c158f9e4a7bee17063b7139e956fe75164dfca2d4cf54ea4c298f1f80acbb064

Analysis

max time kernel
143s
max time network
131s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aaf23963fb5607ed0bf696a3e573cf3.exe
Size

644KB
MD5

1aaf23963fb5607ed0bf696a3e573cf3
SHA1

25ec84fd28cd06cd222bb447164a77f7f0c0b8f3
SHA256

c158f9e4a7bee17063b7139e956fe75164dfca2d4cf54ea4c298f1f80acbb064
SHA512

99254ba5527635533880d39a25dcc44484cc2a758064daebd1a95abb9324a10be05f80e255e9a68ff7ee72051e552e856053cbc999b6a54526f3f8fcfa546735
SSDEEP

12288:LdxaTKzvS2DhizjJYMUQPF3Z4mxxfgXp6m90qgr+EdRW:L9tIfJYEQmXfgXp6D+p

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2792	4_lh.exe

Loads dropped DLL 6 IoCs

pid	Process
3028	1aaf23963fb5607ed0bf696a3e573cf3.exe
3028	1aaf23963fb5607ed0bf696a3e573cf3.exe
2792	4_lh.exe
2800	WerFault.exe
2800	WerFault.exe
2800	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1aaf23963fb5607ed0bf696a3e573cf3.exe

Program crash 1 IoCs

pid	pid_target	Process
2800	2792	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2792	3028	1aaf23963fb5607ed0bf696a3e573cf3.exe	20
PID 3028 wrote to memory of 2792	3028	1aaf23963fb5607ed0bf696a3e573cf3.exe	20
PID 3028 wrote to memory of 2792	3028	1aaf23963fb5607ed0bf696a3e573cf3.exe	20
PID 3028 wrote to memory of 2792	3028	1aaf23963fb5607ed0bf696a3e573cf3.exe	20
PID 3028 wrote to memory of 2792	3028	1aaf23963fb5607ed0bf696a3e573cf3.exe	20
PID 3028 wrote to memory of 2792	3028	1aaf23963fb5607ed0bf696a3e573cf3.exe	20
PID 3028 wrote to memory of 2792	3028	1aaf23963fb5607ed0bf696a3e573cf3.exe	20
PID 2792 wrote to memory of 2800	2792	4_lh.exe	19
PID 2792 wrote to memory of 2800	2792	4_lh.exe	19
PID 2792 wrote to memory of 2800	2792	4_lh.exe	19
PID 2792 wrote to memory of 2800	2792	4_lh.exe	19
PID 2792 wrote to memory of 2800	2792	4_lh.exe	19
PID 2792 wrote to memory of 2800	2792	4_lh.exe	19
PID 2792 wrote to memory of 2800	2792	4_lh.exe	19

C:\Users\Admin\AppData\Local\Temp\1aaf23963fb5607ed0bf696a3e573cf3.exe
"C:\Users\Admin\AppData\Local\Temp\1aaf23963fb5607ed0bf696a3e573cf3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_lh.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_lh.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 268
1⤵
- Loads dropped DLL
- Program crash
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_lh.exe

Filesize
51KB

MD5
29e85a9260c76d2d61f8558cfaed4790

SHA1
8c1323ea5e9278794caa82e0e7b1c3f33251635d

SHA256
aaf4e0e5181e09c88af662973ba81259d70c15fd112325b7771d202b8506d89b

SHA512
3da70837a19ef8a46b07688fab60b297b2a749860dee16013df5830a85f11f5c6ffcb23350f316f03818036b4f0e60cac710c07adef9292aaf9d09a3603ce7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_lh.exe

Filesize
5KB

MD5
d7cc3e458c48e1aea59dc211626c936e

SHA1
35ecd39857b1b0e0a9ae77454fa858aae99f82df

SHA256
9e24932232ab16c661e4619f7edd8e264e75df560f2d4f054040fe9a3bba251a

SHA512
2b26c1d1d25f7dda4f882b7314d96e74905aa314a7bfbc3f1075b9d8ee5b863ca2ad285c5d399d2efcae85186a679a6107e56e0a19cbf72a653eb0e14424f2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_lh.exe

Filesize
24KB

MD5
3cb878bba2505160c1af3b515db850de

SHA1
7e2c7bb58c20f2a020db3e7446cce36ada181765

SHA256
fd214e998c4cdf105f319c4ba01ef4cf3144966b7c16f9b4ecb6124b1c608bd8

SHA512
06adf44d1913c3bb30e8c41ea4098b6dfe8be795b7ac460b6064004c018731e6f18c467fb243ab0231fe51b28facce3e3884dcbf5fba099b6b24f34efe06475f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_lh.exe

