c158f9e4a7bee17063b7139e956fe75164dfca2d4cf54ea4c298f1f80acbb064

Analysis

max time kernel
161s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aaf23963fb5607ed0bf696a3e573cf3.exe
Size

644KB
MD5

1aaf23963fb5607ed0bf696a3e573cf3
SHA1

25ec84fd28cd06cd222bb447164a77f7f0c0b8f3
SHA256

c158f9e4a7bee17063b7139e956fe75164dfca2d4cf54ea4c298f1f80acbb064
SHA512

99254ba5527635533880d39a25dcc44484cc2a758064daebd1a95abb9324a10be05f80e255e9a68ff7ee72051e552e856053cbc999b6a54526f3f8fcfa546735
SSDEEP

12288:LdxaTKzvS2DhizjJYMUQPF3Z4mxxfgXp6m90qgr+EdRW:L9tIfJYEQmXfgXp6D+p

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3096	4_lh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1aaf23963fb5607ed0bf696a3e573cf3.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3404	3096	WerFault.exe	90

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 3096	3724	1aaf23963fb5607ed0bf696a3e573cf3.exe	90
PID 3724 wrote to memory of 3096	3724	1aaf23963fb5607ed0bf696a3e573cf3.exe	90
PID 3724 wrote to memory of 3096	3724	1aaf23963fb5607ed0bf696a3e573cf3.exe	90

C:\Users\Admin\AppData\Local\Temp\1aaf23963fb5607ed0bf696a3e573cf3.exe
"C:\Users\Admin\AppData\Local\Temp\1aaf23963fb5607ed0bf696a3e573cf3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_lh.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_lh.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 544
    3⤵
    - Program crash
    PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3096 -ip 3096
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_lh.exe

Filesize
95KB

MD5
95b73b9534d983a536a46dfaa481556c

SHA1
272763009adecc84aa771897af2ad7a4624f08ef

SHA256
4f191fbca9fbf4bbd6c2235b597b73baf95d33f49ee24b277a10f4dab3ecf99c

SHA512
42c17f53e7dc51b9637a0cefa0a0b8fb930c9c49fb0ba9d3fc0991328b0e8ba31b005a667f18cce6828a6a5afd5c62789f714671c9cd902c12189aadf5bb12eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_lh.exe

Filesize
188KB

MD5
139498c4149988ee02c14e1fdc3388e5

SHA1
1e73490d0e97e66747b3bdfc24111a6355241968

SHA256
f1fa86a6bc8068e6d61830ca88c475032f818acbddd497fefa2fd9e6cd7114d0

SHA512
3a38713550cabb60e335ce6498f21adda9c57c9bb0be9c642b389af80fd99d7df14a4f9a9aa73b04a3cf4a957e50f8173833f213ba86407fc7d1fb6b5837d4d5

Download Submit
memory/3096-24-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/3096-25-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/3724-10-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/3724-7-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/3724-17-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3724-15-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/3724-14-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/3724-13-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/3724-12-0x00000000030E0000-0x00000000030E2000-memory.dmp

Filesize
8KB

Download
memory/3724-11-0x00000000030F0000-0x00000000030F3000-memory.dmp

Filesize
12KB

Download
memory/3724-0-0x0000000001000000-0x00000000010AE000-memory.dmp

Filesize
696KB

Download
memory/3724-18-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/3724-9-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3724-16-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/3724-8-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3724-6-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/3724-4-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/3724-5-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3724-3-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/3724-1-0x0000000001000000-0x00000000010AE000-memory.dmp

Filesize
696KB

Download
memory/3724-26-0x0000000001000000-0x00000000010AE000-memory.dmp

Filesize
696KB

Download
memory/3724-27-0x00000000006E0000-0x0000000000734000-memory.dmp

Filesize
336KB

Download
memory/3724-2-0x00000000006E0000-0x0000000000734000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads