581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147

Analysis

max time kernel
131s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 17:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe
Size

32KB
MD5

025769d558816ddfc6d580b056a87460
SHA1

e1f808922308eb9f75dee7c431c92c61990f1543
SHA256

581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147
SHA512

989d3b0e6a74b68cc823b8080d4bf088c7ec6608794f09180940c23c5093355eada1d026ebab2229ae95b6fb166129bf547bd1e31d9fc224ecb1f7cd2df1bfd5
SSDEEP

384:f98xUHQ38/U5Oxy4/q8zLeiU0erv2qyaNMCoNEeRcGOrnhJuE0Mudig:Ww5wyBqopY2qyqtGO793ukg

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinHttp = "C:\\Users\\Admin\\AppData\\Local\\WinHttp.exe"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3136	regedit.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
860	581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe
860	581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 3136	860	581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe	82
PID 860 wrote to memory of 3136	860	581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe	82
PID 860 wrote to memory of 3136	860	581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe	82

C:\Users\Admin\AppData\Local\Temp\581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe
"C:\Users\Admin\AppData\Local\Temp\581728743d21a5d0357ee3857cd010ac57f876f0cc5056e3ea5aed504f5f9147.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:3136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Filesize
166B

MD5
f44153ef26be29552cf320325ad8b72e

SHA1
74ac72ba2ff0f871e59b11c95ad707372662370c

SHA256
767009fb8726500a4bc54b2ee744cc3ada64fdf16a44e22ff9dfe7652e2a439f

SHA512
1d42a4dba1d8d0df9f8fedfba384ffdbcff3103c8ba360f255b5d7e8a46128f40521e4d16cf6de04365b3b6ffad8bc681cf7042d92867ab3d912601a3d5e6e65

Download Submit
memory/860-132-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/860-135-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download