f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174

Analysis

max time kernel
157s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174.exe
Size

192KB
MD5

6042db3e9e1f5addf7967395e10650ef
SHA1

22c75b185e69831b94a4902dcc57e55eb72083ac
SHA256

f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174
SHA512

25918b60ea7aa49d51b6abf3a671399335eacd9cb5db9b6551826ba71ad4297c4409dcf815ce72c15aa1dd426207551042c76d03880f6e0aaed76fa78af35448
SSDEEP

3072:T4bdx7JIo+HNjpMEDJMdR/dBFOcYFbsJpPMTsuZfh:8JMo4iENKzpYFgJpPMwuZ5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
628	vemuni.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	vemuni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	vemuni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	vemuni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\wggrn\\command	vemuni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	vemuni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\wggrn	vemuni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\wggrn	vemuni.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5024	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 1128	4176	f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174.exe	82
PID 4176 wrote to memory of 1128	4176	f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174.exe	82
PID 4176 wrote to memory of 1128	4176	f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174.exe	82
PID 1128 wrote to memory of 628	1128	cmd.exe	84
PID 1128 wrote to memory of 628	1128	cmd.exe	84
PID 1128 wrote to memory of 628	1128	cmd.exe	84
PID 1128 wrote to memory of 5024	1128	cmd.exe	85
PID 1128 wrote to memory of 5024	1128	cmd.exe	85
PID 1128 wrote to memory of 5024	1128	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174.exe
"C:\Users\Admin\AppData\Local\Temp\f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vjmzswx.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\vemuni.exe
    "C:\Users\Admin\AppData\Local\Temp\vemuni.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:628
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:5024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vemuni.exe

Filesize
144KB

MD5
f0d337a0b4252a370203cc7fbc17701c

SHA1
9e25d0e34d4ca0d811a1a87cb6d7278ef1ea9753

SHA256
f62462ae5cf45af8e20e7c9d27c667947aeacadb0ad530112f5a91ae58ca79ee

SHA512
6ce479fde7efea7beb008f50733090f780eeb3d75c4fce2ce61dbf5eb139f8f6a675bf3f5fb9262821fed1ba7cc32a058eb75b8a59417dabc8927eff56e26916

Download Submit
C:\Users\Admin\AppData\Local\Temp\vemuni.exe

Filesize
144KB

MD5
f0d337a0b4252a370203cc7fbc17701c

SHA1
9e25d0e34d4ca0d811a1a87cb6d7278ef1ea9753

SHA256
f62462ae5cf45af8e20e7c9d27c667947aeacadb0ad530112f5a91ae58ca79ee

SHA512
6ce479fde7efea7beb008f50733090f780eeb3d75c4fce2ce61dbf5eb139f8f6a675bf3f5fb9262821fed1ba7cc32a058eb75b8a59417dabc8927eff56e26916

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjmzswx.bat

Filesize
124B

MD5
1ae1c920dd84c28c72f155ac49c4e032

SHA1
88184601a485b8fde8ce3847c96e687d6a5572a7

SHA256
978bfaa7bae9d194cffa6eda7f0ad8981f68c709aba935dcce55f61049ad168e

SHA512
13bcad6c9d870e9e9666c8cae8379ce9c38ec4b8330962ea77f40a45f49677b5abe78813ae9f503d3b8abb506b336737d8262e803ab20603b9b5b88699dc46c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzzsuo.bat

Filesize
188B

MD5
8e4e571873fdf572132210ffa630c734

SHA1
efe2cda56970b85ebc4afa3bb988704c40cb6a3c

SHA256
ec166f80260607bffdf3f2806a20dc704600a0e22d62c518314cae5e5affc351

SHA512
e570bb4456478d320e777c30dc3518539dd498c0eadb6d7078f38254c0565d2c0c33e24e7ac8e775370971e3c4fd799cc3b395d5bbe48db8df71074fe49bbc44

Download Submit
memory/628-135-0x0000000000000000-mapping.dmp

Download
memory/1128-132-0x0000000000000000-mapping.dmp

Download
memory/5024-138-0x0000000000000000-mapping.dmp

Download