4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7

Analysis

max time kernel
18s
max time network
11s
platform
windows7_x64
resource
win7v20201028
submitted
13-01-2021 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO-Scan-Documents00012910993993.exe
Size

177KB
MD5

a2c17f6556ae89a8a1683f889bffc7e9
SHA1

cf2aa59cc8e074dfd3d72b052beef746aba1fe6a
SHA256

4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7
SHA512

9f18670e24387969db2fee5cbc9698cfdac86997d1b5ac63e39cf973e0170473440ed3cd0a130ab00b339bf89802b14da425f52bb5c62c651eea0c486a993b37

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PO-Scan-Documents00012910993993.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PO-Scan-Documents00012910993993.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\owerrita = "\"C:\\Users\\Admin\\AppData\\Roaming\\owerri\\owerrinta.exe\""	PO-Scan-Documents00012910993993.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

PO-Scan-Documents00012910993993.exePO-Scan-Documents00012910993993.exe

description	pid	process	target process
PID 1668 wrote to memory of 980	1668	PO-Scan-Documents00012910993993.exe	PO-Scan-Documents00012910993993.exe
PID 1668 wrote to memory of 980	1668	PO-Scan-Documents00012910993993.exe	PO-Scan-Documents00012910993993.exe
PID 1668 wrote to memory of 980	1668	PO-Scan-Documents00012910993993.exe	PO-Scan-Documents00012910993993.exe
PID 1668 wrote to memory of 980	1668	PO-Scan-Documents00012910993993.exe	PO-Scan-Documents00012910993993.exe
PID 980 wrote to memory of 620	980	PO-Scan-Documents00012910993993.exe	WScript.exe
PID 980 wrote to memory of 620	980	PO-Scan-Documents00012910993993.exe	WScript.exe
PID 980 wrote to memory of 620	980	PO-Scan-Documents00012910993993.exe	WScript.exe
PID 980 wrote to memory of 620	980	PO-Scan-Documents00012910993993.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\PO-Scan-Documents00012910993993.exe
"C:\Users\Admin\AppData\Local\Temp\PO-Scan-Documents00012910993993.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\PO-Scan-Documents00012910993993.exe
"C:\Users\Admin\AppData\Local\Temp\PO-Scan-Documents00012910993993.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
PID:620

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
524e5fb562a4a117eda856bee5262bf8

SHA1
4f9236e6ece562bb70fff0ce0c77d740fe326885

SHA256
338e7e9704fb5fa59369b7c32b1d096308e6d7b4a769ce0c4c37d029e1afe29c

SHA512
47f153e9406e3d49c54db4ff56c4e62fc9e0569c61afb69d76c1c55f87f978cd93c734b359773bb2b3b302b99a96595e43afe5f093f8347dcd22f57aa99eb43e

Download Submit
memory/620-3-0x0000000000000000-mapping.dmp

Download
memory/980-2-0x0000000000000000-mapping.dmp

Download