d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
14/11/2023, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe
Size

6.5MB
MD5

70122224b1c86d872233c6ca0b690fe5
SHA1

e682b4037538ef9eb3e9b7fbabf94a6856de0620
SHA256

d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7
SHA512

fc7b8542554bd0b2cdd19d24fe5a22d3407ac06068ba22621d0f38be0b6d628e7250d6bef8bdebdb38ac81934059bd5fd6ea359361596b7133c7aece05260d4d
SSDEEP

98304:GbHBJM8U9VfiDqJw59FBSD3Xv7A7rNJQeKBddwWLObUChI78n+S73j3q1:GbHBi86Vq+Jw5/O07jJid7kIC+qbq1

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2400	LC_IP4~1.EXE
2780	LC_IP4~1.EXE
2696	LC_Ip4B.exe
2688	is171190.exe

Loads dropped DLL 11 IoCs

pid	Process
2172	d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe
2172	d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe
2400	LC_IP4~1.EXE
2400	LC_IP4~1.EXE
2780	LC_IP4~1.EXE
2780	LC_IP4~1.EXE
2696	LC_Ip4B.exe
2696	LC_Ip4B.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	LC_Ip4B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	LC_IP4~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	LC_IP4~1.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2196	2688	WerFault.exe	31

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2400	2172	d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe	28
PID 2172 wrote to memory of 2400	2172	d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe	28
PID 2172 wrote to memory of 2400	2172	d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe	28
PID 2172 wrote to memory of 2400	2172	d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe	28
PID 2400 wrote to memory of 2780	2400	LC_IP4~1.EXE	29
PID 2400 wrote to memory of 2780	2400	LC_IP4~1.EXE	29
PID 2400 wrote to memory of 2780	2400	LC_IP4~1.EXE	29
PID 2400 wrote to memory of 2780	2400	LC_IP4~1.EXE	29
PID 2780 wrote to memory of 2696	2780	LC_IP4~1.EXE	30
PID 2780 wrote to memory of 2696	2780	LC_IP4~1.EXE	30
PID 2780 wrote to memory of 2696	2780	LC_IP4~1.EXE	30
PID 2780 wrote to memory of 2696	2780	LC_IP4~1.EXE	30
PID 2696 wrote to memory of 2688	2696	LC_Ip4B.exe	31
PID 2696 wrote to memory of 2688	2696	LC_Ip4B.exe	31
PID 2696 wrote to memory of 2688	2696	LC_Ip4B.exe	31
PID 2696 wrote to memory of 2688	2696	LC_Ip4B.exe	31
PID 2688 wrote to memory of 2196	2688	is171190.exe	32
PID 2688 wrote to memory of 2196	2688	is171190.exe	32
PID 2688 wrote to memory of 2196	2688	is171190.exe	32
PID 2688 wrote to memory of 2196	2688	is171190.exe	32

C:\Users\Admin\AppData\Local\Temp\d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe
"C:\Users\Admin\AppData\Local\Temp\d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC_IP4~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC_IP4~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC_IP4~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC_IP4~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LC_Ip4B.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LC_Ip4B.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\is171190.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\is171190.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 104
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC_IP4~1.EXE

Filesize
6.2MB

MD5
14b230502ed188d8f01a8cc900558809

SHA1
e38ff71881b1f01a17fb85e4df372d163f352dea

SHA256
e10e652b82af328350e830e4fb5160a25866aff99c32fff273d3b427f5c88ef1

SHA512
ea0b94ee54b6c682ad61f9754297e1fbdd6030c2f8636c15e4b47c48d0d25ba1fffbdaf5fec784705a5848fead0faa997a9d6f4be46f1f8ee56492e7541a8b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC_IP4~1.EXE

Filesize
6.2MB

MD5
14b230502ed188d8f01a8cc900558809

SHA1
e38ff71881b1f01a17fb85e4df372d163f352dea

SHA256
e10e652b82af328350e830e4fb5160a25866aff99c32fff273d3b427f5c88ef1

SHA512
ea0b94ee54b6c682ad61f9754297e1fbdd6030c2f8636c15e4b47c48d0d25ba1fffbdaf5fec784705a5848fead0faa997a9d6f4be46f1f8ee56492e7541a8b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC_IP4~1.EXE

Filesize
206KB

MD5
f1e913d6f814635d49d964a03ecabf20

SHA1
fd798d3f8dd629160735142b54849e13d527484b

SHA256
f58d736e3254d4e72a123f3dd88d624eb9a478facd63d811e6b4caf0b06f4d20

SHA512
87400c9f43fdd76806042ed044b3e4c5dd6828dad9dfdd286a9eb49d3a7721d6086f399e828d85b55783ab80f3f0c18128efb2e1879ee52b3fdc7ce7ae5c23c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC_IP4~1.EXE

