747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6ef

General

Target

747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6efN.exe
Size

380KB
MD5

9276f7a511040c89e5be74c4c87154c0
SHA1

f51c5e8650a4d1ae553c686c6c5e351a429c2458
SHA256

747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6ef
SHA512

01c3f9c03525132ad8655254f17d72fa25d5d21dc6295b18027ca86da4f1fcfd01d90759fc5a60510c60ab348f8d3a68c076fe528b3b29d843ef49c15a21295c
SSDEEP

6144:BkLYyvZFsjpHQvXrlHyJzVJot3aERiLTwEYYs1Z:BkLYyourOWaE0TGY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2724	sysctl.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\realex.exe \"%1\" %*"	747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6efN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6efN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysctl.exe = "C:\\Windows\\system32\\sysctl.exe"	747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6efN.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysctl.exe	747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6efN.exe
File created	C:\Windows\SysWOW64\realex.exe	747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6efN.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2528	2724	WerFault.exe	82
1304	1960	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6efN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysctl.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6efN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\realex.exe \"%1\" %*"	747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6efN.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2724	1960	747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6efN.exe	82
PID 1960 wrote to memory of 2724	1960	747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6efN.exe	82
PID 1960 wrote to memory of 2724	1960	747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6efN.exe	82

C:\Users\Admin\AppData\Local\Temp\747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6efN.exe
"C:\Users\Admin\AppData\Local\Temp\747e22115172dfa6b3a4254e15ac5cb904320e75a2977df9b3a0c51bf3f5d6efN.exe"
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\sysctl.exe
  C:\Windows\system32\sysctl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 460
    3⤵
    - Program crash
    PID:2528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 472
  2⤵
  - Program crash
  PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2724 -ip 2724
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1960 -ip 1960
1⤵
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sysctl.exe

Filesize
381KB

MD5
770cdde1156466aa91aa39b52c036f1d

SHA1
1c3c9725ebbb6284c3b6f8791c80cdba2d9248a6

SHA256
be6cdb73354f832255134b77b318ac20d9039eb199860221cfba14d20abcce12

SHA512
bb17f2c207f227177c6600bd6cba773b0cd6face3f794e497d2f1cd8f33f30dbea5824afadc7c879bf0216ba64faac8d1b57da579eafa7085b089b0873281f5a

Download Submit
memory/1960-0-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1960-7-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2724-6-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/2724-8-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads