Overview

overview

6

Static

static

de49d71581...3f.exe

windows7-x64

6

de49d71581...3f.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    91s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 02:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de49d7158104096ac628c50715025cd04444a388bae291545ad459e15a18ff3f.exe

  • Size

    100KB

  • MD5

    6a069d49f1eeef0fd12b2095c9174e42

  • SHA1

    598ed606248c083bbffb668b00bb55126e0ab4f4

  • SHA256

    de49d7158104096ac628c50715025cd04444a388bae291545ad459e15a18ff3f

  • SHA512

    fa46b08583d2a3d0ff63262570887fb97d0b1538795aa4e0612b6d351875b91554c2f77bdb3cc5b4bfe3ab61c77bc9218553141fc1cf6921058e656428c8fe8e

  • SSDEEP

    1536:7HUHWhVMPNzMh0QpFZyOSAYZRx6ik9ld8rAzt3i6EBXlLOUp:I9k0QpFZyOSAYZRx6iDrhLOUp

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de49d7158104096ac628c50715025cd04444a388bae291545ad459e15a18ff3f.exe
    "C:\Users\Admin\AppData\Local\Temp\de49d7158104096ac628c50715025cd04444a388bae291545ad459e15a18ff3f.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c reg add HKCU\software\microsoft\windows\currentversion\run /v Updates /t REG_SZ /d D:\Updates.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4968
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\software\microsoft\windows\currentversion\run /v Updates /t REG_SZ /d D:\Updates.exe /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1324
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c reg add HKCU\software\microsoft\windows\currentversion\run /v Backup /t REG_SZ /d D:\Backup.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\software\microsoft\windows\currentversion\run /v Backup /t REG_SZ /d D:\Backup.exe /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:852

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4376-132-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4376-139-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download