Filesize
206KB

MD5
f1e913d6f814635d49d964a03ecabf20

SHA1
fd798d3f8dd629160735142b54849e13d527484b

SHA256
f58d736e3254d4e72a123f3dd88d624eb9a478facd63d811e6b4caf0b06f4d20

SHA512
87400c9f43fdd76806042ed044b3e4c5dd6828dad9dfdd286a9eb49d3a7721d6086f399e828d85b55783ab80f3f0c18128efb2e1879ee52b3fdc7ce7ae5c23c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LC_Ip4B.exe

Filesize
153KB

MD5
4640327103deaaf70155f65cfdc3600f

SHA1
fd74dac1f8d04c89ad16d7f8bc6e6d4a601e0c9f

SHA256
c34861fbbd79c2fe10b7f0e48c50b442a8965faa6640ba11236fbe651009f9ae

SHA512
8cbd173f91734fcab16999607f72f50e383418264fca81815f802a9fc2aa90eff9df1b5a2569203ded802ab895f0cbdc7b4f262a78aa223003ad238bb1d7b161

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LC_Ip4B.exe

Filesize
153KB

MD5
4640327103deaaf70155f65cfdc3600f

SHA1
fd74dac1f8d04c89ad16d7f8bc6e6d4a601e0c9f

SHA256
c34861fbbd79c2fe10b7f0e48c50b442a8965faa6640ba11236fbe651009f9ae

SHA512
8cbd173f91734fcab16999607f72f50e383418264fca81815f802a9fc2aa90eff9df1b5a2569203ded802ab895f0cbdc7b4f262a78aa223003ad238bb1d7b161

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\is171190.exe

Filesize
44KB

MD5
6329af3086e3ac42ce02ab26796bc8ff

SHA1
9b3172ae0ab4f1402fbdee431f116aeaf8a06639

SHA256
c62cd9f405cbf8be071dff6ae08ea4adf27a2819f20ac7d30c08270b532c239c

SHA512
b20064ef8f8288d0563d8395d947911db434eb76aaafb8ce233af3465bc037996056c222c829944686aca404772708f1e0bf3e5dc284bf17a48a030a36a82ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\is171190.exe

Filesize
44KB

MD5
6329af3086e3ac42ce02ab26796bc8ff

SHA1
9b3172ae0ab4f1402fbdee431f116aeaf8a06639

SHA256
c62cd9f405cbf8be071dff6ae08ea4adf27a2819f20ac7d30c08270b532c239c

SHA512
b20064ef8f8288d0563d8395d947911db434eb76aaafb8ce233af3465bc037996056c222c829944686aca404772708f1e0bf3e5dc284bf17a48a030a36a82ac2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC_IP4~1.EXE

Filesize
6.2MB

MD5
14b230502ed188d8f01a8cc900558809

SHA1
e38ff71881b1f01a17fb85e4df372d163f352dea

SHA256
e10e652b82af328350e830e4fb5160a25866aff99c32fff273d3b427f5c88ef1

SHA512
ea0b94ee54b6c682ad61f9754297e1fbdd6030c2f8636c15e4b47c48d0d25ba1fffbdaf5fec784705a5848fead0faa997a9d6f4be46f1f8ee56492e7541a8b6f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC_IP4~1.EXE

Filesize
6.2MB

MD5
14b230502ed188d8f01a8cc900558809

SHA1
e38ff71881b1f01a17fb85e4df372d163f352dea

SHA256
e10e652b82af328350e830e4fb5160a25866aff99c32fff273d3b427f5c88ef1

SHA512
ea0b94ee54b6c682ad61f9754297e1fbdd6030c2f8636c15e4b47c48d0d25ba1fffbdaf5fec784705a5848fead0faa997a9d6f4be46f1f8ee56492e7541a8b6f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC_IP4~1.EXE

Filesize
206KB

MD5
f1e913d6f814635d49d964a03ecabf20

SHA1
fd798d3f8dd629160735142b54849e13d527484b

SHA256
f58d736e3254d4e72a123f3dd88d624eb9a478facd63d811e6b4caf0b06f4d20

SHA512
87400c9f43fdd76806042ed044b3e4c5dd6828dad9dfdd286a9eb49d3a7721d6086f399e828d85b55783ab80f3f0c18128efb2e1879ee52b3fdc7ce7ae5c23c7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC_IP4~1.EXE

Filesize
206KB

MD5
f1e913d6f814635d49d964a03ecabf20

SHA1
fd798d3f8dd629160735142b54849e13d527484b

SHA256
f58d736e3254d4e72a123f3dd88d624eb9a478facd63d811e6b4caf0b06f4d20

SHA512
87400c9f43fdd76806042ed044b3e4c5dd6828dad9dfdd286a9eb49d3a7721d6086f399e828d85b55783ab80f3f0c18128efb2e1879ee52b3fdc7ce7ae5c23c7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\LC_Ip4B.exe

Filesize
153KB

MD5
4640327103deaaf70155f65cfdc3600f

SHA1
fd74dac1f8d04c89ad16d7f8bc6e6d4a601e0c9f

SHA256
c34861fbbd79c2fe10b7f0e48c50b442a8965faa6640ba11236fbe651009f9ae

SHA512
8cbd173f91734fcab16999607f72f50e383418264fca81815f802a9fc2aa90eff9df1b5a2569203ded802ab895f0cbdc7b4f262a78aa223003ad238bb1d7b161

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\LC_Ip4B.exe

Filesize
153KB

MD5
4640327103deaaf70155f65cfdc3600f

SHA1
fd74dac1f8d04c89ad16d7f8bc6e6d4a601e0c9f

SHA256
c34861fbbd79c2fe10b7f0e48c50b442a8965faa6640ba11236fbe651009f9ae

SHA512
8cbd173f91734fcab16999607f72f50e383418264fca81815f802a9fc2aa90eff9df1b5a2569203ded802ab895f0cbdc7b4f262a78aa223003ad238bb1d7b161

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\is171190.exe

Filesize
44KB

MD5
6329af3086e3ac42ce02ab26796bc8ff

SHA1
9b3172ae0ab4f1402fbdee431f116aeaf8a06639

SHA256
c62cd9f405cbf8be071dff6ae08ea4adf27a2819f20ac7d30c08270b532c239c

SHA512
b20064ef8f8288d0563d8395d947911db434eb76aaafb8ce233af3465bc037996056c222c829944686aca404772708f1e0bf3e5dc284bf17a48a030a36a82ac2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\is171190.exe

Filesize
44KB

MD5
6329af3086e3ac42ce02ab26796bc8ff

SHA1
9b3172ae0ab4f1402fbdee431f116aeaf8a06639

SHA256
c62cd9f405cbf8be071dff6ae08ea4adf27a2819f20ac7d30c08270b532c239c

SHA512
b20064ef8f8288d0563d8395d947911db434eb76aaafb8ce233af3465bc037996056c222c829944686aca404772708f1e0bf3e5dc284bf17a48a030a36a82ac2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\is171190.exe

Filesize
44KB

MD5
6329af3086e3ac42ce02ab26796bc8ff

SHA1
9b3172ae0ab4f1402fbdee431f116aeaf8a06639

SHA256
c62cd9f405cbf8be071dff6ae08ea4adf27a2819f20ac7d30c08270b532c239c

SHA512
b20064ef8f8288d0563d8395d947911db434eb76aaafb8ce233af3465bc037996056c222c829944686aca404772708f1e0bf3e5dc284bf17a48a030a36a82ac2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\is171190.exe

Filesize
44KB

MD5
6329af3086e3ac42ce02ab26796bc8ff

SHA1
9b3172ae0ab4f1402fbdee431f116aeaf8a06639

SHA256
c62cd9f405cbf8be071dff6ae08ea4adf27a2819f20ac7d30c08270b532c239c

SHA512
b20064ef8f8288d0563d8395d947911db434eb76aaafb8ce233af3465bc037996056c222c829944686aca404772708f1e0bf3e5dc284bf17a48a030a36a82ac2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\is171190.exe

Filesize
44KB

MD5
6329af3086e3ac42ce02ab26796bc8ff

SHA1
9b3172ae0ab4f1402fbdee431f116aeaf8a06639

SHA256
c62cd9f405cbf8be071dff6ae08ea4adf27a2819f20ac7d30c08270b532c239c

SHA512
b20064ef8f8288d0563d8395d947911db434eb76aaafb8ce233af3465bc037996056c222c829944686aca404772708f1e0bf3e5dc284bf17a48a030a36a82ac2

Download Submit
memory/2688-45-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2688-49-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2696-43-0x0000000000300000-0x0000000000315000-memory.dmp

Filesize
84KB

Download
memory/2696-50-0x0000000000300000-0x0000000000315000-memory.dmp

Filesize
84KB

Download
memory/2696-52-0x0000000000300000-0x0000000000315000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads