3a8608d16004e8b8b7f90692cc291c3ee0ffd7bee5b2e72ba67c9a5f6cee8d36

General

Target

INTERV~1.exe
Size

393KB
MD5

865bfe30edc6e6802536b5a0954a92e7
SHA1

c302402e8c5a4fd65218884cbd653953a2367d27
SHA256

7f5386e1ae6b9ff3b0557ab4c29231e53839e9be3701a5e803ab666ea3eea46a
SHA512

97ed8970864f3d96ea7e19610c41496e354faaebd4e766f21412baad068cf19f09c9a32b00be51e12ed66b09156df8b173524952fcd5b9c095779dadfd91f490
SSDEEP

6144:njbeiPYYzbsQl4zCO5me1CDSf1yDzaLWEZgwn2y1bbcvS5KMiGc+icm:nuSYYzbsQl4zJr1yDzc/gwN1nc65qc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2148	file.exe
2872	INTERV~1.EXE
1608	file.exe
1652	keygen3.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000002320a-19.dat	upx
behavioral2/memory/1608-18-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/1608-20-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/1608-22-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	INTERV~1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	INTERV~1.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4548	2148	WerFault.exe	89

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1608	file.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2148	816	INTERV~1.exe	89
PID 816 wrote to memory of 2148	816	INTERV~1.exe	89
PID 816 wrote to memory of 2148	816	INTERV~1.exe	89
PID 816 wrote to memory of 2872	816	INTERV~1.exe	96
PID 816 wrote to memory of 2872	816	INTERV~1.exe	96
PID 816 wrote to memory of 2872	816	INTERV~1.exe	96
PID 2872 wrote to memory of 1608	2872	INTERV~1.EXE	97
PID 2872 wrote to memory of 1608	2872	INTERV~1.EXE	97
PID 2872 wrote to memory of 1608	2872	INTERV~1.EXE	97
PID 2872 wrote to memory of 1652	2872	INTERV~1.EXE	107
PID 2872 wrote to memory of 1652	2872	INTERV~1.EXE	107
PID 2872 wrote to memory of 1652	2872	INTERV~1.EXE	107

C:\Users\Admin\AppData\Local\Temp\INTERV~1.exe
"C:\Users\Admin\AppData\Local\Temp\INTERV~1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\file.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\file.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 544
    3⤵
    - Program crash
    PID:4548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INTERV~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INTERV~1.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\file.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\file.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1608
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\keygen3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\keygen3.exe
    3⤵
    - Executes dropped EXE
    PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2148 -ip 2148
1⤵
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INTERV~1.EXE

Filesize
282KB

MD5
84e2ead44042e2585f1554b533dbffb6

SHA1
69f5eb79824a5206b50a2cc5e2cafbde37d3d4ca

SHA256
3774127b3880ef063a979ad1becd02ebac1618250a4fe4e3869fa067ff93d191

SHA512
c3a949b7411fbb9c4b6e9f0b898b418555bb68d092a3fe50dd614969c46fc3483d2508f9257d0b11ad99ed9138fca1ec4e07dd3313c5cec77ed2ad5204c93fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\file.exe

Filesize
91KB

MD5
9ea2d09fa6839e0191a465aea0ecace2

SHA1
91991e5f330f567265448698c3cd3b667fa6e606

SHA256
84930ae7e2164cc9b321ea4fca5a447d6445aa92a7d1db51cc866dfd8024f031

SHA512
05dfbd00bb3b26b526c6870c015edbca79a5c8425bc28344aa5afaedd40921c169c4c1c325e0c82d9e80afe905a36dfeba61b833c44914c69d39e7a9b45171b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\file.exe

Filesize
8KB

MD5
d875e96772215dd6c64d3223ab8d6e35

SHA1
3c1aab40ae2b80643cf936fddaa88450bcc73a75

SHA256
f4f2d274cb77799c51b33f72d76bd0ad82658078777e07c2c946ee35cb1c6b59

SHA512
65b1a53b81d44ef214ed14fa08b897ce647a01fbd70357edb228cdb1bd526111d1a1f138f7a561f4baa9721b6d2ca943ce5f8f6380b3763e417c57d860b09a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\keygen3.exe

Filesize
652KB

MD5
e09f548b37ac0696210d943bd54f2b24

SHA1
f908b1c987a281a2f9f51e125a5fde7de22f8dbc

SHA256
32089cd0311a815f828653587818a8441b90c4d5a31775549ca02b387d1ab42d

SHA512
7248ec8ee52638b66e02ab59de42983ccf0990f45f3d0f0b2fb6b58cb4ee43dcd4348e878c01645f4441327631a05876bdc6f1f4c04e2a3085a6522a6769c17f

Download Submit
memory/1608-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1608-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1608-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2148-7-0x0000000000400000-0x000000000041846E-memory.dmp

Filesize
97KB

Download
memory/2148-8-0x0000000001E70000-0x0000000001F47000-memory.dmp

Filesize
860KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads