de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17/10/2022, 21:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a.exe
Size

85KB
MD5

9599b364669e3272f6fb111709e5e5ee
SHA1

8f14264b83738db5f2edd30471cf40d6b95b7c57
SHA256

de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a
SHA512

8a1482fe8c4bf71e5fea5e735c7fe2f1213afbb56ed115917dfa1d169670d97f7a1ba6ce40ffa6cc352f75a879de3034166d3d5ee3b5f8a12165f566980b85bd
SSDEEP

1536:vQAreYjXl+NdsEJ+P7qQoRhWyoVp+tKBz:4Arbj6sEJWCHcAk

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\services = "C:\\Users\\Admin\\AppData\\Roaming\\win32hlp.exe"	de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\services = "C:\\Users\\Admin\\AppData\\Roaming\\win32hlp.exe"	de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run	de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\services = "C:\\Users\\Admin\\AppData\\Roaming\\win32hlp.exe"	de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "C:\\Users\\Admin\\AppData\\Roaming\\win32hlp.exe"	de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1660	de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1660	de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a.exe
1660	de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a.exe

C:\Users\Admin\AppData\Local\Temp\de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a.exe
"C:\Users\Admin\AppData\Local\Temp\de3cdacfd4e894b2fcd65a5ec7d8aa6e0b82fbf899d71e115f9a5f065e3ce52a.exe"
1⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1660-54-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads