aaa0984f4f47742ed954891c1f117da700c44b3099a7006af59e9c16945be77b

Analysis

max time kernel
141s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaa0984f4f47742ed954891c1f117da700c44b3099a7006af59e9c16945be77b.exe
Size

277KB
MD5

62fc68c75d19a8a66eeef9b61bbce766
SHA1

1d67340fed03ccf01d1abcff762304cb3c6d4eac
SHA256

aaa0984f4f47742ed954891c1f117da700c44b3099a7006af59e9c16945be77b
SHA512

ecce735d963cc68cc21a76ad9590a0f6ea745dc572e1844992e18d10b18a5240c96769b2d4643d35eec1447b2a5f1f6a10f3aa7b0b6e9349b08f76b26df549e2
SSDEEP

6144:Kqow3LNNg0NYBxjzhjVAo0uY/W/Z9sPLZ3D/Nw1ykq:l3Hg0NYBxXhjR0uY/W/ctSsP

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CoreLoad\ImagePath = "\\??\\C:\\Windows\\system32\\CoreLoad\\CoreLoad.sys"	aaa0984f4f47742ed954891c1f117da700c44b3099a7006af59e9c16945be77b.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CoreLoad\CoreLoad.sys	aaa0984f4f47742ed954891c1f117da700c44b3099a7006af59e9c16945be77b.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4204	aaa0984f4f47742ed954891c1f117da700c44b3099a7006af59e9c16945be77b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4204	aaa0984f4f47742ed954891c1f117da700c44b3099a7006af59e9c16945be77b.exe

C:\Users\Admin\AppData\Local\Temp\aaa0984f4f47742ed954891c1f117da700c44b3099a7006af59e9c16945be77b.exe
"C:\Users\Admin\AppData\Local\Temp\aaa0984f4f47742ed954891c1f117da700c44b3099a7006af59e9c16945be77b.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4204-135-0x0000000000B00000-0x0000000000B6F000-memory.dmp

Filesize
444KB

Download
memory/4204-136-0x0000000000B00000-0x0000000000B6F000-memory.dmp

Filesize
444KB

Download
memory/4204-137-0x0000000000B00000-0x0000000000B6F000-memory.dmp

Filesize
444KB

Download