d483d5f6e47ddb2b45841f4dc4f9cd758b99876afac85e4ed1a9bf0b16b19aa0

General

Target

43b603fdf279f8a4e4452e7ad280affa.exe
Size

726KB
MD5

43b603fdf279f8a4e4452e7ad280affa
SHA1

75dcdbbfe881342a98336da25bbf2e25f3e9ecef
SHA256

d483d5f6e47ddb2b45841f4dc4f9cd758b99876afac85e4ed1a9bf0b16b19aa0
SHA512

c80905da4d2875f972e1c72e84f48f88ae7735c091b98887ea370f40c6a042f2b5b28188744449e0f447c4eb15b7ff82160f7d255ca06b816814019e4240a21f
SSDEEP

12288:IPBFQQpwv38hx2M4f6qcOmBR7v5RPMNtOZbpgzDqF3Z4mxxLDqVTVOCW:IPBFQQpwvY926qDEzz++VUWQmXCVTzW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2408	4.exe

Loads dropped DLL 5 IoCs

pid	Process
3068	43b603fdf279f8a4e4452e7ad280affa.exe
3068	43b603fdf279f8a4e4452e7ad280affa.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	43b603fdf279f8a4e4452e7ad280affa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2860	2408	WerFault.exe	27

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2408	3068	43b603fdf279f8a4e4452e7ad280affa.exe	27
PID 3068 wrote to memory of 2408	3068	43b603fdf279f8a4e4452e7ad280affa.exe	27
PID 3068 wrote to memory of 2408	3068	43b603fdf279f8a4e4452e7ad280affa.exe	27
PID 3068 wrote to memory of 2408	3068	43b603fdf279f8a4e4452e7ad280affa.exe	27
PID 2408 wrote to memory of 2860	2408	4.exe	28
PID 2408 wrote to memory of 2860	2408	4.exe	28
PID 2408 wrote to memory of 2860	2408	4.exe	28
PID 2408 wrote to memory of 2860	2408	4.exe	28

C:\Users\Admin\AppData\Local\Temp\43b603fdf279f8a4e4452e7ad280affa.exe
"C:\Users\Admin\AppData\Local\Temp\43b603fdf279f8a4e4452e7ad280affa.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
346KB

MD5
d8f82b437ec2622224c6771f67e2e652

SHA1
74a05f069f3458dcaded89004887de1658a96d27

SHA256
459cdec6b1724e54eb5783f71ee81eeed84a877ccb544663f6c84cf260ec8b68

SHA512
f05ae65a107d89d0b4541bddb27d3c5ebb234a7be55e860ffe25c8318c58a60376be9b8baee390d5a4ab1663ea9c770809a87ffc367620087b937476e33ece1c

Download Submit
memory/2408-47-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3068-20-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3068-3-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/3068-5-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/3068-4-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3068-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3068-6-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/3068-11-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/3068-8-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/3068-12-0x0000000003130000-0x0000000003133000-memory.dmp

Filesize
12KB

Download
memory/3068-14-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/3068-15-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/3068-13-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/3068-16-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/3068-17-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3068-18-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3068-19-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/3068-21-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/3068-1-0x0000000000730000-0x0000000000784000-memory.dmp

Filesize
336KB

Download
memory/3068-38-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/3068-24-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/3068-23-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/3068-26-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/3068-25-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3068-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3068-29-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/3068-35-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/3068-37-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/3068-36-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/3068-22-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3068-39-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/3068-40-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/3068-41-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3068-42-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/3068-0-0x0000000001000000-0x00000000010C8000-memory.dmp

Filesize
800KB

Download
memory/3068-46-0x0000000001000000-0x00000000010C8000-memory.dmp

Filesize
800KB

Download
memory/3068-48-0x0000000000730000-0x0000000000784000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads