5d17b3549508ff7bb9a0cec7c3d76bfa691d038f249b567e6316b5d0040e630a

General

Target

AX4Ts1ev.exe
Size

1.3MB
MD5

88d3384a7f296adb53c425d6b1b2f1d6
SHA1

9194d531a81d8967d1f9736b579b4ac0715cf468
SHA256

5d17b3549508ff7bb9a0cec7c3d76bfa691d038f249b567e6316b5d0040e630a
SHA512

7112205d86adf36673fcebe05a982d2d74f34845da49b0358c17df946cac0be1657454cd71b6404351bd9629f7571dec1d97ee67f46b2c5596a8c45cacdd6f96
SSDEEP

24576:KyX1bmzeGguLwnzZYe+iLmsLU3Hjo1LSZbRWJ4qerrrKWvqWN6:RFOeGgmwnsgCjo1LSxi4qer+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3984	Yg2oW1Dw.exe
3308	XC5me1Dl.exe
708	wG3Fc0pp.exe
2708	1tP28dB4.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Yg2oW1Dw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	XC5me1Dl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	wG3Fc0pp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AX4Ts1ev.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 4964	2708	1tP28dB4.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3336	2708	WerFault.exe	74
4284	4964	WerFault.exe	75

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 3984	712	AX4Ts1ev.exe	71
PID 712 wrote to memory of 3984	712	AX4Ts1ev.exe	71
PID 712 wrote to memory of 3984	712	AX4Ts1ev.exe	71
PID 3984 wrote to memory of 3308	3984	Yg2oW1Dw.exe	72
PID 3984 wrote to memory of 3308	3984	Yg2oW1Dw.exe	72
PID 3984 wrote to memory of 3308	3984	Yg2oW1Dw.exe	72
PID 3308 wrote to memory of 708	3308	XC5me1Dl.exe	73
PID 3308 wrote to memory of 708	3308	XC5me1Dl.exe	73
PID 3308 wrote to memory of 708	3308	XC5me1Dl.exe	73
PID 708 wrote to memory of 2708	708	wG3Fc0pp.exe	74
PID 708 wrote to memory of 2708	708	wG3Fc0pp.exe	74
PID 708 wrote to memory of 2708	708	wG3Fc0pp.exe	74
PID 2708 wrote to memory of 4964	2708	1tP28dB4.exe	75
PID 2708 wrote to memory of 4964	2708	1tP28dB4.exe	75
PID 2708 wrote to memory of 4964	2708	1tP28dB4.exe	75
PID 2708 wrote to memory of 4964	2708	1tP28dB4.exe	75
PID 2708 wrote to memory of 4964	2708	1tP28dB4.exe	75
PID 2708 wrote to memory of 4964	2708	1tP28dB4.exe	75
PID 2708 wrote to memory of 4964	2708	1tP28dB4.exe	75
PID 2708 wrote to memory of 4964	2708	1tP28dB4.exe	75
PID 2708 wrote to memory of 4964	2708	1tP28dB4.exe	75
PID 2708 wrote to memory of 4964	2708	1tP28dB4.exe	75

C:\Users\Admin\AppData\Local\Temp\AX4Ts1ev.exe
"C:\Users\Admin\AppData\Local\Temp\AX4Ts1ev.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yg2oW1Dw.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yg2oW1Dw.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XC5me1Dl.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XC5me1Dl.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wG3Fc0pp.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wG3Fc0pp.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:708
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tP28dB4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tP28dB4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 568
        7⤵
        Program crash
        
        PID:4284
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 588
        6⤵
        Program crash
        
        PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yg2oW1Dw.exe

Filesize
1.2MB

MD5
eee34328bb3f3fee84a94350e9a99c2d

SHA1
dc535c516a8b4396f87f744b09d85175e7edbd3b

SHA256
3f5486a0ce82dde4f3c1d6181558f29876c64377170224878a702c233defa5a1

SHA512
d3c79aa9d07e4b75ce2afd6b18192f481af4b5344c33dd479ddc33fbc28a0dfc18854f9c131cb96ff3a0d79ac18f084d79b8176713d65ccf4f7b2dd6d233a03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yg2oW1Dw.exe

