40ce6ff2b491ddb66aeb454a88f75b3ea8f8ce30ff664842b4a76c8c52945950

Analysis

max time kernel
132s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40ce6ff2b491ddb66aeb454a88f75b3ea8f8ce30ff664842b4a76c8c52945950.exe
Size

47KB
MD5

79a8858938a5876a514e0322232d1a3f
SHA1

2d27e36670ac613a05ccda091487872790ec4977
SHA256

40ce6ff2b491ddb66aeb454a88f75b3ea8f8ce30ff664842b4a76c8c52945950
SHA512

ed954d3913ac6355118c2020aa8b593f1c8a8da60544ac10841aa012ff270e1e54a7e88b554f68c2fd02ace480dd896f3fe307cf867a7f11d4fc39bcb16d3880
SSDEEP

768:9TuXIEyrhG34FTvvQhRjbacva8H8OFfGGfcGfNGfL/XIELnfDtXIEctXIdtXIAtA:9DEGo3gLQ/PacfuGkGVGUELOEdIZEq

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update Client = "C:\\Windows\\system32\\wuclient.exe"	40ce6ff2b491ddb66aeb454a88f75b3ea8f8ce30ff664842b4a76c8c52945950.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	40ce6ff2b491ddb66aeb454a88f75b3ea8f8ce30ff664842b4a76c8c52945950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XPSP2 Firewall = "C:\\Windows\\system32\\xpsp2fw.exe"	40ce6ff2b491ddb66aeb454a88f75b3ea8f8ce30ff664842b4a76c8c52945950.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	40ce6ff2b491ddb66aeb454a88f75b3ea8f8ce30ff664842b4a76c8c52945950.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xpsp2fw.exe	40ce6ff2b491ddb66aeb454a88f75b3ea8f8ce30ff664842b4a76c8c52945950.exe
File created	C:\Windows\SysWOW64\wuclient.exe	40ce6ff2b491ddb66aeb454a88f75b3ea8f8ce30ff664842b4a76c8c52945950.exe
File opened for modification	C:\Windows\SysWOW64\wuclient.exe	40ce6ff2b491ddb66aeb454a88f75b3ea8f8ce30ff664842b4a76c8c52945950.exe
File created	C:\Windows\SysWOW64\xpsp2fw.exe	40ce6ff2b491ddb66aeb454a88f75b3ea8f8ce30ff664842b4a76c8c52945950.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bab4f8a7-569f-4eea-3e28-d5a7c51bab4f}	40ce6ff2b491ddb66aeb454a88f75b3ea8f8ce30ff664842b4a76c8c52945950.exe

C:\Users\Admin\AppData\Local\Temp\40ce6ff2b491ddb66aeb454a88f75b3ea8f8ce30ff664842b4a76c8c52945950.exe
"C:\Users\Admin\AppData\Local\Temp\40ce6ff2b491ddb66aeb454a88f75b3ea8f8ce30ff664842b4a76c8c52945950.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...