Analysis
- max time kernel: 142s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 16-03-2024 14:45
Behavioral tasks
- behavioral1
  - Sample: ce50c98a22c5bad5e0e92f23ab016967.exe
  - Resource: win7-20240221-en
- behavioral2
  - Sample: ce50c98a22c5bad5e0e92f23ab016967.exe
  - Resource: win10v2004-20240226-en
General
- Target: ce50c98a22c5bad5e0e92f23ab016967.exe
- Size: 782KB
- MD5: ce50c98a22c5bad5e0e92f23ab016967
- SHA1: 5ec869520c04a4849c09abc96ccc71a584cad4a7
- SHA256: 417ec4ca38a56f66564399c5067336b48a9bb808a723c7dadc02b0632195b3a7
- SHA512: 25641990de79254226cf872de83a11c55971101d95782f607e686cc4edaf8ef410ab7df1a0f17b8e90caf85d5ca1742e5cf83e8553159ce911d864685d6b1630
- SSDEEP: 12288:dcQAwMhqkdhJn1mmv+e3HeVk6gCDBsn//FezmlGTlIMUiR5d0YCtTbrVoSq058an:63fHfJ1Pv+omkFnwz/eT+DNFHZDcn3
Signatures
- Executes dropped EXE (2 IoCs)
  - PID 1212: XPLOIT~1.EXE
  - PID 2592: crack.exe
- Loads dropped DLL (15 IoCs)
  - PID 1336: ce50c98a22c5bad5e0e92f23ab016967.exe (4 loads)
  - PID 1212: XPLOIT~1.EXE (3 loads)
  - PID 2592: crack.exe (3 loads)
  - PID 2488: WerFault.exe (5 loads)
- YARA rule match: upx
  - behavioral1/memory/1336-0-0x0000000001000000-0x0000000001103000-memory.dmp
  - behavioral1/memory/1336-40-0x0000000001000000-0x0000000001103000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str) by ce50c98a22c5bad5e0e92f23ab016967.exe:
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Program crash (1 IoC)
  - PID 2488 (WerFault.exe) handled the crash of PID 2592 (procid_target 29)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - PID 1212: XPLOIT~1.EXE
  - PID 2592: crack.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  - PID 1336 (ce50c98a22c5bad5e0e92f23ab016967.exe) wrote to memory of PID 1212 (procid_target 28): 7 events
  - PID 1336 (ce50c98a22c5bad5e0e92f23ab016967.exe) wrote to memory of PID 2592 (procid_target 29): 7 events
  - PID 2592 (crack.exe) wrote to memory of PID 2488 (procid_target 30): 7 events
Processes
- C:\Users\Admin\AppData\Local\Temp\ce50c98a22c5bad5e0e92f23ab016967.exe (PID 1336)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce50c98a22c5bad5e0e92f23ab016967.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XPLOIT~1.EXE (PID 1212)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XPLOIT~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
  - Child: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crack.exe (PID 2592)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crack.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\WerFault.exe (PID 2488)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 324
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file 1
  - Filesize: 556KB
  - MD5: 11be018263858c59bfec03a9fc1bb826
  - SHA1: 4f3b82b37da3ec714fdc564d8cf0f887dc138da7
  - SHA256: 17530fd226aafaa13ec34609cf5387932c67120a6e36c7a8d036e3ca4a0e5c25
  - SHA512: c75391a246e052076a8d45c86530e628e9ffd9e9d405ed7e6b4ce57c4a9b4dc336d03fdc8800cb62cc0ea09ec83027617f0af7059da352d84b39bc0bdb487cb2
- Dropped file 2
  - Filesize: 324KB
  - MD5: adbcb556aabf27758191f3be3f466c36
  - SHA1: 74020b415c530cfe3936f7a93304fcf0e95e2d6d
  - SHA256: 6b3b92061e7424d098067feaf3faa976d9ae4212cb32e726fc7b166eb1427335
  - SHA512: 34d0b7eafa22666d18f224bddc42c21288d2c6fd93c58be88637410318b60980cd08d2a839e2f6cf313541c6263da2787cbe8627ce5980d78c3f3e0cdd9cb5de