Filesize
8KB

MD5
418d348169700b6d659bf57359a79009

SHA1
f584274ccce90f5cb23b0e653074257647c46204

SHA256
c78feb28ed4ff65a894db475766374eb142476a8d90153f5d6561d34a5ee83bf

SHA512
69df8df85bc0ad97227e44c5463eb57658497045d33c99dfe6aeb2440c94d8ef075ce619c2efed20955467fc210049f481abc4ea926e2c1ff0030ac2bccdc39c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_lh.exe

Filesize
39KB

MD5
ae7d0a11248c6688102f011fc2f96d56

SHA1
d45ce303b520169584f8c10ed97c6866fd67e9f1

SHA256
d80a8f36bd7db1823c8ea7724adba82f9aa0204d91b621f5ee2dee03951c9226

SHA512
c4d30ae73f88984c7ff1c85c763e27fff47f00262d2f491bb165200cc53e3bd6d2b636ba4e51a1003c26aeebca72768b1ed68e186d3789d77e8675706d14af08

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_lh.exe

Filesize
52KB

MD5
a882207bc2580d9185005dc44a45e4a8

SHA1
50c6718e82dfe8651cdd4135eb8c1c48b5f2c77c

SHA256
86ebaff975038f5a11a278636d36274c702794c7a3c2261c1f2e9eda3604a611

SHA512
6cf04a34b3fc7a24b0ed73a7711ab5f3c85f275c4a1c94bdff7ea6744180cc7293b261ee85608dd74dfdebd78f5627ea42799afe3622c52d4a0b9430ba68ca61

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_lh.exe

Filesize
31KB

MD5
458b79dd0920c09cd829e0e319e72fb5

SHA1
23c508f08f4c748b91e2e738b4f424d3a3e6e81a

SHA256
4c82b5aad59a85d3d95aadfab33a5cb0d4e9b862b66d740742e4b104507a57a7

SHA512
c5e45747dbb36e01f2b51afc18e77d3c90377c2f1859d8adffe68e47021f338db410cb0ea67fbcd872a18ee84e73e19105324a4e215d640de792a22cb987e344

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_lh.exe

Filesize
37KB

MD5
143f40043535fddc3b4f36f309698b53

SHA1
f5a44756a49189605d455c6a6ea687f1ca011587

SHA256
026edbd1191d91f30a305b64c262b03e19c2c38afe0993845c9e1f44c3f751b2

SHA512
1118da2354adc061bf4c4af5626b77e4eecdb8c5f9ecbc152c3d83575a485f69efe604f28ed301c81d61619973652dac149abc703c61873db971430011517385

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_lh.exe

Filesize
41KB

MD5
8d91b9611a7bb1afae20ec5bb3bcf6ed

SHA1
262567c6291d48a04af39a6f1a1a02fd952a7b32

SHA256
5f79bfd42abc7d0e99f460d3c9f482ed8ec9dfda840b74c447f3fa99845af03d

SHA512
cf0f68827cff8b43023d9e3adadf72ca0bd31b3e8b8f40a5e88626b199ad3dcce754255aaeaa301ec642ba19423772b324785e6e22812905164d0848c6fd336a

Download Submit
memory/2792-19-0x0000000000980000-0x0000000000A9A000-memory.dmp

Filesize
1.1MB

Download
memory/2792-18-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/3028-1-0x00000000001E0000-0x000000000028E000-memory.dmp

Filesize
696KB

Download
memory/3028-7-0x0000000003250000-0x0000000003252000-memory.dmp

Filesize
8KB

Download
memory/3028-4-0x0000000003260000-0x0000000003263000-memory.dmp

Filesize
12KB

Download
memory/3028-15-0x0000000003450000-0x000000000356A000-memory.dmp

Filesize
1.1MB

Download
memory/3028-2-0x0000000001000000-0x00000000010AE000-memory.dmp

Filesize
696KB

Download
memory/3028-0-0x0000000001000000-0x00000000010AE000-memory.dmp

Filesize
696KB

Download
memory/3028-3-0x0000000000320000-0x0000000000374000-memory.dmp

Filesize
336KB

Download
memory/3028-23-0x0000000001000000-0x00000000010AE000-memory.dmp

Filesize
696KB

Download
memory/3028-25-0x0000000000320000-0x0000000000374000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads