4d3854d2a75855f1b230fb2c80888a03bebdbf634e3c27b83029191b386fb85c

General

Target

7b316fd93934973eecae501de07b2548.exe
Size

1.4MB
MD5

7b316fd93934973eecae501de07b2548
SHA1

6527831d24beeb5bf9d3845f1bbecfc5001c1bba
SHA256

4d3854d2a75855f1b230fb2c80888a03bebdbf634e3c27b83029191b386fb85c
SHA512

909f1cf0ac71990039a2b5b8cd0fa7ba4eb68941a5bc10e69ff0cc1a34d96e966538d67c865c50f842ea4e32c6f4560bf4f5cb98b87bdc8285061be040cf7803
SSDEEP

24576:SBCPUeajDxqaHnV+3flhwa1Jm45r7oV68VWcDXY+Ok7khd5:NPhajDxq4VC9hH+45PoV6wUL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2036	EXE_temp0.exe
2772	EXE_temp1.exe
2136	vx_vx_111.exe

Loads dropped DLL 15 IoCs

pid	Process
2456	7b316fd93934973eecae501de07b2548.exe
2456	7b316fd93934973eecae501de07b2548.exe
2456	7b316fd93934973eecae501de07b2548.exe
2456	7b316fd93934973eecae501de07b2548.exe
2036	EXE_temp0.exe
2036	EXE_temp0.exe
2036	EXE_temp0.exe
2136	vx_vx_111.exe
2840	WerFault.exe
2840	WerFault.exe
2840	WerFault.exe
2840	WerFault.exe
2840	WerFault.exe
2840	WerFault.exe
2840	WerFault.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000014c1d-9.dat	upx
behavioral1/memory/2036-18-0x0000000002790000-0x0000000002B35000-memory.dmp	upx
behavioral1/memory/2136-19-0x0000000001000000-0x00000000013A5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	EXE_temp0.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2840	2136	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2772	EXE_temp1.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2772	EXE_temp1.exe
2772	EXE_temp1.exe
2772	EXE_temp1.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2036	2456	7b316fd93934973eecae501de07b2548.exe	28
PID 2456 wrote to memory of 2036	2456	7b316fd93934973eecae501de07b2548.exe	28
PID 2456 wrote to memory of 2036	2456	7b316fd93934973eecae501de07b2548.exe	28
PID 2456 wrote to memory of 2036	2456	7b316fd93934973eecae501de07b2548.exe	28
PID 2456 wrote to memory of 2036	2456	7b316fd93934973eecae501de07b2548.exe	28
PID 2456 wrote to memory of 2036	2456	7b316fd93934973eecae501de07b2548.exe	28
PID 2456 wrote to memory of 2036	2456	7b316fd93934973eecae501de07b2548.exe	28
PID 2456 wrote to memory of 2772	2456	7b316fd93934973eecae501de07b2548.exe	29
PID 2456 wrote to memory of 2772	2456	7b316fd93934973eecae501de07b2548.exe	29
PID 2456 wrote to memory of 2772	2456	7b316fd93934973eecae501de07b2548.exe	29
PID 2456 wrote to memory of 2772	2456	7b316fd93934973eecae501de07b2548.exe	29
PID 2036 wrote to memory of 2136	2036	EXE_temp0.exe	30
PID 2036 wrote to memory of 2136	2036	EXE_temp0.exe	30
PID 2036 wrote to memory of 2136	2036	EXE_temp0.exe	30
PID 2036 wrote to memory of 2136	2036	EXE_temp0.exe	30
PID 2036 wrote to memory of 2136	2036	EXE_temp0.exe	30
PID 2036 wrote to memory of 2136	2036	EXE_temp0.exe	30
PID 2036 wrote to memory of 2136	2036	EXE_temp0.exe	30
PID 2136 wrote to memory of 2840	2136	vx_vx_111.exe	31
PID 2136 wrote to memory of 2840	2136	vx_vx_111.exe	31
PID 2136 wrote to memory of 2840	2136	vx_vx_111.exe	31
PID 2136 wrote to memory of 2840	2136	vx_vx_111.exe	31
PID 2136 wrote to memory of 2840	2136	vx_vx_111.exe	31
PID 2136 wrote to memory of 2840	2136	vx_vx_111.exe	31
PID 2136 wrote to memory of 2840	2136	vx_vx_111.exe	31

C:\Users\Admin\AppData\Local\Temp\7b316fd93934973eecae501de07b2548.exe
"C:\Users\Admin\AppData\Local\Temp\7b316fd93934973eecae501de07b2548.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\EXE_temp0.exe
  "C:\Users\Admin\AppData\Local\Temp\EXE_temp0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vx_vx_111.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vx_vx_111.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 272
      4⤵
      Loads dropped DLL
      Program crash
      PID:2840
- C:\Users\Admin\AppData\Local\Temp\EXE_temp1.exe
  "C:\Users\Admin\AppData\Local\Temp\EXE_temp1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\EXE_temp0.exe

Filesize
695KB

MD5
75a9c2c95fa7e017c60ec43a6e58ebc5

SHA1
179fbeabafe4b9c1ed896a0ae83c1fc2fe753261

SHA256
0d4853af65841c11910a85d10bb9f751636fc08c8c81b459660b500e004c6692

SHA512
1404abd3e989d3e01c3e0c1c0be5c7d6ecbd1ac80c0ffb49aa3f40f8a2d7f6c48018f13d5fcc465dbeaeaac8755d0ccae43e9de1e2aa14d842969b814a1959b5

Download Submit
\Users\Admin\AppData\Local\Temp\EXE_temp1.exe

Filesize
696KB

MD5
6fb6a85948b27c190a054cd8ce7e41f8

SHA1
075a122dd2fb76f245eae41b6daff359497611e5

SHA256
ed367f7a13b5bb2349f0890f4702cef02beaea4de5e6ded4844b3c63c7e351f9

SHA512
24068f37a98665bb97987a947e189aec287e714d67ca5cb0464c6f1467c53a5bfe708481b8f21eb17bf7e113d7055bd656bd078fe28a7cd5afaddc39bf85760d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\vx_vx_111.exe

Filesize
637KB

MD5
49feaf02d7848e3ea314d8383a2c6db7

SHA1
54bd0f2e44eac218460088603b213f119249a549

SHA256
3c2ab354f1c2a2cca58d2f73709661cb3212cc3ba4138125ab55245d82fb45ef

SHA512
317d0fc1208625ad18b2ce3ee59b5a02df1c08cdaa535020af228ffa76527b0be3d74c81aa7cb9f6ebc8c3f08cbee255fe734114a9be671762eca781ff0a9a53

Download Submit
memory/2036-18-0x0000000002790000-0x0000000002B35000-memory.dmp

Filesize
3.6MB

Download
memory/2136-19-0x0000000001000000-0x00000000013A5000-memory.dmp

Filesize
3.6MB

Download
memory/2136-20-0x0000000000A30000-0x0000000000DD5000-memory.dmp

Filesize
3.6MB

Download
memory/2136-30-0x0000000000A30000-0x0000000000DD5000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads