e7e7a9ea982d3fda4e97af265b72c5bbfd3a25317250cb6e4b77dcb17e18a5dc

General

Target

1ab4dacfc3feff282cd436b664d93074.exe
Size

98KB
MD5

1ab4dacfc3feff282cd436b664d93074
SHA1

79bb6fe1ec713b163965c565e5ec7414bb579a1a
SHA256

e7e7a9ea982d3fda4e97af265b72c5bbfd3a25317250cb6e4b77dcb17e18a5dc
SHA512

637bc1144db7176e2980830a39e35910b36eaa1ec58f0c78423ac0fa83db23a62e15680091808350d01b47b0d3f6b72c8725ecd54625d9e8e2c5dd1ff11c0d5d
SSDEEP

3072:Qnj9jtfU+INndIc0JSBrQDUKWcMFBKS6h253VZ9R:QjbeiyBlFkS6h2L

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2092	CHILL_~1.EXE
2728	SERVER~1.EXE
2584	SERVER~1.exe

Loads dropped DLL 10 IoCs

pid	Process
2164	1ab4dacfc3feff282cd436b664d93074.exe
2164	1ab4dacfc3feff282cd436b664d93074.exe
2164	1ab4dacfc3feff282cd436b664d93074.exe
2164	1ab4dacfc3feff282cd436b664d93074.exe
2728	SERVER~1.EXE
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1ab4dacfc3feff282cd436b664d93074.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 2584	2728	SERVER~1.EXE	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2624	2584	WerFault.exe	30

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2092	CHILL_~1.EXE
2728	SERVER~1.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2092	2164	1ab4dacfc3feff282cd436b664d93074.exe	28
PID 2164 wrote to memory of 2092	2164	1ab4dacfc3feff282cd436b664d93074.exe	28
PID 2164 wrote to memory of 2092	2164	1ab4dacfc3feff282cd436b664d93074.exe	28
PID 2164 wrote to memory of 2092	2164	1ab4dacfc3feff282cd436b664d93074.exe	28
PID 2164 wrote to memory of 2728	2164	1ab4dacfc3feff282cd436b664d93074.exe	29
PID 2164 wrote to memory of 2728	2164	1ab4dacfc3feff282cd436b664d93074.exe	29
PID 2164 wrote to memory of 2728	2164	1ab4dacfc3feff282cd436b664d93074.exe	29
PID 2164 wrote to memory of 2728	2164	1ab4dacfc3feff282cd436b664d93074.exe	29
PID 2728 wrote to memory of 2584	2728	SERVER~1.EXE	30
PID 2728 wrote to memory of 2584	2728	SERVER~1.EXE	30
PID 2728 wrote to memory of 2584	2728	SERVER~1.EXE	30
PID 2728 wrote to memory of 2584	2728	SERVER~1.EXE	30
PID 2728 wrote to memory of 2584	2728	SERVER~1.EXE	30
PID 2728 wrote to memory of 2584	2728	SERVER~1.EXE	30
PID 2728 wrote to memory of 2584	2728	SERVER~1.EXE	30
PID 2728 wrote to memory of 2584	2728	SERVER~1.EXE	30
PID 2584 wrote to memory of 2624	2584	SERVER~1.exe	31
PID 2584 wrote to memory of 2624	2584	SERVER~1.exe	31
PID 2584 wrote to memory of 2624	2584	SERVER~1.exe	31
PID 2584 wrote to memory of 2624	2584	SERVER~1.exe	31

C:\Users\Admin\AppData\Local\Temp\1ab4dacfc3feff282cd436b664d93074.exe
"C:\Users\Admin\AppData\Local\Temp\1ab4dacfc3feff282cd436b664d93074.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHILL_~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHILL_~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 36
      4⤵
      Loads dropped DLL
      Program crash
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHILL_~1.EXE

Filesize
140KB

MD5
824bc17285cf189802348bb1053cc9d0

SHA1
6acaca19fd4ae49a4332f2f5eefc121dac4710f0

SHA256
3c180be953981416464eb1175baeaa75b019775e31a5084badcca1b2e258e89b

SHA512
7ed97e431acd4d3b6802b733e81d1c02658effdb40734878eac8cef127548e4a9f3c6f9ac7efeb93f40acd197ad4e7f17513485ea34f8181101af0c03c65e46a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
32KB

MD5
e3809b8159da5c8cecffedb1fa9b8a73

SHA1
cbfac711b854ff453971970e38bae267cd974978

SHA256
a3bd806627508c055b69b7c34e99d577cc0901a668dc78282cfdd0071c873bd9

SHA512
c11d4462600b7a03bfcd039e0387050906b6269d406c7eb1cdaa111ffa75a91e44fa5fcf1de330fd3ca461120bb811baaf4109fc740c4a18ba84831498ebd16c

Download Submit
memory/2584-24-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2584-26-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2584-28-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2584-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-32-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2584-35-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2584-36-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads