18d873a380943c2ffc9dda8801adbe6fd7638451c6e2f3be018b69d77cf3e3b9

Analysis

max time kernel
186s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SETUP-~2.exe
Size

413KB
MD5

7c6bf4432d3609cd6f9f3bce71374e9c
SHA1

b12fbfaed3d47791cca2bcaa45f658dcd38e75ef
SHA256

af485461b5c9d5afd1e085e8572a035b9fb5731092ac985cb09b801dbaa24912
SHA512

b5b648031846438b7a3b12dcd112138af49e189c2efbbcf45b8d468d539bac4f9640ef4f5cc7d6a9694b67d567f2b3e56f58ae00bd6670e71a7e3cda7964928a
SSDEEP

6144:BrBBrVKcGnwv3RbNPsuIeZyl6MgecSMJg8ZFiJrtaYYmjXBTbXGZJQBqlQ:zB5K5nwv31+eZyzgPnJgTtaYxXBXGlQ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4204	avmon.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avmon.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "c:\\avmon.com"	avmon.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4204	avmon.com

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 4204	1572	SETUP-~2.exe	78
PID 1572 wrote to memory of 4204	1572	SETUP-~2.exe	78
PID 1572 wrote to memory of 4204	1572	SETUP-~2.exe	78

C:\Users\Admin\AppData\Local\Temp\SETUP-~2.exe
"C:\Users\Admin\AppData\Local\Temp\SETUP-~2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1572
- \??\c:\avmon.com
  c:\avmon.com
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\avmon.com

Filesize
412KB

MD5
8edea4928232d3437897b507cc471e6b

SHA1
bc6dcb3ec24d100dd1bb6cc13ab23b0c75d12939

SHA256
33b47b1663c8ffc0e4da1c1c0e4c12852008bfbd4003aab316ac63fe58cbc57c

SHA512
bea0d8e81fd94840c805c3369a7780a8a07f501ea858dd683c6bd2c7f96be55027ef9d5a990b5ad496ec5016cbf95f9f71c6e6e9f3126dcfd0f6cfc420fcadbe

Download Submit
\??\c:\avmon.com

Filesize
412KB

MD5
8edea4928232d3437897b507cc471e6b

SHA1
bc6dcb3ec24d100dd1bb6cc13ab23b0c75d12939

SHA256
33b47b1663c8ffc0e4da1c1c0e4c12852008bfbd4003aab316ac63fe58cbc57c

SHA512
bea0d8e81fd94840c805c3369a7780a8a07f501ea858dd683c6bd2c7f96be55027ef9d5a990b5ad496ec5016cbf95f9f71c6e6e9f3126dcfd0f6cfc420fcadbe

Download Submit