7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38

Analysis

max time kernel
146s
max time network
134s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 16:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe
Size

148KB
MD5

900961ac130fd170ee31180434a9f891
SHA1

a792b38ca231589e6b489fccd70d0681cb831b04
SHA256

7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38
SHA512

dd58e9cdf5ac1ca655eba7410cbe4cff3527c6d36fbdb03cdcd7fe658d594e85071c054c7ef75da469f22da3686ac8e74306b31f15e72375aa2f071b4e4d7303
SSDEEP

1536:XIiz/7xQSKXuRiAhYvqj/R08ab2gGmpE+xNOvx5b1nY8k4rKyFEgjL:p7KeQAhDrRXab2gceOvbKl4rKyFxL

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1660	b0917a1.exe
952	b0917a1.exe

Loads dropped DLL 2 IoCs

pid	Process
940	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe
940	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\b0917a1 = "C:\\Users\\Admin\\AppData\\Roaming\\b0917a1\\b0917a1.exe"	b0917a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b0917a1 = "C:\\Users\\Admin\\AppData\\Roaming\\b0917a1\\b0917a1.exe"	b0917a1.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1368 set thread context of 940	1368	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe	27
PID 1660 set thread context of 952	1660	b0917a1.exe	29

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe
816	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	952	b0917a1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1368	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe
1660	b0917a1.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 940	1368	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe	27
PID 1368 wrote to memory of 940	1368	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe	27
PID 1368 wrote to memory of 940	1368	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe	27
PID 1368 wrote to memory of 940	1368	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe	27
PID 1368 wrote to memory of 940	1368	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe	27
PID 1368 wrote to memory of 940	1368	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe	27
PID 1368 wrote to memory of 940	1368	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe	27
PID 1368 wrote to memory of 940	1368	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe	27
PID 1368 wrote to memory of 940	1368	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe	27
PID 1368 wrote to memory of 940	1368	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe	27
PID 940 wrote to memory of 1660	940	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe	28
PID 940 wrote to memory of 1660	940	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe	28
PID 940 wrote to memory of 1660	940	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe	28
PID 940 wrote to memory of 1660	940	7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe	28
PID 1660 wrote to memory of 952	1660	b0917a1.exe	29
PID 1660 wrote to memory of 952	1660	b0917a1.exe	29
PID 1660 wrote to memory of 952	1660	b0917a1.exe	29
PID 1660 wrote to memory of 952	1660	b0917a1.exe	29
PID 1660 wrote to memory of 952	1660	b0917a1.exe	29
PID 1660 wrote to memory of 952	1660	b0917a1.exe	29
PID 1660 wrote to memory of 952	1660	b0917a1.exe	29
PID 1660 wrote to memory of 952	1660	b0917a1.exe	29
PID 1660 wrote to memory of 952	1660	b0917a1.exe	29
PID 1660 wrote to memory of 952	1660	b0917a1.exe	29
PID 952 wrote to memory of 816	952	b0917a1.exe	30
PID 952 wrote to memory of 816	952	b0917a1.exe	30
PID 952 wrote to memory of 816	952	b0917a1.exe	30
PID 952 wrote to memory of 816	952	b0917a1.exe	30
PID 952 wrote to memory of 816	952	b0917a1.exe	30
PID 952 wrote to memory of 816	952	b0917a1.exe	30

C:\Users\Admin\AppData\Local\Temp\7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe
"C:\Users\Admin\AppData\Local\Temp\7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe
  "C:\Users\Admin\AppData\Local\Temp\7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Roaming\b0917a1\b0917a1.exe
    "C:\Users\Admin\AppData\Roaming\b0917a1\b0917a1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Users\Admin\AppData\Roaming\b0917a1\b0917a1.exe
      "C:\Users\Admin\AppData\Roaming\b0917a1\b0917a1.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:952
    - - C:\Windows\syswow64\explorer.exe
        
        "C:\Windows\syswow64\explorer.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\b0917a1\b0917a1.exe

Filesize
148KB

MD5
900961ac130fd170ee31180434a9f891

SHA1
a792b38ca231589e6b489fccd70d0681cb831b04

SHA256
7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38

SHA512
dd58e9cdf5ac1ca655eba7410cbe4cff3527c6d36fbdb03cdcd7fe658d594e85071c054c7ef75da469f22da3686ac8e74306b31f15e72375aa2f071b4e4d7303

Download Submit
C:\Users\Admin\AppData\Roaming\b0917a1\b0917a1.exe

Filesize
148KB

MD5
900961ac130fd170ee31180434a9f891

SHA1
a792b38ca231589e6b489fccd70d0681cb831b04

SHA256
7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38

SHA512
dd58e9cdf5ac1ca655eba7410cbe4cff3527c6d36fbdb03cdcd7fe658d594e85071c054c7ef75da469f22da3686ac8e74306b31f15e72375aa2f071b4e4d7303

Download Submit
C:\Users\Admin\AppData\Roaming\b0917a1\b0917a1.exe

Filesize
148KB

MD5
900961ac130fd170ee31180434a9f891

SHA1
a792b38ca231589e6b489fccd70d0681cb831b04

SHA256
7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38

SHA512
dd58e9cdf5ac1ca655eba7410cbe4cff3527c6d36fbdb03cdcd7fe658d594e85071c054c7ef75da469f22da3686ac8e74306b31f15e72375aa2f071b4e4d7303

Download Submit
\Users\Admin\AppData\Roaming\b0917a1\b0917a1.exe

Filesize
148KB

MD5
900961ac130fd170ee31180434a9f891

SHA1
a792b38ca231589e6b489fccd70d0681cb831b04

SHA256
7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38

SHA512
dd58e9cdf5ac1ca655eba7410cbe4cff3527c6d36fbdb03cdcd7fe658d594e85071c054c7ef75da469f22da3686ac8e74306b31f15e72375aa2f071b4e4d7303

Download Submit
\Users\Admin\AppData\Roaming\b0917a1\b0917a1.exe

Filesize
148KB

MD5
900961ac130fd170ee31180434a9f891

SHA1
a792b38ca231589e6b489fccd70d0681cb831b04

SHA256
7dd782bd5f50403978187a36a1c7d2f9645bad97ba875ea3d3c77b8e9bf0ea38

SHA512
dd58e9cdf5ac1ca655eba7410cbe4cff3527c6d36fbdb03cdcd7fe658d594e85071c054c7ef75da469f22da3686ac8e74306b31f15e72375aa2f071b4e4d7303

Download Submit
memory/816-102-0x0000000000080000-0x000000000008D000-memory.dmp

Filesize
52KB

Download
memory/816-101-0x0000000074BF1000-0x0000000074BF3000-memory.dmp

Filesize
8KB

Download
memory/940-65-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/940-64-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/940-70-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/940-71-0x0000000001ED0000-0x0000000002051000-memory.dmp

Filesize
1.5MB

Download
memory/940-57-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/940-58-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/940-75-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/940-60-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/940-69-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/940-62-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/952-95-0x0000000001E70000-0x0000000001FF1000-memory.dmp

Filesize
1.5MB

Download
memory/952-99-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1368-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1368-68-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1660-93-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download