.exe	29
2756	2720	WerFault.exe	31

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2856	1212	iX8fX0qb.exe	28
PID 1212 wrote to memory of 2856	1212	iX8fX0qb.exe	28
PID 1212 wrote to memory of 2856	1212	iX8fX0qb.exe	28
PID 1212 wrote to memory of 2856	1212	iX8fX0qb.exe	28
PID 1212 wrote to memory of 2856	1212	iX8fX0qb.exe	28
PID 1212 wrote to memory of 2856	1212	iX8fX0qb.exe	28
PID 1212 wrote to memory of 2856	1212	iX8fX0qb.exe	28
PID 2856 wrote to memory of 2672	2856	GW7Pw9Ps.exe	29
PID 2856 wrote to memory of 2672	2856	GW7Pw9Ps.exe	29
PID 2856 wrote to memory of 2672	2856	GW7Pw9Ps.exe	29
PID 2856 wrote to memory of 2672	2856	GW7Pw9Ps.exe	29
PID 2856 wrote to memory of 2672	2856	GW7Pw9Ps.exe	29
PID 2856 wrote to memory of 2672	2856	GW7Pw9Ps.exe	29
PID 2856 wrote to memory of 2672	2856	GW7Pw9Ps.exe	29
PID 2672 wrote to memory of 2720	2672	1FE19aI2.exe	31
PID 2672 wrote to memory of 2720	2672	1FE19aI2.exe	31
PID 2672 wrote to memory of 2720	2672	1FE19aI2.exe	31
PID 2672 wrote to memory of 2720	2672	1FE19aI2.exe	31
PID 2672 wrote to memory of 2720	2672	1FE19aI2.exe	31
PID 2672 wrote to memory of 2720	2672	1FE19aI2.exe	31
PID 2672 wrote to memory of 2720	2672	1FE19aI2.exe	31
PID 2672 wrote to memory of 2720	2672	1FE19aI2.exe	31
PID 2672 wrote to memory of 2720	2672	1FE19aI2.exe	31
PID 2672 wrote to memory of 2720	2672	1FE19aI2.exe	31
PID 2672 wrote to memory of 2720	2672	1FE19aI2.exe	31
PID 2672 wrote to memory of 2720	2672	1FE19aI2.exe	31
PID 2672 wrote to memory of 2720	2672	1FE19aI2.exe	31
PID 2672 wrote to memory of 2720	2672	1FE19aI2.exe	31
PID 2672 wrote to memory of 2568	2672	1FE19aI2.exe	32
PID 2672 wrote to memory of 2568	2672	1FE19aI2.exe	32
PID 2672 wrote to memory of 2568	2672	1FE19aI2.exe	32
PID 2672 wrote to memory of 2568	2672	1FE19aI2.exe	32
PID 2672 wrote to memory of 2568	2672	1FE19aI2.exe	32
PID 2672 wrote to memory of 2568	2672	1FE19aI2.exe	32
PID 2672 wrote to memory of 2568	2672	1FE19aI2.exe	32
PID 2720 wrote to memory of 2756	2720	AppLaunch.exe	33
PID 2720 wrote to memory of 2756	2720	AppLaunch.exe	33
PID 2720 wrote to memory of 2756	2720	AppLaunch.exe	33
PID 2720 wrote to memory of 2756	2720	AppLaunch.exe	33
PID 2720 wrote to memory of 2756	2720	AppLaunch.exe	33
PID 2720 wrote to memory of 2756	2720	AppLaunch.exe	33
PID 2720 wrote to memory of 2756	2720	AppLaunch.exe	33

C:\Users\Admin\AppData\Local\Temp\iX8fX0qb.exe
"C:\Users\Admin\AppData\Local\Temp\iX8fX0qb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GW7Pw9Ps.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GW7Pw9Ps.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FE19aI2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FE19aI2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 268
        5⤵
        Program crash
        
        PID:2756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 268
      4⤵
      Loads dropped DLL
      Program crash
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GW7Pw9Ps.exe

Filesize
382KB

MD5
c280fff02b6cf761c13200f8180efa28

SHA1
e4085841678ed4daabc4023362a37a239887e4dd

SHA256
d4878f32763b903c54ee1695a3e40a271fef117b9ea7fac78f76ffd44b7f0684

SHA512
76f2b5f97da2378a3534a9ed7805ec21ce438c12366009b7aecba7db7eb46e5f2ef479d11ff6301cc76b85cc4c1ed1a8a1726b843ab7c0f241e23c6cdf603acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GW7Pw9Ps.exe

Filesize
382KB

MD5
c280fff02b6cf761c13200f8180efa28

SHA1
e4085841678ed4daabc4023362a37a239887e4dd

SHA256
d4878f32763b903c54ee1695a3e40a271fef117b9ea7fac78f76ffd44b7f0684

SHA512
76f2b5f97da2378a3534a9ed7805ec21ce438c12366009b7aecba7db7eb46e5f2ef479d11ff6301cc76b85cc4c1ed1a8a1726b843ab7c0f241e23c6cdf603acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FE19aI2.exe

Filesize
295KB

MD5
5dd6d39d2b143f8e0bb8dc9209728bd2

SHA1
078640651473ba1cb518d8aaae98bad393c7ed8d

SHA256
54a61219451fe61444df272970c0614d5b60da3570ccf39af976ab3719845350

SHA512
c5cf8dd3bf8048a81de531759ef5138e217c1329431964885249b53ac0822dfcfb636086afc23bae03a867fd5c7a3922f0f3ea090a9441ae2c6a7cec46b50706

