ac6b28cb0fa0fd1e0e5e4398b853842d7a2629a2f117a2eb0b70c1bdc9bca235

General

Target

XC5me1Dl.exe
Size

763KB
MD5

971d5e49d9713273073628de4343a109
SHA1

7425592dc829a4013fd85329b7d5e589fb6e6fe3
SHA256

ac6b28cb0fa0fd1e0e5e4398b853842d7a2629a2f117a2eb0b70c1bdc9bca235
SHA512

1b4084dd98a5ae55a59aaf80bc486aabd8bb53e3832ca402ed0aeb9fb1b1313aa2c2e6a893e293c9851ad3f8e7c5e61ac90231b79c9e2eb9883872efdca947db
SSDEEP

12288:pMrky90ZbTJhWrBMZraubTqiLUxCLE3mepmOCT28XFS3IZ0m2PZHpaxjzWds:tyQvWr6ZxTqiLUMLE38h6k7qZgBWm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1544	wG3Fc0pp.exe
1568	1tP28dB4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	wG3Fc0pp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	XC5me1Dl.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1568 set thread context of 2708	1568	1tP28dB4.exe	73

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1840	1568	WerFault.exe	72
4696	2708	WerFault.exe	73

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 1544	3080	XC5me1Dl.exe	71
PID 3080 wrote to memory of 1544	3080	XC5me1Dl.exe	71
PID 3080 wrote to memory of 1544	3080	XC5me1Dl.exe	71
PID 1544 wrote to memory of 1568	1544	wG3Fc0pp.exe	72
PID 1544 wrote to memory of 1568	1544	wG3Fc0pp.exe	72
PID 1544 wrote to memory of 1568	1544	wG3Fc0pp.exe	72
PID 1568 wrote to memory of 2708	1568	1tP28dB4.exe	73
PID 1568 wrote to memory of 2708	1568	1tP28dB4.exe	73
PID 1568 wrote to memory of 2708	1568	1tP28dB4.exe	73
PID 1568 wrote to memory of 2708	1568	1tP28dB4.exe	73
PID 1568 wrote to memory of 2708	1568	1tP28dB4.exe	73
PID 1568 wrote to memory of 2708	1568	1tP28dB4.exe	73
PID 1568 wrote to memory of 2708	1568	1tP28dB4.exe	73
PID 1568 wrote to memory of 2708	1568	1tP28dB4.exe	73
PID 1568 wrote to memory of 2708	1568	1tP28dB4.exe	73
PID 1568 wrote to memory of 2708	1568	1tP28dB4.exe	73

C:\Users\Admin\AppData\Local\Temp\XC5me1Dl.exe
"C:\Users\Admin\AppData\Local\Temp\XC5me1Dl.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wG3Fc0pp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wG3Fc0pp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tP28dB4.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tP28dB4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 568
        5⤵
        Program crash
        
        PID:4696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 584
      4⤵
      Program crash
      PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wG3Fc0pp.exe

Filesize
566KB

MD5
6ffabe70d158124b5df14b4f2ae34ccf

SHA1
0c790e5f68ca43a30e210df6d4e44d8352fde4cd

SHA256
8d6a6590a1bb92577586da082e9af3f81ec9721e25c738af543d921d5fa4ce2b

SHA512
1bfe672e2b696630f267e0dbfaf70bc54992f1491df4276df1bf66c7801b60d7fe573ab38865dc24b5760cd9266e205ad456ba9f3e381645cd13ef778ec451fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wG3Fc0pp.exe

Filesize
566KB

MD5
6ffabe70d158124b5df14b4f2ae34ccf

SHA1
0c790e5f68ca43a30e210df6d4e44d8352fde4cd

SHA256
8d6a6590a1bb92577586da082e9af3f81ec9721e25c738af543d921d5fa4ce2b

SHA512
1bfe672e2b696630f267e0dbfaf70bc54992f1491df4276df1bf66c7801b60d7fe573ab38865dc24b5760cd9266e205ad456ba9f3e381645cd13ef778ec451fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tP28dB4.exe

Filesize
1.1MB

MD5
318ad21e34e07b81e1464df6f292f75a

SHA1
179670bb71aa85c83e8e509a4319323247dde395

SHA256
0b60f938a86268d719ddce6036a9f06764025d2460fe9870e47496ac3bbb8ebe

SHA512
60f460421473366d1c4970af3b41783c779ee26b301e5b7d796e76482f8b3accdf8ae87ea81a2053d1c075dbc58815c6a3a569c14c2ee0a48c36b434ae3dbf89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tP28dB4.exe

Filesize
1.1MB

MD5
318ad21e34e07b81e1464df6f292f75a

SHA1
179670bb71aa85c83e8e509a4319323247dde395

SHA256
0b60f938a86268d719ddce6036a9f06764025d2460fe9870e47496ac3bbb8ebe

SHA512
60f460421473366d1c4970af3b41783c779ee26b301e5b7d796e76482f8b3accdf8ae87ea81a2053d1c075dbc58815c6a3a569c14c2ee0a48c36b434ae3dbf89

Download Submit
memory/2708-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads