13c92f9848f3f43f42a7e9882144b8229d17dee27fb52b05bba9f8c8e417a529

General

Target

89e10dab0f6e6787265ae69efe2eea33.exe
Size

860KB
MD5

89e10dab0f6e6787265ae69efe2eea33
SHA1

b83bd1340099a6b66b5b2b2551b836982b4615a7
SHA256

13c92f9848f3f43f42a7e9882144b8229d17dee27fb52b05bba9f8c8e417a529
SHA512

3dbbaebba88d6e4f91de1958c10b1d04e48f5b5576ad90f5fe9c971d223b6e77fcec367530b7ca3b41aa23fe3245c385f9c6ca9392d9632d7a4a40c13af32bf7
SSDEEP

12288:1ynJ/2UZ6w9gaTHcJjdWP7av5YVP6JPrDbJm8drYE1ovmt7KPrUyN:1msUZ5gaorWPGauzDbJmARoNUi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2768	±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe
2836	dat.exe
2872	vx_6.exe

Loads dropped DLL 12 IoCs

pid	Process
2980	89e10dab0f6e6787265ae69efe2eea33.exe
2980	89e10dab0f6e6787265ae69efe2eea33.exe
2980	89e10dab0f6e6787265ae69efe2eea33.exe
2980	89e10dab0f6e6787265ae69efe2eea33.exe
2768	±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe
2768	±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe
2768	±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe
2872	vx_6.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015ca3-27.dat	upx
behavioral1/memory/2872-38-0x0000000000400000-0x000000000055A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2760	2872	WerFault.exe	30

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2768	2980	89e10dab0f6e6787265ae69efe2eea33.exe	28
PID 2980 wrote to memory of 2768	2980	89e10dab0f6e6787265ae69efe2eea33.exe	28
PID 2980 wrote to memory of 2768	2980	89e10dab0f6e6787265ae69efe2eea33.exe	28
PID 2980 wrote to memory of 2768	2980	89e10dab0f6e6787265ae69efe2eea33.exe	28
PID 2980 wrote to memory of 2768	2980	89e10dab0f6e6787265ae69efe2eea33.exe	28
PID 2980 wrote to memory of 2768	2980	89e10dab0f6e6787265ae69efe2eea33.exe	28
PID 2980 wrote to memory of 2768	2980	89e10dab0f6e6787265ae69efe2eea33.exe	28
PID 2980 wrote to memory of 2836	2980	89e10dab0f6e6787265ae69efe2eea33.exe	29
PID 2980 wrote to memory of 2836	2980	89e10dab0f6e6787265ae69efe2eea33.exe	29
PID 2980 wrote to memory of 2836	2980	89e10dab0f6e6787265ae69efe2eea33.exe	29
PID 2980 wrote to memory of 2836	2980	89e10dab0f6e6787265ae69efe2eea33.exe	29
PID 2768 wrote to memory of 2872	2768	±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe	30
PID 2768 wrote to memory of 2872	2768	±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe	30
PID 2768 wrote to memory of 2872	2768	±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe	30
PID 2768 wrote to memory of 2872	2768	±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe	30
PID 2768 wrote to memory of 2872	2768	±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe	30
PID 2768 wrote to memory of 2872	2768	±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe	30
PID 2768 wrote to memory of 2872	2768	±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe	30
PID 2872 wrote to memory of 2760	2872	vx_6.exe	31
PID 2872 wrote to memory of 2760	2872	vx_6.exe	31
PID 2872 wrote to memory of 2760	2872	vx_6.exe	31
PID 2872 wrote to memory of 2760	2872	vx_6.exe	31
PID 2872 wrote to memory of 2760	2872	vx_6.exe	31
PID 2872 wrote to memory of 2760	2872	vx_6.exe	31
PID 2872 wrote to memory of 2760	2872	vx_6.exe	31

C:\Users\Admin\AppData\Local\Temp\89e10dab0f6e6787265ae69efe2eea33.exe
"C:\Users\Admin\AppData\Local\Temp\89e10dab0f6e6787265ae69efe2eea33.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe
  "C:\Users\Admin\AppData\Local\Temp\±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vx_6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vx_6.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 272
      4⤵
      Loads dropped DLL
      Program crash
      PID:2760
- C:\Users\Admin\AppData\Local\Temp\dat.exe
  "C:\Users\Admin\AppData\Local\Temp\dat.exe"
  2⤵
  - Executes dropped EXE
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\vx_6.exe

Filesize
456KB

MD5
7e178a5140bef6ab279fc248fcecf2e1

SHA1
ef1379d1d6a8bb10bfdba97e52468982ab820d9f

SHA256
52edf0107d04ce02afad02b5b79278f47acca980ce4212a1380090688c438091

SHA512
5be068e01483ddab80a29aa2c7c8f7e59c19a1cd6947ef25da9af39a18f93417c0ff035b800b84c049993c26be6153e6db3a7a324a76ed1811d7b6c5e63a861c

Download Submit
\Users\Admin\AppData\Local\Temp\dat.exe

Filesize
129KB

MD5
818c105a1f47d3684c567b795ab28ce1

SHA1
682deb84809209982daa1ae46d6e461bab6fe6ed

SHA256
8a994deda87e60751ade51c99ad4d34dd2abf774cd9b169cfbddb8b5c8681333

SHA512
5a17e32e9ec6f2531ce260a14994fa4f909c9133a445f312d7308dc9f351725abbeb45b27d47c3c1b56b97b89db2fd8ba309fdc194c54d83b852a02092b60e63

Download Submit
\Users\Admin\AppData\Local\Temp\±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe

Filesize
601KB

MD5
e32032ba8cf97310410cc283df875e18

SHA1
a879010e5d795886dfd6e2252a66ec4ecf12321e

SHA256
ef00fb802e86aee48f68fce5e910ba10ebd05648ee9a639ed38ce16ebe3ac923

SHA512
c175b6bce65ad3a0dd36a2ec66c998fd844adaa5beb195c5ed9a04f63329ab011c62534164e6a9b7fff9f2c61a656a84db04db02ece56e8ac28d54b186fdc22c

Download Submit
memory/2768-33-0x0000000000930000-0x0000000000A8A000-memory.dmp

Filesize
1.4MB

Download
memory/2768-37-0x0000000000930000-0x0000000000A8A000-memory.dmp

Filesize
1.4MB

Download
memory/2836-21-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2872-38-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2980-19-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads