ac6b28cb0fa0fd1e0e5e4398b853842d7a2629a2f117a2eb0b70c1bdc9bca235

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
30/10/2023, 05:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

XC5me1Dl.exe
Size

763KB
MD5

971d5e49d9713273073628de4343a109
SHA1

7425592dc829a4013fd85329b7d5e589fb6e6fe3
SHA256

ac6b28cb0fa0fd1e0e5e4398b853842d7a2629a2f117a2eb0b70c1bdc9bca235
SHA512

1b4084dd98a5ae55a59aaf80bc486aabd8bb53e3832ca402ed0aeb9fb1b1313aa2c2e6a893e293c9851ad3f8e7c5e61ac90231b79c9e2eb9883872efdca947db
SSDEEP

12288:pMrky90ZbTJhWrBMZraubTqiLUxCLE3mepmOCT28XFS3IZ0m2PZHpaxjzWds:tyQvWr6ZxTqiLUMLE38h6k7qZgBWm

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2640	wG3Fc0pp.exe
2076	1tP28dB4.exe

Loads dropped DLL 8 IoCs

pid	Process
2212	XC5me1Dl.exe
2640	wG3Fc0pp.exe
2640	wG3Fc0pp.exe
2640	wG3Fc0pp.exe
2076	1tP28dB4.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	XC5me1Dl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	wG3Fc0pp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2076 set thread context of 2708	2076	1tP28dB4.exe	30

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2704	2076	WerFault.exe	29
2664	2708	WerFault.exe	30

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2640	2212	XC5me1Dl.exe	28
PID 2212 wrote to memory of 2640	2212	XC5me1Dl.exe	28
PID 2212 wrote to memory of 2640	2212	XC5me1Dl.exe	28
PID 2212 wrote to memory of 2640	2212	XC5me1Dl.exe	28
PID 2212 wrote to memory of 2640	2212	XC5me1Dl.exe	28
PID 2212 wrote to memory of 2640	2212	XC5me1Dl.exe	28
PID 2212 wrote to memory of 2640	2212	XC5me1Dl.exe	28
PID 2640 wrote to memory of 2076	2640	wG3Fc0pp.exe	29
PID 2640 wrote to memory of 2076	2640	wG3Fc0pp.exe	29
PID 2640 wrote to memory of 2076	2640	wG3Fc0pp.exe	29
PID 2640 wrote to memory of 2076	2640	wG3Fc0pp.exe	29
PID 2640 wrote to memory of 2076	2640	wG3Fc0pp.exe	29
PID 2640 wrote to memory of 2076	2640	wG3Fc0pp.exe	29
PID 2640 wrote to memory of 2076	2640	wG3Fc0pp.exe	29
PID 2076 wrote to memory of 2708	2076	1tP28dB4.exe	30
PID 2076 wrote to memory of 2708	2076	1tP28dB4.exe	30
PID 2076 wrote to memory of 2708	2076	1tP28dB4.exe	30
PID 2076 wrote to memory of 2708	2076	1tP28dB4.exe	30
PID 2076 wrote to memory of 2708	2076	1tP28dB4.exe	30
PID 2076 wrote to memory of 2708	2076	1tP28dB4.exe	30
PID 2076 wrote to memory of 2708	2076	1tP28dB4.exe	30
PID 2076 wrote to memory of 2708	2076	1tP28dB4.exe	30
PID 2076 wrote to memory of 2708	2076	1tP28dB4.exe	30
PID 2076 wrote to memory of 2708	2076	1tP28dB4.exe	30
PID 2076 wrote to memory of 2708	2076	1tP28dB4.exe	30
PID 2076 wrote to memory of 2708	2076	1tP28dB4.exe	30
PID 2076 wrote to memory of 2708	2076	1tP28dB4.exe	30
PID 2076 wrote to memory of 2708	2076	1tP28dB4.exe	30
PID 2708 wrote to memory of 2664	2708	AppLaunch.exe	32
PID 2708 wrote to memory of 2664	2708	AppLaunch.exe	32
PID 2708 wrote to memory of 2664	2708	AppLaunch.exe	32
PID 2708 wrote to memory of 2664	2708	AppLaunch.exe	32
PID 2708 wrote to memory of 2664	2708	AppLaunch.exe	32
PID 2708 wrote to memory of 2664	2708	AppLaunch.exe	32
PID 2708 wrote to memory of 2664	2708	AppLaunch.exe	32
PID 2076 wrote to memory of 2704	2076	1tP28dB4.exe	31
PID 2076 wrote to memory of 2704	2076	1tP28dB4.exe	31
PID 2076 wrote to memory of 2704	2076	1tP28dB4.exe	31
PID 2076 wrote to memory of 2704	2076	1tP28dB4.exe	31
PID 2076 wrote to memory of 2704	2076	1tP28dB4.exe	31
PID 2076 wrote to memory of 2704	2076	1tP28dB4.exe	31
PID 2076 wrote to memory of 2704	2076	1tP28dB4.exe	31

C:\Users\Admin\AppData\Local\Temp\XC5me1Dl.exe
"C:\Users\Admin\AppData\Local\Temp\XC5me1Dl.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wG3Fc0pp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wG3Fc0pp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tP28dB4.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tP28dB4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 268
        5⤵
        Program crash
        
        PID:2664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 272
      4⤵
      Loads dropped DLL
      Program crash
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wG3Fc0pp.exe

Filesize
566KB

MD5
6ffabe70d158124b5df14b4f2ae34ccf

SHA1
0c790e5f68ca43a30e210df6d4e44d8352fde4cd

SHA256
8d6a6590a1bb92577586da082e9af3f81ec9721e25c738af543d921d5fa4ce2b

SHA512
1bfe672e2b696630f267e0dbfaf70bc54992f1491df4276df1bf66c7801b60d7fe573ab38865dc24b5760cd9266e205ad456ba9f3e381645cd13ef778ec451fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wG3Fc0pp.exe

Filesize
566KB

MD5
6ffabe70d158124b5df14b4f2ae34ccf

SHA1
0c790e5f68ca43a30e210df6d4e44d8352fde4cd

SHA256
8d6a6590a1bb92577586da082e9af3f81ec9721e25c738af543d921d5fa4ce2b

SHA512
1bfe672e2b696630f267e0dbfaf70bc54992f1491df4276df1bf66c7801b60d7fe573ab38865dc24b5760cd9266e205ad456ba9f3e381645cd13ef778ec451fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tP28dB4.exe

Filesize
1.1MB

MD5
318ad21e34e07b81e1464df6f292f75a

SHA1
179670bb71aa85c83e8e509a4319323247dde395

SHA256
0b60f938a86268d719ddce6036a9f06764025d2460fe9870e47496ac3bbb8ebe

SHA512
60f460421473366d1c4970af3b41783c779ee26b301e5b7d796e76482f8b3accdf8ae87ea81a2053d1c075dbc58815c6a3a569c14c2ee0a48c36b434ae3dbf89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tP28dB4.exe

Filesize
1.1MB

MD5
318ad21e34e07b81e1464df6f292f75a

SHA1
179670bb71aa85c83e8e509a4319323247dde395

SHA256
0b60f938a86268d719ddce6036a9f06764025d2460fe9870e47496ac3bbb8ebe

SHA512
60f460421473366d1c4970af3b41783c779ee26b301e5b7d796e76482f8b3accdf8ae87ea81a2053d1c075dbc58815c6a3a569c14c2ee0a48c36b434ae3dbf89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tP28dB4.exe

Filesize
1.1MB

MD5
318ad21e34e07b81e1464df6f292f75a

SHA1
179670bb71aa85c83e8e509a4319323247dde395

SHA256
0b60f938a86268d719ddce6036a9f06764025d2460fe9870e47496ac3bbb8ebe

SHA512
60f460421473366d1c4970af3b41783c779ee26b301e5b7d796e76482f8b3accdf8ae87ea81a2053d1c075dbc58815c6a3a569c14c2ee0a48c36b434ae3dbf89

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\wG3Fc0pp.exe

Filesize
566KB

MD5
6ffabe70d158124b5df14b4f2ae34ccf

SHA1
0c790e5f68ca43a30e210df6d4e44d8352fde4cd

SHA256
8d6a6590a1bb92577586da082e9af3f81ec9721e25c738af543d921d5fa4ce2b

SHA512
1bfe672e2b696630f267e0dbfaf70bc54992f1491df4276df1bf66c7801b60d7fe573ab38865dc24b5760cd9266e205ad456ba9f3e381645cd13ef778ec451fd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\wG3Fc0pp.exe

Filesize
566KB

MD5
6ffabe70d158124b5df14b4f2ae34ccf

SHA1
0c790e5f68ca43a30e210df6d4e44d8352fde4cd

SHA256
8d6a6590a1bb92577586da082e9af3f81ec9721e25c738af543d921d5fa4ce2b

SHA512
1bfe672e2b696630f267e0dbfaf70bc54992f1491df4276df1bf66c7801b60d7fe573ab38865dc24b5760cd9266e205ad456ba9f3e381645cd13ef778ec451fd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tP28dB4.exe

Filesize
1.1MB

MD5
318ad21e34e07b81e1464df6f292f75a

SHA1
179670bb71aa85c83e8e509a4319323247dde395

SHA256
0b60f938a86268d719ddce6036a9f06764025d2460fe9870e47496ac3bbb8ebe

SHA512
60f460421473366d1c4970af3b41783c779ee26b301e5b7d796e76482f8b3accdf8ae87ea81a2053d1c075dbc58815c6a3a569c14c2ee0a48c36b434ae3dbf89

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tP28dB4.exe

Filesize
1.1MB

MD5
318ad21e34e07b81e1464df6f292f75a

SHA1
179670bb71aa85c83e8e509a4319323247dde395

SHA256
0b60f938a86268d719ddce6036a9f06764025d2460fe9870e47496ac3bbb8ebe

SHA512
60f460421473366d1c4970af3b41783c779ee26b301e5b7d796e76482f8b3accdf8ae87ea81a2053d1c075dbc58815c6a3a569c14c2ee0a48c36b434ae3dbf89

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tP28dB4.exe

Filesize
1.1MB

MD5
318ad21e34e07b81e1464df6f292f75a

SHA1
179670bb71aa85c83e8e509a4319323247dde395

SHA256
0b60f938a86268d719ddce6036a9f06764025d2460fe9870e47496ac3bbb8ebe

SHA512
60f460421473366d1c4970af3b41783c779ee26b301e5b7d796e76482f8b3accdf8ae87ea81a2053d1c075dbc58815c6a3a569c14c2ee0a48c36b434ae3dbf89

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tP28dB4.exe

Filesize
1.1MB

MD5
318ad21e34e07b81e1464df6f292f75a

SHA1
179670bb71aa85c83e8e509a4319323247dde395

SHA256
0b60f938a86268d719ddce6036a9f06764025d2460fe9870e47496ac3bbb8ebe

SHA512
60f460421473366d1c4970af3b41783c779ee26b301e5b7d796e76482f8b3accdf8ae87ea81a2053d1c075dbc58815c6a3a569c14c2ee0a48c36b434ae3dbf89

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tP28dB4.exe

Filesize
1.1MB

MD5
318ad21e34e07b81e1464df6f292f75a

SHA1
179670bb71aa85c83e8e509a4319323247dde395

SHA256
0b60f938a86268d719ddce6036a9f06764025d2460fe9870e47496ac3bbb8ebe

SHA512
60f460421473366d1c4970af3b41783c779ee26b301e5b7d796e76482f8b3accdf8ae87ea81a2053d1c075dbc58815c6a3a569c14c2ee0a48c36b434ae3dbf89

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tP28dB4.exe

Filesize
1.1MB

MD5
318ad21e34e07b81e1464df6f292f75a

SHA1
179670bb71aa85c83e8e509a4319323247dde395

SHA256
0b60f938a86268d719ddce6036a9f06764025d2460fe9870e47496ac3bbb8ebe

SHA512
60f460421473366d1c4970af3b41783c779ee26b301e5b7d796e76482f8b3accdf8ae87ea81a2053d1c075dbc58815c6a3a569c14c2ee0a48c36b434ae3dbf89

Download Submit
memory/2708-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-29-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads