00e74582c6ffe11659a6163406a14fc27f9d01799f8ed3a40b5d1dd51b57f4a9

General

Target

64f37f23926f78c90219eb4a9aacd259.exe
Size

698KB
MD5

64f37f23926f78c90219eb4a9aacd259
SHA1

76857b1dede867013abf85c9d93df8d503765ffc
SHA256

00e74582c6ffe11659a6163406a14fc27f9d01799f8ed3a40b5d1dd51b57f4a9
SHA512

e35a5027f618ea50514eb242b23ba72c7676c70b58582cf820bbca466b8ce1b7d21a0856e4bd3099e269aeecee632b65e38e3787a9621d8bec87333d2d894517
SSDEEP

12288:5ojj7vuD4/rUWTxUra4SxkGG0YwHt4J7B0Za9A42EF3Z4mxxJaVk0tMgnOnfGT:87vNX6a4SVv07B0E9R1QmXJYR+nfGT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2712	SERVER~1.EXE

Loads dropped DLL 6 IoCs

pid	Process
1140	64f37f23926f78c90219eb4a9aacd259.exe
1140	64f37f23926f78c90219eb4a9aacd259.exe
2712	SERVER~1.EXE
2848	WerFault.exe
2848	WerFault.exe
2848	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	64f37f23926f78c90219eb4a9aacd259.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2848	2712	WerFault.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2712	1140	64f37f23926f78c90219eb4a9aacd259.exe	28
PID 1140 wrote to memory of 2712	1140	64f37f23926f78c90219eb4a9aacd259.exe	28
PID 1140 wrote to memory of 2712	1140	64f37f23926f78c90219eb4a9aacd259.exe	28
PID 1140 wrote to memory of 2712	1140	64f37f23926f78c90219eb4a9aacd259.exe	28
PID 1140 wrote to memory of 2712	1140	64f37f23926f78c90219eb4a9aacd259.exe	28
PID 1140 wrote to memory of 2712	1140	64f37f23926f78c90219eb4a9aacd259.exe	28
PID 1140 wrote to memory of 2712	1140	64f37f23926f78c90219eb4a9aacd259.exe	28
PID 2712 wrote to memory of 2848	2712	SERVER~1.EXE	29
PID 2712 wrote to memory of 2848	2712	SERVER~1.EXE	29
PID 2712 wrote to memory of 2848	2712	SERVER~1.EXE	29
PID 2712 wrote to memory of 2848	2712	SERVER~1.EXE	29
PID 2712 wrote to memory of 2848	2712	SERVER~1.EXE	29
PID 2712 wrote to memory of 2848	2712	SERVER~1.EXE	29
PID 2712 wrote to memory of 2848	2712	SERVER~1.EXE	29

C:\Users\Admin\AppData\Local\Temp\64f37f23926f78c90219eb4a9aacd259.exe
"C:\Users\Admin\AppData\Local\Temp\64f37f23926f78c90219eb4a9aacd259.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 268
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
187KB

MD5
21413d8793e2911e58bca905dc68556c

SHA1
ad594f4669400209cc62b84285cabb0ab30bb198

SHA256
4a260aa3663b89211c42b07148b9c311fc5856f3ff65fec9e16cfc2e03d97950

SHA512
b1adb34cfe4eb5a9d933b56c7f2f92fea55f2990249269daff3ba2c8899b618167ad8a6d74c894e22339337c69ceeb4b9833b0ab321ac80f41f2a9ead91dae51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
121KB

MD5
cccdde9f04e39be6aef38a8276690690

SHA1
021ebfda40b5c1865fbaa359eebda8cc8fdacca7

SHA256
be996bf60425ac4b334d1dfbf06423fecf603702a4ed8513c1313ba643417e39

SHA512
f7bf7eedd6594c2880267f41fa4e8251a6bd0389b2d22dd9ddcd7f7d68f7881dac5f7c517ee1ee8fdeca5d7b4617ddd422bb1012415b2972510b13b8b5f41139

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
45KB

MD5
7d1a7706978958d56c11fdbbea403022

SHA1
93d117697e88e9f903f123038801870d01d47ef6

SHA256
de6bea7bbf85a7300245f28c2e37dd3102fce09ac7b5934466a5f2474920bfd8

SHA512
f059bd2a7aa28a08ce9f51cc8b564df1e84bad0a9fe5c453f0608c7a2887ad27f65be1e375fbbde633a6dd5ac7c8d32bcb3cb54923bce6101dbeb24f24fd5500

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
342KB

MD5
df563c7800612d37775a04ccfabaa4e2

SHA1
cb4077186d77f2a59310987fbc4aae00c9063b75

SHA256
bdcfdb1ef0a3e0f25c80fcd1694ff0b572ebecd0d79ad293222d2b9411484a1f

SHA512
828e00a852a39c47792d526fbcfe42ce89ba8dbcde9bf5e22c713c1822181e2fbebf6e8b66bec32d960a3382afe9a9bf896ea46b1fd8a4b21351a4819911a3aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
79KB

MD5
6c5d8c272af46599651cf041e553b409

SHA1
14505e88195b6e11765d797260a686b31273758a

SHA256
6669c9ddaaba6430a7918386f96d33234e396321268230654594c797f1d5e3bf

SHA512
3bfc928f02fdd928518099a13465c8064a168629d770a04bcf177cdb2b3aa9076f2ad7acbbcbeb816daf6dac9538cf4564d0d38a53bda8e5d3276bc6332155f1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
215KB

MD5
5d69ae0e29c8d5aa6abdcc9df3c487d5

SHA1
5fa437a2dcd103ebbd8a2a556a4b51415be76851

SHA256
3b0b98378019729e050d8b215c6f5af7e82858bd2d0909139b1702a7356ad163

SHA512
8a5c5f5932b9df02f0afd679fb2a82e68a092e01ba787c1ac3b414aae388e98cd5a757728e6f6bf2ba4e894bf7ac1df25fa9dba0660e510f0064217a73bb7e3f

Download Submit
memory/1140-2-0x0000000000500000-0x0000000000554000-memory.dmp

Filesize
336KB

Download
memory/1140-3-0x0000000001000000-0x00000000010BC000-memory.dmp

Filesize
752KB

Download
memory/1140-4-0x0000000003270000-0x0000000003273000-memory.dmp

Filesize
12KB

Download
memory/1140-0-0x0000000001000000-0x00000000010BC000-memory.dmp

Filesize
752KB

Download
memory/1140-1-0x00000000001F0000-0x00000000002AC000-memory.dmp

Filesize
752KB

Download
memory/1140-19-0x0000000001000000-0x00000000010BC000-memory.dmp

Filesize
752KB

Download
memory/1140-21-0x0000000000500000-0x0000000000554000-memory.dmp

Filesize
336KB

Download
memory/2712-20-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads