4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01

Analysis

max time kernel
112s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 04:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe
Size

308KB
MD5

70c9540255f5d4e5fc4d9f862af7ac50
SHA1

d7af361ece4fb9dffe892013654e379de4eebda2
SHA256

4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01
SHA512

02cdf96a333a02c05c5a6c181a337265e2da52701f5210671f9637dd6e5ab93684df3e0401ee74f1fd80d43b3c58dbc07915f8453b63e2de95ff7381fa2497b7
SSDEEP

6144:ERvb8bT8FphQWXL4a9C+5WQMt8/ef1Y6TLmrgN:IzJp64LbC+5HMa/NrgN

Score

7^/10

evasion trojan

Malware Config

Signatures

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Microsoft Antimalware\SpyNet	4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Microsoft Antimalware\SpyNet\SpyNetReporting = "0"	4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1968 set thread context of 392	1968	4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe	83

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1968	4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 392	1968	4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe	83
PID 1968 wrote to memory of 392	1968	4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe	83
PID 1968 wrote to memory of 392	1968	4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe	83
PID 1968 wrote to memory of 392	1968	4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe	83
PID 1968 wrote to memory of 392	1968	4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe	83
PID 1968 wrote to memory of 392	1968	4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe	83
PID 1968 wrote to memory of 392	1968	4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe	83
PID 1968 wrote to memory of 392	1968	4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe	83

C:\Users\Admin\AppData\Local\Temp\4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe
"C:\Users\Admin\AppData\Local\Temp\4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe"
1⤵
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe
  "C:\Users\Admin\AppData\Local\Temp\4f6b6c26d1652ec023cba670fdb01a02e0c0352c00c31ce34641731ae88fdb01.exe"
  2⤵
  PID:392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-138-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/392-140-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download