581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe
Size

32KB
MD5

025769d558816ddfc6d580b056a87460
SHA1

e1f808922308eb9f75dee7c431c92c61990f1543
SHA256

581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147
SHA512

989d3b0e6a74b68cc823b8080d4bf088c7ec6608794f09180940c23c5093355eada1d026ebab2229ae95b6fb166129bf547bd1e31d9fc224ecb1f7cd2df1bfd5
SSDEEP

384:f98xUHQ38/U5Oxy4/q8zLeiU0erv2qyaNMCoNEeRcGOrnhJuE0Mudig:Ww5wyBqopY2qyqtGO793ukg

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\COMSysApp = "C:\\Users\\Admin\\AppData\\Local\\COMSysApp.exe"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2020	regedit.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
1896	581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe
1896	581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2020	1896	581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe	28
PID 1896 wrote to memory of 2020	1896	581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe	28
PID 1896 wrote to memory of 2020	1896	581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe	28
PID 1896 wrote to memory of 2020	1896	581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe	28
PID 1896 wrote to memory of 2020	1896	581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe	28
PID 1896 wrote to memory of 2020	1896	581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe	28
PID 1896 wrote to memory of 2020	1896	581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe	28

C:\Users\Admin\AppData\Local\Temp\581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe
"C:\Users\Admin\AppData\Local\Temp\581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Filesize
170B

MD5
8d34b34f32539aaa8d6ef96b033fad7b

SHA1
68224bd075fced2add81ee07173ffb4088d3b9c0

SHA256
3b79e9e0dcda0b5ddb0ae7b1aa565b1cdea44e869b0de1fec2257d35041b84f0

SHA512
7ff81cba187e050f140355156585313a2911cbf91d0a265b221dbad0a9f07c04e78a15d7fd5027aec8aa16a2590a2e843b188938d3aaccf1aa96a4be28a4196d

Download Submit
memory/1896-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1896-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1896-57-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/1896-58-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/1896-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download