Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 03-12-2021 08:58
General
- Target: 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe
- Size: 463KB
- MD5: a603a8a69bbcd08f4899a605ab1c68e4
- SHA1: 59f7a2f88a8a3fc13f685672b72506b28ba1614e
- SHA256: 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81
- SHA512: 367238cbdaadbfbe42e08da5596f44efb00844505b7a415a57fd3a2d969b8ca83ac4b6ab3c0a4f6c348d9fec0229baee760bb0798768325710a7e70a3f8a4612
Malware Config
Signatures
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid   process
  2428  4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                        pid   process                                                                 target process
  PID 2428 wrote to memory of 2580   2428  4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe   cmd.exe
  PID 2428 wrote to memory of 2580   2428  4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe   cmd.exe
  PID 2428 wrote to memory of 2580   2428  4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe   cmd.exe
  PID 2428 wrote to memory of 2688   2428  4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe   svchost.exe
  PID 2428 wrote to memory of 2688   2428  4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe   svchost.exe
  PID 2428 wrote to memory of 2688   2428  4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe   svchost.exe
  PID 2580 wrote to memory of 3460   2580  cmd.exe                                                                 reg.exe
  PID 2580 wrote to memory of 3460   2580  cmd.exe                                                                 reg.exe
  PID 2580 wrote to memory of 3460   2580  cmd.exe                                                                 reg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe"
  Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (depth 3)
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      Signatures: Modifies registry key
  - C:\Windows\SysWOW64\svchost.exe (depth 2)
    Command line: C:\Windows\SysWOW64\svchost.exe
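The two behaviours recorded in the Signatures and Processes sections above are the ones a detection engineer would want to turn into rules: reg.exe setting EnableLUA to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (which disables UAC at the next reboot and needs administrative rights, which the sandbox's Admin user has), and a svchost.exe that was started by the sample rather than by services.exe, with an empty command line, right after the sample wrote to its memory. Two details of the tree matter for the rules: the command line names C:\Windows\System32\reg.exe but the image that ran is C:\Windows\SysWOW64\reg.exe, because the 32-bit cmd.exe was subject to WoW64 file-system redirection, so a rule keyed on the full System32 path would miss it; and a legitimate svchost.exe carries a `-k <service group>` argument. The following is an added example written for this page, not part of the sandbox report or of the sample: it runs both checks over a handful of constructed Sysmon-style process-creation events whose PIDs, image paths and command lines are copied from the report, with an assumed explorer.exe parent and an assumed benign services.exe/svchost.exe pair added for contrast. Function names (`is_reg_uac_disable`, `is_suspicious_svchost`, `is_wow64_redirected`, `run_detections`) are the example's own.

```python
"""Detection checks for the behaviour in this report, run over constructed
Sysmon-style process-creation events that mirror the process tree above.
The events are illustrative (not the sandbox's output): PIDs, images and
command lines come from the report, everything else is assumed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """The subset of a Sysmon Event ID 1 / Security 4688 record used here."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe")
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
REG_CMD = rf"C:\Windows\System32\reg.exe ADD {UAC_KEY} /v EnableLUA /t REG_DWORD /d 0 /f"

# Constructed events. explorer.exe (pid 1000) as the sample's parent and the benign
# services.exe/svchost.exe pair (700/900) are assumptions added for contrast.
EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2428, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2580, 2428, r"C:\Windows\SysWOW64\cmd.exe",
              rf"/k %windir%\System32\reg.exe ADD {UAC_KEY} /v EnableLUA /t REG_DWORD /d 0 /f"),
    ProcEvent(3460, 2580, r"C:\Windows\SysWOW64\reg.exe", REG_CMD),
    ProcEvent(2688, 2428, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
    ProcEvent(700, 600, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent(900, 700, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]

# reg.exe ADD <Policies\System key> /v EnableLUA ... /d 0, tolerant of case,
# HKLM vs HKEY_LOCAL_MACHINE, quoting and argument order.
UAC_KEY_RE = re.compile(
    r"(HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    r"\\Policies\\System\b", re.I)
ENABLELUA_RE = re.compile(r'/v\s+"?EnableLUA"?', re.I)
ZERO_RE = re.compile(r'/d\s+"?(0x)?0+"?(\s|$)', re.I)
ADD_RE = re.compile(r"\badd\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def first_token(cmdline: str) -> str:
    """Program token of a Windows command line (quoted or bare)."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(None, 1)[0] if s else ""


def is_reg_uac_disable(ev: ProcEvent) -> bool:
    """reg.exe (the System32 or the SysWOW64 copy) setting EnableLUA to 0."""
    if basename(ev.image) != "reg.exe":
        return False
    return all(r.search(ev.cmdline) for r in (ADD_RE, UAC_KEY_RE, ENABLELUA_RE, ZERO_RE))


def is_wow64_redirected(ev: ProcEvent) -> bool:
    """Command line names System32 but the image that ran lives in SysWOW64:
    a 32-bit parent hit file-system redirection, as cmd.exe did in this report.
    Rules keyed on the full System32 path miss this; key on the basename."""
    prog = first_token(ev.cmdline).lower()
    return ("\\syswow64\\" in ev.image.lower() and "\\system32\\" in prog
            and basename(prog) == basename(ev.image))


def is_suspicious_svchost(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """A legitimate svchost.exe is started by services.exe with a '-k <group>'
    argument. Either condition failing (here: parent is the sample and there are
    no arguments at all) is the shape of an injected host process. Production
    rules allow-list the few known benign exceptions (e.g. MsMpEng.exe parents)."""
    if basename(ev.image) != "svchost.exe":
        return False
    parent = by_pid.get(ev.ppid)
    parent_ok = parent is not None and basename(parent.image) == "services.exe"
    has_group = re.search(r"(^|\s)-k\s+\S+", ev.cmdline) is not None
    return not (parent_ok and has_group)


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image basenames from pid up to the last ancestor we have an event for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def run_detections(events: List[ProcEvent]) -> List[Tuple[str, int, List[str]]]:
    """(rule name, pid, ancestry) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if is_reg_uac_disable(ev):
            findings.append(("uac_disabled_via_reg", ev.pid, ancestry(ev.pid, by_pid)))
        if is_suspicious_svchost(ev, by_pid):
            findings.append(("svchost_not_from_services", ev.pid, ancestry(ev.pid, by_pid)))
    return findings


if __name__ == "__main__":
    for name, pid, chain in run_detections(EVENTS):
        print(f"{name}: pid {pid} via {' <- '.join(chain)}")
```

On the constructed events the two findings are reg.exe (pid 3460) with the ancestry reg.exe, cmd.exe, the sample, explorer.exe, and svchost.exe (pid 2688) with the sample as its parent; the benign svchost.exe under services.exe is not flagged. The ancestry is what an analyst needs to pivot from the registry write back to the dropped executable, and the WoW64 check explains why the reg.exe image path in the tree does not match its own command line.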