d039337b842946164baaa4587305b08298ffd3a2546b028b296db5206b1fdc9e

Analysis

max time kernel
125s
max time network
132s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2023, 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d039337b842946164baaa4587305b08298ffd3a2546b028b296db5206b1fdc9e.exe
Size

1.5MB
MD5

27bb545985f2487a3fc093709a74cbc6
SHA1

08a2d7365831fbabb18e470583a3d2e71006cdb2
SHA256

d039337b842946164baaa4587305b08298ffd3a2546b028b296db5206b1fdc9e
SHA512

44dfa8b1138373bab7291ef98faef0ba4b55522f4bc0473e9c8f722d696ee3d900da9eb364a6627641e6a9d8d332d3e4a72803bc64030ef7ce3b6f812ad5ff64
SSDEEP

24576:1yDF7AYqXj1xK+Y3hulWaeNLNNXzMNZ8uhmvT9qVaEkYtBkHn1vGLWKog0AynD:QDF7AdXj11Y3iElDjiZ8ugv5qHkeBQ19

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
816	cn6Xu7pw.exe
2656	Eu0oP8lO.exe
3544	gd5SG5kf.exe
4080	ri5Bi2Jh.exe
3532	1bg26Lz6.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d039337b842946164baaa4587305b08298ffd3a2546b028b296db5206b1fdc9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cn6Xu7pw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Eu0oP8lO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	gd5SG5kf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ri5Bi2Jh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3532 set thread context of 4268	3532	1bg26Lz6.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4796	3532	WerFault.exe	75
4792	4268	WerFault.exe	76

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 816	3664	d039337b842946164baaa4587305b08298ffd3a2546b028b296db5206b1fdc9e.exe	71
PID 3664 wrote to memory of 816	3664	d039337b842946164baaa4587305b08298ffd3a2546b028b296db5206b1fdc9e.exe	71
PID 3664 wrote to memory of 816	3664	d039337b842946164baaa4587305b08298ffd3a2546b028b296db5206b1fdc9e.exe	71
PID 816 wrote to memory of 2656	816	cn6Xu7pw.exe	72
PID 816 wrote to memory of 2656	816	cn6Xu7pw.exe	72
PID 816 wrote to memory of 2656	816	cn6Xu7pw.exe	72
PID 2656 wrote to memory of 3544	2656	Eu0oP8lO.exe	73
PID 2656 wrote to memory of 3544	2656	Eu0oP8lO.exe	73
PID 2656 wrote to memory of 3544	2656	Eu0oP8lO.exe	73
PID 3544 wrote to memory of 4080	3544	gd5SG5kf.exe	74
PID 3544 wrote to memory of 4080	3544	gd5SG5kf.exe	74
PID 3544 wrote to memory of 4080	3544	gd5SG5kf.exe	74
PID 4080 wrote to memory of 3532	4080	ri5Bi2Jh.exe	75
PID 4080 wrote to memory of 3532	4080	ri5Bi2Jh.exe	75
PID 4080 wrote to memory of 3532	4080	ri5Bi2Jh.exe	75
PID 3532 wrote to memory of 4268	3532	1bg26Lz6.exe	76
PID 3532 wrote to memory of 4268	3532	1bg26Lz6.exe	76
PID 3532 wrote to memory of 4268	3532	1bg26Lz6.exe	76
PID 3532 wrote to memory of 4268	3532	1bg26Lz6.exe	76
PID 3532 wrote to memory of 4268	3532	1bg26Lz6.exe	76
PID 3532 wrote to memory of 4268	3532	1bg26Lz6.exe	76
PID 3532 wrote to memory of 4268	3532	1bg26Lz6.exe	76
PID 3532 wrote to memory of 4268	3532	1bg26Lz6.exe	76
PID 3532 wrote to memory of 4268	3532	1bg26Lz6.exe	76
PID 3532 wrote to memory of 4268	3532	1bg26Lz6.exe	76

C:\Users\Admin\AppData\Local\Temp\d039337b842946164baaa4587305b08298ffd3a2546b028b296db5206b1fdc9e.exe
"C:\Users\Admin\AppData\Local\Temp\d039337b842946164baaa4587305b08298ffd3a2546b028b296db5206b1fdc9e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cn6Xu7pw.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cn6Xu7pw.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Eu0oP8lO.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Eu0oP8lO.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gd5SG5kf.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gd5SG5kf.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3544
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ri5Bi2Jh.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ri5Bi2Jh.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4080
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bg26Lz6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bg26Lz6.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 568
        8⤵
        Program crash
        
        PID:4792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 600
        7⤵
        Program crash
        
        PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cn6Xu7pw.exe

Filesize
1.3MB

MD5
05f9352ab74d4b5322f5b74874efcee5

SHA1
1bb97f489a8e0b2dcf77c0a52848e528bb8ffdac

SHA256
2acaa4f8c6f066be5312e5e8646ec2e7528dccafd84af223f83c36f222f25888

SHA512
6e1d4365932b559f03653cd60408e6cbf6a0dc87771d73eccd52dd8fd26a576314dabde3f1ec592b320d9de871a9aeeabccb07201aba546d15af23cd247867df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cn6Xu7pw.exe

Filesize
1.3MB

MD5
05f9352ab74d4b5322f5b74874efcee5

SHA1
1bb97f489a8e0b2dcf77c0a52848e528bb8ffdac

SHA256
2acaa4f8c6f066be5312e5e8646ec2e7528dccafd84af223f83c36f222f25888

SHA512
6e1d4365932b559f03653cd60408e6cbf6a0dc87771d73eccd52dd8fd26a576314dabde3f1ec592b320d9de871a9aeeabccb07201aba546d15af23cd247867df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Eu0oP8lO.exe

Filesize
1.2MB

MD5
29f7d2c84898c145a12b8e616e38b7e8

SHA1
184dacd1fe19989c5983e1aebbfdc8ecda55edd4

SHA256
4cbcf0c5c29d0510e9fd03b98cedf45dc2219d5ead025c4b7a82cb80dc82b6f2

SHA512
8771058dd88f831e32003375084af4ca49e10227c7d02a5948688e9caed0d74bd33bff63142e55d8a1c93e1c687265a90602a85d0883dca3c2ac0200821406fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Eu0oP8lO.exe

Filesize
1.2MB

MD5
29f7d2c84898c145a12b8e616e38b7e8

SHA1
184dacd1fe19989c5983e1aebbfdc8ecda55edd4

SHA256
4cbcf0c5c29d0510e9fd03b98cedf45dc2219d5ead025c4b7a82cb80dc82b6f2

SHA512
8771058dd88f831e32003375084af4ca49e10227c7d02a5948688e9caed0d74bd33bff63142e55d8a1c93e1c687265a90602a85d0883dca3c2ac0200821406fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gd5SG5kf.exe

Filesize
768KB

MD5
89d862c0f155f4a0e2622e8d9755c43d

SHA1
56de34061f15e3dcf716db7d15598e616c42347c

SHA256
dd1ab753446cce836421493518f9644070c55399e2dc0016f09fd41aa3d0c51d

SHA512
a2a3b33324b6a61b7e4cc4eff70a669ed6e186d01c7f1cc48e78f3217a36edb9e0edeca5662e5a4bd5388c88f532b4ff840d94908409c8c30123cf7bddae0e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gd5SG5kf.exe

Filesize
768KB

MD5
89d862c0f155f4a0e2622e8d9755c43d

SHA1
56de34061f15e3dcf716db7d15598e616c42347c

SHA256
dd1ab753446cce836421493518f9644070c55399e2dc0016f09fd41aa3d0c51d

SHA512
a2a3b33324b6a61b7e4cc4eff70a669ed6e186d01c7f1cc48e78f3217a36edb9e0edeca5662e5a4bd5388c88f532b4ff840d94908409c8c30123cf7bddae0e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ri5Bi2Jh.exe

Filesize
573KB

MD5
eb647ecae9db320973b09f121149c67e

SHA1
41f8d8f982db3a57274a868400282f6eadddc77b

SHA256
b5eff3b4aea58d17a57fd86139bd2289543b9790e21b07bfab8941bea0f72802

SHA512
c06dfe647599e64171de473e0f1b9f23d6977254fca59bd66c6e5a4b5a35162fb1ea64feb07dde1aabb46a967016bf4e77edcc218191e7032d2dca08a7490693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ri5Bi2Jh.exe

Filesize
573KB

MD5
eb647ecae9db320973b09f121149c67e

SHA1
41f8d8f982db3a57274a868400282f6eadddc77b

SHA256
b5eff3b4aea58d17a57fd86139bd2289543b9790e21b07bfab8941bea0f72802

SHA512
c06dfe647599e64171de473e0f1b9f23d6977254fca59bd66c6e5a4b5a35162fb1ea64feb07dde1aabb46a967016bf4e77edcc218191e7032d2dca08a7490693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bg26Lz6.exe

Filesize
1.1MB

MD5
fa8086e5c4093b34fedb63edc80417c3

SHA1
021c774b07509895d517a11d913732b0c57e5ead

SHA256
5e0fdbe7e4140e50377a629be8728adb738caa9bb5c46cbd8ce105d96d40323c

SHA512
b61f94eb64267bff2ee5bb00ddd9cd656b6a5165f77903299e194f00051f2d0a4bf93f8bd191a3608dd5cf7ae1beeb173c75508eb01cec611bd586c6bb42ffdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bg26Lz6.exe

Filesize
1.1MB

MD5
fa8086e5c4093b34fedb63edc80417c3

SHA1
021c774b07509895d517a11d913732b0c57e5ead

SHA256
5e0fdbe7e4140e50377a629be8728adb738caa9bb5c46cbd8ce105d96d40323c

SHA512
b61f94eb64267bff2ee5bb00ddd9cd656b6a5165f77903299e194f00051f2d0a4bf93f8bd191a3608dd5cf7ae1beeb173c75508eb01cec611bd586c6bb42ffdc

Download Submit
memory/4268-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads