eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea

Analysis

max time kernel
93s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 05:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe
Size

596KB
MD5

4266921e3b60460afcc46ace73cbd575
SHA1

c2c959451db765f70fd280a6377a71d4f63f8289
SHA256

eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea
SHA512

afc5a9bb2e09768a487f9eb0d06654d0c22708ebbc59227e7e45cc768123aab8538b4789d406ad6a2943f0be330f85b7a7e4a4faee05778c40fde6e5ae289339
SSDEEP

12288:T3eepe+ICi903zWXGdPsOjzudd0gjWulMJ2YQirWis:6skCi903zWXGdPIdd0gjWulMJ2YQirWp

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4364 set thread context of 684	4364	eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe	78

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5028	reg.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 684	4364	eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe	78
PID 4364 wrote to memory of 684	4364	eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe	78
PID 4364 wrote to memory of 684	4364	eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe	78
PID 4364 wrote to memory of 684	4364	eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe	78
PID 4364 wrote to memory of 684	4364	eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe	78
PID 4364 wrote to memory of 684	4364	eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe	78
PID 4364 wrote to memory of 684	4364	eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe	78
PID 4364 wrote to memory of 684	4364	eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe	78
PID 684 wrote to memory of 4768	684	eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe	79
PID 684 wrote to memory of 4768	684	eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe	79
PID 684 wrote to memory of 4768	684	eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe	79
PID 4768 wrote to memory of 5028	4768	cmd.exe	81
PID 4768 wrote to memory of 5028	4768	cmd.exe	81
PID 4768 wrote to memory of 5028	4768	cmd.exe	81
PID 4768 wrote to memory of 596	4768	cmd.exe	82
PID 4768 wrote to memory of 596	4768	cmd.exe	82
PID 4768 wrote to memory of 596	4768	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe
"C:\Users\Admin\AppData\Local\Temp\eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe
  "C:\Users\Admin\AppData\Local\Temp\eaf79ed64e4858a3a28e0a6a84685d1e06ddb485792e42427da5a438fc9d3aea.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:5028
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
memory/684-133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/684-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/684-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download