a9cbd3e87f31b5cb3013a46114783cfa74057c2ab3c85792ad4ecaa3267e5778

Analysis

max time kernel
159s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9cbd3e87f31b5cb3013a46114783cfa74057c2ab3c85792ad4ecaa3267e5778.exe
Size

105KB
MD5

1026874fd64a4fa33e7ec6daf31c70c0
SHA1

69aaaaee4d6103e9be220fcb402405087f0feea2
SHA256

a9cbd3e87f31b5cb3013a46114783cfa74057c2ab3c85792ad4ecaa3267e5778
SHA512

529a9bb114575d4caeaa3dc7fda7baf98dd2eaaacfb3bbe3fdf6811a132ea2299b48f3fb76aa4370e48253ba602ef65accb7fa5eee2e5db11dc2605499ec6747
SSDEEP

1536:gxt26ZcmAgaGW590QszAg/ULZqFqMOxEP5GNWJ1Zpi8f9/L7kGZDTJLey:gx06Zb1cOLqMOm5Gz813NTVB

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1234klsjdc uiar924c af = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a9cbd3e87f31b5cb3013a46114783cfa74057c2ab3c85792ad4ecaa3267e5778.exe\""	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1234klsjdc uiar924c af = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a9cbd3e87f31b5cb3013a46114783cfa74057c2ab3c85792ad4ecaa3267e5778.exe\""	reg.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1980	regedit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 2740	4952	a9cbd3e87f31b5cb3013a46114783cfa74057c2ab3c85792ad4ecaa3267e5778.exe	81
PID 4952 wrote to memory of 2740	4952	a9cbd3e87f31b5cb3013a46114783cfa74057c2ab3c85792ad4ecaa3267e5778.exe	81
PID 4952 wrote to memory of 2740	4952	a9cbd3e87f31b5cb3013a46114783cfa74057c2ab3c85792ad4ecaa3267e5778.exe	81
PID 2740 wrote to memory of 1980	2740	cmd.exe	83
PID 2740 wrote to memory of 1980	2740	cmd.exe	83
PID 2740 wrote to memory of 1980	2740	cmd.exe	83
PID 2740 wrote to memory of 4712	2740	cmd.exe	84
PID 2740 wrote to memory of 4712	2740	cmd.exe	84
PID 2740 wrote to memory of 4712	2740	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\a9cbd3e87f31b5cb3013a46114783cfa74057c2ab3c85792ad4ecaa3267e5778.exe
"C:\Users\Admin\AppData\Local\Temp\a9cbd3e87f31b5cb3013a46114783cfa74057c2ab3c85792ad4ecaa3267e5778.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 45687Z.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\regedit.exe
    regedit -s 456.reg
    3⤵
    - Adds Run key to start application
    - Runs .reg file with regedit
    PID:1980
- - C:\Windows\SysWOW64\reg.exe
    REG IMPORT 456.reg
    3⤵
    - Adds Run key to start application
    PID:4712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\456.reg

Filesize
252B

MD5
68f8b677ee003308bbd68f5f25e6eb48

SHA1
e39e5a972471a963a6c857b96bd4ea2b2b76472f

SHA256
f326291e2e5b64efcbd07e2439124b5fc35805410c1bee3e0dc7e16c78c687ec

SHA512
4bd987c83d3b908cc50fb55a31e5f2170edf575a0416d6bbf0a87d1e2c831c316ed9e5804b788e52b76357be0f6be7f9ea9fab886ba5a41a8f04d22407746677

Download Submit
C:\Users\Admin\AppData\Local\Temp\45687Z.bat

Filesize
77B

MD5
4b87e56f817da0475aeb9f2772c2d741

SHA1
e4454a3ff4c071ae952a1aef687df0d254c9eebd

SHA256
038f4f64cfe0c16683a24d009e4dfbc4abe55915a75b5eb6098eb7c36c441903

SHA512
e10931dde06ae51586a251b393be8ee60b19c968dcd2468b079d20a2efbfca7b2fad35a5f1b04305022f222cb2a2656c31c88c67e25b0b802587b6d19b11f4f2

Download Submit
memory/1980-134-0x0000000000000000-mapping.dmp

Download
memory/2740-132-0x0000000000000000-mapping.dmp

Download
memory/4712-136-0x0000000000000000-mapping.dmp

Download