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FE19aI2.exe

Filesize
295KB

MD5
5dd6d39d2b143f8e0bb8dc9209728bd2

SHA1
078640651473ba1cb518d8aaae98bad393c7ed8d

SHA256
54a61219451fe61444df272970c0614d5b60da3570ccf39af976ab3719845350

SHA512
c5cf8dd3bf8048a81de531759ef5138e217c1329431964885249b53ac0822dfcfb636086afc23bae03a867fd5c7a3922f0f3ea090a9441ae2c6a7cec46b50706

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FE19aI2.exe

Filesize
295KB

MD5
5dd6d39d2b143f8e0bb8dc9209728bd2

SHA1
078640651473ba1cb518d8aaae98bad393c7ed8d

SHA256
54a61219451fe61444df272970c0614d5b60da3570ccf39af976ab3719845350

SHA512
c5cf8dd3bf8048a81de531759ef5138e217c1329431964885249b53ac0822dfcfb636086afc23bae03a867fd5c7a3922f0f3ea090a9441ae2c6a7cec46b50706

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\GW7Pw9Ps.exe

Filesize
382KB

MD5
c280fff02b6cf761c13200f8180efa28

SHA1
e4085841678ed4daabc4023362a37a239887e4dd

SHA256
d4878f32763b903c54ee1695a3e40a271fef117b9ea7fac78f76ffd44b7f0684

SHA512
76f2b5f97da2378a3534a9ed7805ec21ce438c12366009b7aecba7db7eb46e5f2ef479d11ff6301cc76b85cc4c1ed1a8a1726b843ab7c0f241e23c6cdf603acc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\GW7Pw9Ps.exe

Filesize
382KB

MD5
c280fff02b6cf761c13200f8180efa28

SHA1
e4085841678ed4daabc4023362a37a239887e4dd

SHA256
d4878f32763b903c54ee1695a3e40a271fef117b9ea7fac78f76ffd44b7f0684

SHA512
76f2b5f97da2378a3534a9ed7805ec21ce438c12366009b7aecba7db7eb46e5f2ef479d11ff6301cc76b85cc4c1ed1a8a1726b843ab7c0f241e23c6cdf603acc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FE19aI2.exe

Filesize
295KB

MD5
5dd6d39d2b143f8e0bb8dc9209728bd2

SHA1
078640651473ba1cb518d8aaae98bad393c7ed8d

SHA256
54a61219451fe61444df272970c0614d5b60da3570ccf39af976ab3719845350

SHA512
c5cf8dd3bf8048a81de531759ef5138e217c1329431964885249b53ac0822dfcfb636086afc23bae03a867fd5c7a3922f0f3ea090a9441ae2c6a7cec46b50706

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FE19aI2.exe

Filesize
295KB

MD5
5dd6d39d2b143f8e0bb8dc9209728bd2

SHA1
078640651473ba1cb518d8aaae98bad393c7ed8d

SHA256
54a61219451fe61444df272970c0614d5b60da3570ccf39af976ab3719845350

SHA512
c5cf8dd3bf8048a81de531759ef5138e217c1329431964885249b53ac0822dfcfb636086afc23bae03a867fd5c7a3922f0f3ea090a9441ae2c6a7cec46b50706

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FE19aI2.exe

Filesize
295KB

MD5
5dd6d39d2b143f8e0bb8dc9209728bd2

SHA1
078640651473ba1cb518d8aaae98bad393c7ed8d

SHA256
54a61219451fe61444df272970c0614d5b60da3570ccf39af976ab3719845350

SHA512
c5cf8dd3bf8048a81de531759ef5138e217c1329431964885249b53ac0822dfcfb636086afc23bae03a867fd5c7a3922f0f3ea090a9441ae2c6a7cec46b50706

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FE19aI2.exe

Filesize
295KB

MD5
5dd6d39d2b143f8e0bb8dc9209728bd2

SHA1
078640651473ba1cb518d8aaae98bad393c7ed8d

SHA256
54a61219451fe61444df272970c0614d5b60da3570ccf39af976ab3719845350

SHA512
c5cf8dd3bf8048a81de531759ef5138e217c1329431964885249b53ac0822dfcfb636086afc23bae03a867fd5c7a3922f0f3ea090a9441ae2c6a7cec46b50706

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FE19aI2.exe

Filesize
295KB

MD5
5dd6d39d2b143f8e0bb8dc9209728bd2

SHA1
078640651473ba1cb518d8aaae98bad393c7ed8d

SHA256
54a61219451fe61444df272970c0614d5b60da3570ccf39af976ab3719845350

SHA512
c5cf8dd3bf8048a81de531759ef5138e217c1329431964885249b53ac0822dfcfb636086afc23bae03a867fd5c7a3922f0f3ea090a9441ae2c6a7cec46b50706

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FE19aI2.exe

Filesize
295KB

MD5
5dd6d39d2b143f8e0bb8dc9209728bd2

SHA1
078640651473ba1cb518d8aaae98bad393c7ed8d

SHA256
54a61219451fe61444df272970c0614d5b60da3570ccf39af976ab3719845350

SHA512
c5cf8dd3bf8048a81de531759ef5138e217c1329431964885249b53ac0822dfcfb636086afc23bae03a867fd5c7a3922f0f3ea090a9441ae2c6a7cec46b50706

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FE19aI2.exe

Filesize
295KB

MD5
5dd6d39d2b143f8e0bb8dc9209728bd2

SHA1
078640651473ba1cb518d8aaae98bad393c7ed8d

SHA256
54a61219451fe61444df272970c0614d5b60da3570ccf39af976ab3719845350

SHA512
c5cf8dd3bf8048a81de531759ef5138e217c1329431964885249b53ac0822dfcfb636086afc23bae03a867fd5c7a3922f0f3ea090a9441ae2c6a7cec46b50706

Download Submit
memory/2720-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2720-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2720-29-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2720-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2720-34-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2720-27-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2720-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2720-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2720-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads