4a0a3e22f43c7579d9108f93de2d5e755fb23ae67c910278af76cf77afff3654

General

Target

7e2a06ab8b923fc928f0cd9a6ed745c2.exe
Size

136KB
MD5

7e2a06ab8b923fc928f0cd9a6ed745c2
SHA1

01c08af6213c86e0b75e93cd497fa51e4cacb34c
SHA256

4a0a3e22f43c7579d9108f93de2d5e755fb23ae67c910278af76cf77afff3654
SHA512

dcb6d2c460e48580efb6b17fb0f1e9027a14d2f273e756e2f5cc11478a901273109853bde3ab55de9ddec7dabc0952e74c9962ea1f72dab2e99417374c217214
SSDEEP

3072:AOqbgt6rdx5chjgMVYvEJnateb8SVPIR+x/Kr:cbd+3CvUatjS0+tKr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2572	taskhost.exe
4792	taskhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"	7e2a06ab8b923fc928f0cd9a6ed745c2.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 3864	2336	7e2a06ab8b923fc928f0cd9a6ed745c2.exe	25
PID 2572 set thread context of 4792	2572	taskhost.exe	21

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3552	2336	WerFault.exe	14
3116	2572	WerFault.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 3864	2336	7e2a06ab8b923fc928f0cd9a6ed745c2.exe	25
PID 2336 wrote to memory of 3864	2336	7e2a06ab8b923fc928f0cd9a6ed745c2.exe	25
PID 2336 wrote to memory of 3864	2336	7e2a06ab8b923fc928f0cd9a6ed745c2.exe	25
PID 2336 wrote to memory of 3864	2336	7e2a06ab8b923fc928f0cd9a6ed745c2.exe	25
PID 2336 wrote to memory of 3864	2336	7e2a06ab8b923fc928f0cd9a6ed745c2.exe	25
PID 3864 wrote to memory of 2572	3864	7e2a06ab8b923fc928f0cd9a6ed745c2.exe	22
PID 3864 wrote to memory of 2572	3864	7e2a06ab8b923fc928f0cd9a6ed745c2.exe	22
PID 3864 wrote to memory of 2572	3864	7e2a06ab8b923fc928f0cd9a6ed745c2.exe	22
PID 2572 wrote to memory of 4792	2572	taskhost.exe	21
PID 2572 wrote to memory of 4792	2572	taskhost.exe	21
PID 2572 wrote to memory of 4792	2572	taskhost.exe	21
PID 2572 wrote to memory of 4792	2572	taskhost.exe	21
PID 2572 wrote to memory of 4792	2572	taskhost.exe	21

C:\Users\Admin\AppData\Local\Temp\7e2a06ab8b923fc928f0cd9a6ed745c2.exe
"C:\Users\Admin\AppData\Local\Temp\7e2a06ab8b923fc928f0cd9a6ed745c2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 296
  2⤵
  - Program crash
  PID:3552
- C:\Users\Admin\AppData\Local\Temp\7e2a06ab8b923fc928f0cd9a6ed745c2.exe
  C:\Users\Admin\AppData\Local\Temp\7e2a06ab8b923fc928f0cd9a6ed745c2.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 292
1⤵
- Program crash
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2572 -ip 2572
1⤵
PID:3968

C:\Users\Admin\AppData\Roaming\taskhost.exe
C:\Users\Admin\AppData\Roaming\taskhost.exe
1⤵
- Executes dropped EXE
PID:4792

C:\Users\Admin\AppData\Roaming\taskhost.exe
C:\Users\Admin\AppData\Roaming\taskhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2336 -ip 2336
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
65KB

MD5
8471184df3294c3d08884df8fb78bf98

SHA1
e1e4062c68031909d7ee84c1216f61ee2c2af5b5

SHA256
7d04ca1f7684c400415e98d14ddbb35c71f0ffcebd7f97a7121a60083673d974

SHA512
3fbadb56156026b4ce6d089674f652435c1b60bd9b00fb7e5c2786c0534e6858c126c103a2f6e002d5484ccc9668cc50250195fbd46248ff66914475db6addee

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
63KB

MD5
2aca10e56998c4dad50c23bfd74ffc6a

SHA1
981fc97cefef0f91d18c892ffb37239288619a34

SHA256
21b3106c78f60098b195737abbd3bf5137150ab94b9a78d91e901b887b8bed58

SHA512
23485d8f561533ecd9d8c192a31c00dbfdeb559280ae3c798e2547b8769f7ea232cb98564db44704ef97d8f3f06883514b9ddcf9d412a1391e80250f4af65aba

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
12KB

MD5
87621c092d1b29c869f54131f4c7e3c7

SHA1
65dfd55624fba94e9e67cc2e4fae343324b608ad

SHA256
387c6f2c004a77d2b81d130f40bf15b2821d7bccc38b1658405f600baac872af

SHA512
e8c2ddac2ff39ca4216eeaaaa1d58fcfe260f7acb91e47a5903ece6d2f59f9f635a674f30b7aa04bc199e730cc8790ca79fa49b9011c7d32235e332a0c6956cb

Download Submit
memory/2336-17-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2336-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2572-16-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2572-9-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3864-3-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3864-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3864-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3864-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4792-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4792-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4792-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4792-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads