ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0

Analysis

max time kernel
35s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0.exe
Size

109KB
MD5

6750f2900f1f55d116e28fa9e14fdd70
SHA1

7d25e23bed9437ea9fce2d755fdb66e2a14cef7b
SHA256

ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0
SHA512

a4981e790a857ce41a61c3f074f64340d122f1f6e6b4dc2ff034dbc2052988938c36d4a4f9c79416bca453bed83b9784323fe1bd0242d1a0c66dc632716fd4f0
SSDEEP

3072:E8EE5iHmnKlX1M625h1uDxUa47fMRVCupYKSDADeak7dJHB/AoV:Ev+XKzJVSsQLH5Ao

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runouce.exe	ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1476	1388	ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0.exe	26
PID 1388 wrote to memory of 1476	1388	ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0.exe	26
PID 1388 wrote to memory of 1476	1388	ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0.exe	26
PID 1388 wrote to memory of 1476	1388	ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0.exe	26
PID 1388 wrote to memory of 1396	1388	ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0.exe	14
PID 1388 wrote to memory of 1396	1388	ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0.exe	14

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0.exe
  "C:\Users\Admin\AppData\Local\Temp\ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0.exe
    "C:\Users\Admin\AppData\Local\Temp\ea3f74d703f332844a21d841f3091dd26308bb46b497ec2afca5dcb3de36fea0.exe"
    3⤵
    PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1388-54-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/1388-58-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download
memory/1396-56-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download