ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b

Analysis

max time kernel
12s
max time network
3s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b.exe
Size

31KB
MD5

3eec2ee2e5a6889c765aa4a93aa2fce4
SHA1

3afe5124aa86f3d0c0d47522d67dd43a0b0ebded
SHA256

ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b
SHA512

9f041ac50175a58ad721424985d4a3d46f526fb62c32862beeca77095b20a913bfea6baaa44ee34223bac7ad4c9e846abfac62b7489280e6a424d47bda9f5269
SSDEEP

768:fAzJqGhQxIpEf+HZjn+xHFCeym0vFug7VD8S:WJqKQqpEIZr08et0vFug7x

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xydzyh = "C:\\Windows\\system32\\xydzyh.exe"	ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xydzyh.exe	ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b.exe
File created	C:\Windows\SysWOW64\xydzyh.exe	ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1404	ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b.exe
1404	ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 3004	1404	ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b.exe	61
PID 1404 wrote to memory of 1868	1404	ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b.exe	75
PID 1404 wrote to memory of 1868	1404	ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b.exe	75
PID 1404 wrote to memory of 1868	1404	ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b.exe	75

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3004
- C:\Users\Admin\AppData\Local\Temp\ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b.exe
  "C:\Users\Admin\AppData\Local\Temp\ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b.exe_deleteme.bat
    3⤵
    PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ef51291aef993ff16a500bdf654a3eaf3cec38c0cf4749ddcbb0b87c464c463b.exe_deleteme.bat

Filesize
248B

MD5
9b85a034b6ac9bc273e634a3e7157e3b

SHA1
b12cfe0dc456db63592a2bdf724d8e5a76467916

SHA256
11c15cbb96029f6c5d59f1f13971ec730c889df7b23e0a694e33443f356f91c2

SHA512
5b7efdcda4560318e24dfb7f166d37d415298dbfd13faa68bc3c74ff43907d670577191567263968c01f24f09d5d63be2a843f866d3e74f0fd79cdbe4e497550

Download Submit