2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020

Analysis

max time kernel
140s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.exe
Size

3.9MB
MD5

2b9a973875657c4cc71a322faba6aad7
SHA1

32cf6d82605844a0c58cdf13df797de5b29f2f4e
SHA256

2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020
SHA512

31a7060b17781821ef32c9f967f6bb6c4af4b60846609f269f5aafa048e14d23a7880cda842cdba23702d0d8412818915c1a0e5cf865b346a8509a8975304e9c
SSDEEP

98304:uYMtRuf0mPSqx1B2eJmbuHJPbAoBSkirDlsLJnQOwvZsUY/:GjlmKABzJkutx4kiDlOnQOOy

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp

Kills process with taskkill 5 IoCs

evasion

pid	Process
4132	taskkill.exe
2648	taskkill.exe
3992	taskkill.exe
4344	taskkill.exe
1376	taskkill.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	4132	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	3992	taskkill.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 3332	2176	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.exe	80
PID 2176 wrote to memory of 3332	2176	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.exe	80
PID 2176 wrote to memory of 3332	2176	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.exe	80
PID 3332 wrote to memory of 4400	3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp	81
PID 3332 wrote to memory of 4400	3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp	81
PID 3332 wrote to memory of 4400	3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp	81
PID 4400 wrote to memory of 4344	4400	cmd.exe	83
PID 4400 wrote to memory of 4344	4400	cmd.exe	83
PID 4400 wrote to memory of 4344	4400	cmd.exe	83
PID 3332 wrote to memory of 5092	3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp	84
PID 3332 wrote to memory of 5092	3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp	84
PID 3332 wrote to memory of 5092	3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp	84
PID 5092 wrote to memory of 1376	5092	cmd.exe	86
PID 5092 wrote to memory of 1376	5092	cmd.exe	86
PID 5092 wrote to memory of 1376	5092	cmd.exe	86
PID 3332 wrote to memory of 3348	3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp	87
PID 3332 wrote to memory of 3348	3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp	87
PID 3332 wrote to memory of 3348	3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp	87
PID 3348 wrote to memory of 4132	3348	cmd.exe	89
PID 3348 wrote to memory of 4132	3348	cmd.exe	89
PID 3348 wrote to memory of 4132	3348	cmd.exe	89
PID 3332 wrote to memory of 1812	3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp	90
PID 3332 wrote to memory of 1812	3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp	90
PID 3332 wrote to memory of 1812	3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp	90
PID 1812 wrote to memory of 2648	1812	cmd.exe	92
PID 1812 wrote to memory of 2648	1812	cmd.exe	92
PID 1812 wrote to memory of 2648	1812	cmd.exe	92
PID 3332 wrote to memory of 1420	3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp	93
PID 3332 wrote to memory of 1420	3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp	93
PID 3332 wrote to memory of 1420	3332	2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp	93
PID 1420 wrote to memory of 3992	1420	cmd.exe	95
PID 1420 wrote to memory of 3992	1420	cmd.exe	95
PID 1420 wrote to memory of 3992	1420	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.exe
"C:\Users\Admin\AppData\Local\Temp\2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\is-GK2KM.tmp\2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GK2KM.tmp\2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp" /SL5="$9002C,3760838,95744,C:\Users\Admin\AppData\Local\Temp\2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /f /im RegGenie.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im RegGenie.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /f /im RegGenieScheduler.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im RegGenieScheduler.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /f /im RegGenieOnReboot.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im RegGenieOnReboot.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /f /im RegGenieOnRebootExpired.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im RegGenieOnRebootExpired.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /f /im RegGenieOnUninstall.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im RegGenieOnUninstall.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-GK2KM.tmp\2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp

Filesize
730KB

MD5
fe83e2b6738f44e59abaa29711ee2114

SHA1
05f47673d645c6d3c53bc631b064ac6189b1f988

SHA256
b5071bb34f3f9a08fd47062799f66aa31810c0fd4e7ec1ae4155ac6be28719d3

SHA512
07d6b27b0b61dba51593aa24b43e7f313b66329204e1c72007b96004b12470bd2690ddfc45844d47d82ce8a38f1816d9e323a298e9253634effb840fecdceff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GK2KM.tmp\2a2d5aa515d55d45ee0997d25fde652c8221753e5c55921f6b1b6679fb47f020.tmp

Filesize
730KB

MD5
fe83e2b6738f44e59abaa29711ee2114

SHA1
05f47673d645c6d3c53bc631b064ac6189b1f988

SHA256
b5071bb34f3f9a08fd47062799f66aa31810c0fd4e7ec1ae4155ac6be28719d3

SHA512
07d6b27b0b61dba51593aa24b43e7f313b66329204e1c72007b96004b12470bd2690ddfc45844d47d82ce8a38f1816d9e323a298e9253634effb840fecdceff8

Download Submit
memory/2176-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2176-132-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2176-148-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads