dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9

Analysis

max time kernel
46s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 19:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9.exe
Size

114KB
MD5

a0267afa52febe74b922ce7907489020
SHA1

fc7d0783c76d00f2a91b2ccc6657cdb11f54b342
SHA256

dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9
SHA512

fb22dee05956bb6ae2fb33e730544e1741a799e87c8eea24352efd5f43d33059addd2324b4b65513558f98becbc693b74d6cd7a56f1d62696e78b172277c3aae
SSDEEP

1536:BMQKzwcnBIw+k7u7rVWiktMUNmR1GKWfgA8i2U8i2Q8i2M8i2y8i2x8i2:6DzwcnV7u7rVWikKUGYKWfgWnfHlS

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Serverx = "C:\\Windows\\system32\\Serverx.exe"	dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Serverx.exe	dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9.exe
File opened for modification	C:\Windows\SysWOW64\Serverx.exe	dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1216	1552	dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9.exe	26
PID 1552 wrote to memory of 1216	1552	dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9.exe	26
PID 1552 wrote to memory of 1216	1552	dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9.exe	26
PID 1552 wrote to memory of 1216	1552	dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9.exe	26
PID 1552 wrote to memory of 1220	1552	dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9.exe	8
PID 1552 wrote to memory of 1220	1552	dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9.exe	8

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9.exe
  "C:\Users\Admin\AppData\Local\Temp\dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9.exe
    "C:\Users\Admin\AppData\Local\Temp\dede3ae7bb25ae9419809bc30913e8ac355dfa6e2e8fe9d7bf9ea962f9cb53f9.exe"
    3⤵
    PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1216-57-0x0000000001000000-0x000000000101F000-memory.dmp

Filesize
124KB

Download
memory/1220-58-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1552-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1552-60-0x0000000001000000-0x000000000101F000-memory.dmp

Filesize
124KB

Download