ec6db6613575c19945f4e1ff6d90ecfbb1ab34cbdd30c2d429d86fd132bd557a

General

Target

280841448a492e94b1c01f7505d163de.exe
Size

649KB
MD5

280841448a492e94b1c01f7505d163de
SHA1

1a468c2cba5ceef684ea4f9bdbc1682a5124370b
SHA256

ec6db6613575c19945f4e1ff6d90ecfbb1ab34cbdd30c2d429d86fd132bd557a
SHA512

81d85f6b7fdbce73e22212d84d5eb47aefd47b52c94d4090d365e9f8eb5b7a00f2b833f0f23606bc150d700d19455b9cbddc23a0d802d203912afc904a3e220c
SSDEEP

12288:FHyhPBDgO6dsx4tSZvqT4OWADF3Z4mxxfDqVTVOCZvOf:FHyngO4tSZvq1QmXeVTz8f

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2668	3_lh.exe

Loads dropped DLL 6 IoCs

pid	Process
1732	280841448a492e94b1c01f7505d163de.exe
1732	280841448a492e94b1c01f7505d163de.exe
2668	3_lh.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	280841448a492e94b1c01f7505d163de.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2164	2668	WerFault.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2668	1732	280841448a492e94b1c01f7505d163de.exe	28
PID 1732 wrote to memory of 2668	1732	280841448a492e94b1c01f7505d163de.exe	28
PID 1732 wrote to memory of 2668	1732	280841448a492e94b1c01f7505d163de.exe	28
PID 1732 wrote to memory of 2668	1732	280841448a492e94b1c01f7505d163de.exe	28
PID 1732 wrote to memory of 2668	1732	280841448a492e94b1c01f7505d163de.exe	28
PID 1732 wrote to memory of 2668	1732	280841448a492e94b1c01f7505d163de.exe	28
PID 1732 wrote to memory of 2668	1732	280841448a492e94b1c01f7505d163de.exe	28
PID 2668 wrote to memory of 2164	2668	3_lh.exe	29
PID 2668 wrote to memory of 2164	2668	3_lh.exe	29
PID 2668 wrote to memory of 2164	2668	3_lh.exe	29
PID 2668 wrote to memory of 2164	2668	3_lh.exe	29
PID 2668 wrote to memory of 2164	2668	3_lh.exe	29
PID 2668 wrote to memory of 2164	2668	3_lh.exe	29
PID 2668 wrote to memory of 2164	2668	3_lh.exe	29

C:\Users\Admin\AppData\Local\Temp\280841448a492e94b1c01f7505d163de.exe
"C:\Users\Admin\AppData\Local\Temp\280841448a492e94b1c01f7505d163de.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3_lh.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3_lh.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 276
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\3_lh.exe

Filesize
93KB

MD5
4ff28a3a98e9cdb820a0d7b70cfe85e5

SHA1
37cbc3a087235d79f2b503eeb55d5d4b0d92b31b

SHA256
ba7cc09f55cccd76d5373552c772dfeb3fc1b1a57932ad0f63c09d4ceb9d3f29

SHA512
0dd8c8a8a677123d7ec88e75d299f5b033c75fe250d526d80ec7929f68034c5afead253a854829d9374ed12603bb89550ae69a236ff0641cc601e01975fc061c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\3_lh.exe

Filesize
92KB

MD5
ece531ccab5908888811514fb22a49da

SHA1
9395b8620b18831cca2106554fd5bb3ea85f2c98

SHA256
02f9a80a000e2caf6f1b3a7e53a020497cfbc9ee4fb4d7a2c590e12617d21051

SHA512
c76cdcc150c7e00d94681fc0196819b9ff0389dd123dd13d199ed3ca59463f767cb31a29b70064c347d2e2209738dd87834a94209ef5f851abae40750dac02e5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\3_lh.exe

Filesize
285KB

MD5
9c5017e85181de17b2eb88d3b6a1ffaf

SHA1
754b870ccc3559720c5478aa2b14f47e0e61366a

SHA256
d3f0a54731c38245842cb4ac8064a874e1b058e496939c35e5790e5d41db0447

SHA512
868bec5b236e1ba046fe7244135a6c67b6c86b5247af4e80ce786f837406a00eb39c781143254dca88f288fa16d9393084652a912ae77ad08d5bc5dd37a5d37b

Download Submit
memory/1732-6-0x0000000003630000-0x0000000003632000-memory.dmp

Filesize
8KB

Download
memory/1732-1-0x0000000001000000-0x00000000010AF000-memory.dmp

Filesize
700KB

Download
memory/1732-5-0x0000000003640000-0x0000000003643000-memory.dmp

Filesize
12KB

Download
memory/1732-13-0x0000000003830000-0x0000000003990000-memory.dmp

Filesize
1.4MB

Download
memory/1732-0-0x0000000001000000-0x00000000010AF000-memory.dmp

Filesize
700KB

Download
memory/1732-2-0x0000000000240000-0x0000000000294000-memory.dmp

Filesize
336KB

Download
memory/1732-28-0x0000000000240000-0x0000000000294000-memory.dmp

Filesize
336KB

Download
memory/1732-26-0x0000000000170000-0x000000000021F000-memory.dmp

Filesize
700KB

Download
memory/1732-25-0x0000000001000000-0x00000000010AF000-memory.dmp

Filesize
700KB

Download
memory/1732-18-0x0000000003830000-0x0000000003990000-memory.dmp

Filesize
1.4MB

Download
memory/2668-15-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2668-19-0x0000000000BC0000-0x0000000000D20000-memory.dmp

Filesize
1.4MB

Download
memory/2668-20-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2668-21-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2668-29-0x0000000000BC0000-0x0000000000D20000-memory.dmp

Filesize
1.4MB

Download
memory/2668-31-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads