bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff

Analysis

max time kernel
98s
max time network
110s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe
Size

128KB
MD5

42d0deebf77bee3380e5162f016e2966
SHA1

b5dacb867c87786f22c350f169f731bf40d86cd7
SHA256

bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff
SHA512

dee813ad12e8c4b9a0c5696ffaeb873dc105bfbc6d63bdd1f4a34c7dd1ee88e4750a1acdaf8a829933d36c93ad709645d2802d2096e2d1a73f7976033cf3d98c
SSDEEP

3072:2F//mA/gRFMGbE92X4TpAe78vyV2cnsEhOUSu4rN3:2F/l4RFZbEIX4NAfs2cs9p

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1000 set thread context of 1668	1000	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe	27

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1668	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe
1668	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe
1668	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1000	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe
1000	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 1668	1000	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe	27
PID 1000 wrote to memory of 1668	1000	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe	27
PID 1000 wrote to memory of 1668	1000	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe	27
PID 1000 wrote to memory of 1668	1000	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe	27
PID 1000 wrote to memory of 1668	1000	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe	27
PID 1000 wrote to memory of 1668	1000	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe	27
PID 1000 wrote to memory of 1668	1000	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe	27
PID 1000 wrote to memory of 1668	1000	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe	27
PID 1000 wrote to memory of 1668	1000	bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe	27

C:\Users\Admin\AppData\Local\Temp\bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe
"C:\Users\Admin\AppData\Local\Temp\bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\AppData\Local\Temp\bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe
  C:\Users\Admin\AppData\Local\Temp\bf381a0b703d4d38c963a6ffbdc128f94ef2182d3bc0864d83f70ed9edc5cbff.exe
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1000-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1000-63-0x0000000000280000-0x0000000000284000-memory.dmp

Filesize
16KB

Download
memory/1668-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1668-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1668-58-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1668-60-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1668-61-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1668-66-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1668-67-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1668-68-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download