Filesize
1.2MB

MD5
eee34328bb3f3fee84a94350e9a99c2d

SHA1
dc535c516a8b4396f87f744b09d85175e7edbd3b

SHA256
3f5486a0ce82dde4f3c1d6181558f29876c64377170224878a702c233defa5a1

SHA512
d3c79aa9d07e4b75ce2afd6b18192f481af4b5344c33dd479ddc33fbc28a0dfc18854f9c131cb96ff3a0d79ac18f084d79b8176713d65ccf4f7b2dd6d233a03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XC5me1Dl.exe

Filesize
763KB

MD5
971d5e49d9713273073628de4343a109

SHA1
7425592dc829a4013fd85329b7d5e589fb6e6fe3

SHA256
ac6b28cb0fa0fd1e0e5e4398b853842d7a2629a2f117a2eb0b70c1bdc9bca235

SHA512
1b4084dd98a5ae55a59aaf80bc486aabd8bb53e3832ca402ed0aeb9fb1b1313aa2c2e6a893e293c9851ad3f8e7c5e61ac90231b79c9e2eb9883872efdca947db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XC5me1Dl.exe

Filesize
763KB

MD5
971d5e49d9713273073628de4343a109

SHA1
7425592dc829a4013fd85329b7d5e589fb6e6fe3

SHA256
ac6b28cb0fa0fd1e0e5e4398b853842d7a2629a2f117a2eb0b70c1bdc9bca235

SHA512
1b4084dd98a5ae55a59aaf80bc486aabd8bb53e3832ca402ed0aeb9fb1b1313aa2c2e6a893e293c9851ad3f8e7c5e61ac90231b79c9e2eb9883872efdca947db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wG3Fc0pp.exe

Filesize
566KB

MD5
6ffabe70d158124b5df14b4f2ae34ccf

SHA1
0c790e5f68ca43a30e210df6d4e44d8352fde4cd

SHA256
8d6a6590a1bb92577586da082e9af3f81ec9721e25c738af543d921d5fa4ce2b

SHA512
1bfe672e2b696630f267e0dbfaf70bc54992f1491df4276df1bf66c7801b60d7fe573ab38865dc24b5760cd9266e205ad456ba9f3e381645cd13ef778ec451fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wG3Fc0pp.exe

Filesize
566KB

MD5
6ffabe70d158124b5df14b4f2ae34ccf

SHA1
0c790e5f68ca43a30e210df6d4e44d8352fde4cd

SHA256
8d6a6590a1bb92577586da082e9af3f81ec9721e25c738af543d921d5fa4ce2b

SHA512
1bfe672e2b696630f267e0dbfaf70bc54992f1491df4276df1bf66c7801b60d7fe573ab38865dc24b5760cd9266e205ad456ba9f3e381645cd13ef778ec451fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tP28dB4.exe

Filesize
1.1MB

MD5
318ad21e34e07b81e1464df6f292f75a

SHA1
179670bb71aa85c83e8e509a4319323247dde395

SHA256
0b60f938a86268d719ddce6036a9f06764025d2460fe9870e47496ac3bbb8ebe

SHA512
60f460421473366d1c4970af3b41783c779ee26b301e5b7d796e76482f8b3accdf8ae87ea81a2053d1c075dbc58815c6a3a569c14c2ee0a48c36b434ae3dbf89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tP28dB4.exe

Filesize
1.1MB

MD5
318ad21e34e07b81e1464df6f292f75a

SHA1
179670bb71aa85c83e8e509a4319323247dde395

SHA256
0b60f938a86268d719ddce6036a9f06764025d2460fe9870e47496ac3bbb8ebe

SHA512
60f460421473366d1c4970af3b41783c779ee26b301e5b7d796e76482f8b3accdf8ae87ea81a2053d1c075dbc58815c6a3a569c14c2ee0a48c36b434ae3dbf89

Download Submit
memory/4964-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads