b8de78eb25d54d04ed2e4d7a7197a7897cdb09d6e9cf97b1057d2ee2a963da30

General

Target

b5d087b9dfdca42476868714c6655430N.exe
Size

735KB
MD5

b5d087b9dfdca42476868714c6655430
SHA1

5f0e9dd41e5107d365c22a686c44e1605ee7494b
SHA256

b8de78eb25d54d04ed2e4d7a7197a7897cdb09d6e9cf97b1057d2ee2a963da30
SHA512

9925af1a5bc766b6ef4892eef92f91a7eecdf911ae599b6c9d3a03c99fa43582965592736ea69f38b5f6830a1c818c0fc0461a7d2ad6cb790a7a8813351fdb98
SSDEEP

12288:LRLkNj2yW0cccgH16oYJRt6365ya+pmrMjE5rZkXrLz2P0cwTb8dK:LR4VgDU6oYJRc65dT6YsPSMcwTb8o

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2324	netstart.exe

Loads dropped DLL 5 IoCs

pid	Process
2316	b5d087b9dfdca42476868714c6655430N.exe
2316	b5d087b9dfdca42476868714c6655430N.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_netstart.exe	netstart.exe
File opened for modification	C:\Windows\SysWOW64\_netstart.exe	netstart.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 1224	2324	netstart.exe	32

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\netstart.exe	b5d087b9dfdca42476868714c6655430N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\netstart.exe	b5d087b9dfdca42476868714c6655430N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat	b5d087b9dfdca42476868714c6655430N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2244	2324	WerFault.exe	31

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2324	2316	b5d087b9dfdca42476868714c6655430N.exe	31
PID 2316 wrote to memory of 2324	2316	b5d087b9dfdca42476868714c6655430N.exe	31
PID 2316 wrote to memory of 2324	2316	b5d087b9dfdca42476868714c6655430N.exe	31
PID 2316 wrote to memory of 2324	2316	b5d087b9dfdca42476868714c6655430N.exe	31
PID 2324 wrote to memory of 1224	2324	netstart.exe	32
PID 2324 wrote to memory of 1224	2324	netstart.exe	32
PID 2324 wrote to memory of 1224	2324	netstart.exe	32
PID 2324 wrote to memory of 1224	2324	netstart.exe	32
PID 2324 wrote to memory of 1224	2324	netstart.exe	32
PID 2324 wrote to memory of 1224	2324	netstart.exe	32
PID 2324 wrote to memory of 2244	2324	netstart.exe	33
PID 2324 wrote to memory of 2244	2324	netstart.exe	33
PID 2324 wrote to memory of 2244	2324	netstart.exe	33
PID 2324 wrote to memory of 2244	2324	netstart.exe	33
PID 2316 wrote to memory of 2804	2316	b5d087b9dfdca42476868714c6655430N.exe	34
PID 2316 wrote to memory of 2804	2316	b5d087b9dfdca42476868714c6655430N.exe	34
PID 2316 wrote to memory of 2804	2316	b5d087b9dfdca42476868714c6655430N.exe	34
PID 2316 wrote to memory of 2804	2316	b5d087b9dfdca42476868714c6655430N.exe	34

C:\Users\Admin\AppData\Local\Temp\b5d087b9dfdca42476868714c6655430N.exe
"C:\Users\Admin\AppData\Local\Temp\b5d087b9dfdca42476868714c6655430N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\netstart.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\netstart.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 280
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
  2⤵
  - Deletes itself
  PID:2804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\Delet.bat

Filesize
186B

MD5
53111cfdcf8007fe40565b240a849e1f

SHA1
d19097797525a77d5ee564ae4c086fd3a1e0ce38

SHA256
ae88aba150a18ee4a1336507ffc952a131dfdddef639b63fd5e166aca9dd1e8c

SHA512
4ef5e349a94b7e336c5f021ff59437c3c81bbd8c2813a553825da5ee3f6c4f9e655bd013d27aeb2649be65e2a6941dae8c315d29fdde2df26e1c57b23911ca01

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\netstart.exe

Filesize
735KB

MD5
b5d087b9dfdca42476868714c6655430

SHA1
5f0e9dd41e5107d365c22a686c44e1605ee7494b

SHA256
b8de78eb25d54d04ed2e4d7a7197a7897cdb09d6e9cf97b1057d2ee2a963da30

SHA512
9925af1a5bc766b6ef4892eef92f91a7eecdf911ae599b6c9d3a03c99fa43582965592736ea69f38b5f6830a1c818c0fc0461a7d2ad6cb790a7a8813351fdb98

Download Submit
memory/1224-16-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1224-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1224-18-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2316-2-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2316-23-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2316-36-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2324-13-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2324-24-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing