83ce512cd089f12b447e1e0e7b4bb37f2196a0dc84960a6970f57b43342887d3

Analysis

max time kernel
137s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 17:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

65a8dfad462f654c0973ea4a81ceb640.exe
Size

1.1MB
MD5

65a8dfad462f654c0973ea4a81ceb640
SHA1

c1e3a778e53e4143c7a2b67819795c4cee5fab9f
SHA256

83ce512cd089f12b447e1e0e7b4bb37f2196a0dc84960a6970f57b43342887d3
SHA512

25cea99cf1b038d1040d268b321b95a113c23d7848de4905dd6c401f698df9c3ef20390816efc1c626385e8b1a641b28cf37548081e11bffa3897001785cba34
SSDEEP

24576:0owP9B2CmBCWKx3jZeZPrU+mAAMXsr9IC/RU8zQmX9VTzaL:0owlUCPx3gZrXD8CC/pEmNUL

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4384	SERVER~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	65a8dfad462f654c0973ea4a81ceb640.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4596	4384	WerFault.exe	88

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 4384	396	65a8dfad462f654c0973ea4a81ceb640.exe	88
PID 396 wrote to memory of 4384	396	65a8dfad462f654c0973ea4a81ceb640.exe	88
PID 396 wrote to memory of 4384	396	65a8dfad462f654c0973ea4a81ceb640.exe	88

C:\Users\Admin\AppData\Local\Temp\65a8dfad462f654c0973ea4a81ceb640.exe
"C:\Users\Admin\AppData\Local\Temp\65a8dfad462f654c0973ea4a81ceb640.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  PID:4384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 548
    3⤵
    - Program crash
    PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4384 -ip 4384
1⤵
PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
788KB

MD5
260d5bd0e262fc6db979b6fa6180d24e

SHA1
76156af6f8302fefcb6cc0a3a62d97d6c8fbaeee

SHA256
5104ef49c130c88ab8d9bd4f31b8e5f71f0083423faeed2bcc77bcb4d19f6637

SHA512
2abc7ac082a3f87e4b08239d6ac9ed3ce3c1409762dddb45f136eb9fea0946b608ee50298fd6b813b32b4c98747a996a560310a4bf89aa225e70f6c754855b1d

Download Submit
memory/396-5-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/396-2-0x00000000006E0000-0x0000000000734000-memory.dmp

Filesize
336KB

Download
memory/396-3-0x0000000001000000-0x0000000001133000-memory.dmp

Filesize
1.2MB

Download
memory/396-4-0x0000000003180000-0x0000000003183000-memory.dmp

Filesize
12KB

Download
memory/396-6-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/396-0-0x0000000001000000-0x0000000001133000-memory.dmp

Filesize
1.2MB

Download
memory/396-1-0x0000000001000000-0x0000000001133000-memory.dmp

Filesize
1.2MB

Download
memory/396-13-0x0000000001000000-0x0000000001133000-memory.dmp

Filesize
1.2MB

Download
memory/396-15-0x0000000001000000-0x0000000001133000-memory.dmp

Filesize
1.2MB

Download
memory/396-16-0x00000000006E0000-0x0000000000734000-memory.dmp

Filesize
336KB

Download
memory/4384-11-0x0000000000400000-0x0000000000416006-memory.dmp

Filesize
88KB

Download
memory/4384-14-0x0000000000400000-0x0000000000416006-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads