6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93

Analysis

max time kernel
63s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93.exe
Size

72KB
MD5

0ce2ccd988f7ab0c2339d0b4e24aef14
SHA1

14d3c1d36843a1e34be036b55f8da6769de0eaa2
SHA256

6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93
SHA512

7d8ba734467728be6654c682e826b7979baa0da2187c2f9e6e9ff5410b4db664efd3a95873245cb16aa18259c6c2b433a8e8712b2bedece8988cd9c150d5adc5
SSDEEP

768:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPp1:ieTce/U/hKYuKPp1

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93.exe

Executes dropped EXE 1 IoCs

pid	Process
2248	backup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4728	6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 2248	4728	6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93.exe	81
PID 4728 wrote to memory of 2248	4728	6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93.exe	81
PID 4728 wrote to memory of 2248	4728	6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93.exe	81

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93.exe

C:\Users\Admin\AppData\Local\Temp\6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93.exe
"C:\Users\Admin\AppData\Local\Temp\6aef4e1a8d288be48c32d9aca3a4ea21a0d646ef24fd828271d8c148ec38fe93.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4728
- C:\Users\Admin\AppData\Local\Temp\1418618706\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1418618706\backup.exe C:\Users\Admin\AppData\Local\Temp\1418618706\
  2⤵
  - Executes dropped EXE
  PID:2248
- - C:\backup.exe
    \backup.exe \
    3⤵
    PID:3920
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      PID:4012
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      PID:3896
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      PID:3516
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        
        PID:4856
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  PID:1412
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  PID:1924
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  PID:4248
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  PID:4292
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  PID:212
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  PID:2416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
22KB

MD5
c86a728bbc76802185ee8b4b209f3f10

SHA1
b62b4dacc921592a90f362bbc0cf46dc5ba9cb91

SHA256
bb6528886ff3909c3dab0fbaa48bb67c500db8c8fb607e5a7e7917bb98b2fae6

SHA512
db1537e2caabc822afe0a7c64c6a625d2a8dffc482051ca3978e68e7ac09e887073acab7f804fe9f0aff0ec504e9276866c37337eeb48c5d62e2291223f7ae27

Download Submit
C:\PerfLogs\backup.exe

Filesize
37KB

MD5
fb6ca192d5b3bae844a314c10ff5e9d7

SHA1
a537a60de2542971529927f456f6f9def32fc844

SHA256
393e3f4a3e47f5dfca987ba6618d1580e3b9482e82c84d72a79f607359a088e5

SHA512
ba40d3916bc13797843b535a2723875e8b7a66e4eb7d32f4995dcc16aea9c1c12ca351a747bb631d343d742685f4b17f9eed291fb035313a472a8e3dd414a81a

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
25KB

MD5
335d22dd654d1345e687695b99ed5952

SHA1
997fd404b54e178af1b0ae7ac2fc7b038c0d8b65

SHA256
4d9eaca2bb8f43fb492ebdd9ed4dcc27b30258cdb218c447985b01bfa3a26b99

SHA512
f6fb7bfd1d28516323e1ef41faf24d10c3f4ebc5f0d6a995e03d92d56eaea066597d39e832721c644d3c7be2b7fe46b1db017a94d1d5fce292239ddaa05a458d

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
10KB

MD5
55f6c62ef11e94bb20f734387a65fb3d

SHA1
58f5e689f8350cef4b2918aa21b6e40555b196ca

SHA256
b55eba07f2678e67c8a09de88b35b4c297f477f91a7bdcb68311e0ce2c8a1d54

SHA512
83612d681aaede0ed46f51a68bcb535ff3cd1f2a3d5260a843e374d2cdeba48a56a6e847e6049b464561b97aa9b7e0ed0eb62148d229b4c6f19a9c6973c9adba

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
8KB

MD5
62933e95bac692933f8b741bfcfbd743

SHA1
b3dc51ebe3f805702f8108778e1525fe4f7aced1

SHA256
f773b1cb459548b8869f85c1b4419cba75f31f9bc53c68623d3cbd9184ea85cd

SHA512
8939746a4eccc0c9e23907d3ea281e9578efa3730e930ce6ed9300a7c6d000dfb923cdcf01c702d032b9cb5c7978e89bb0ddced84c3abdba7d0b4f8159f04146

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
29KB

MD5
93b57b1c2f05293ee290ce920721b3ad

SHA1
197a1a0e2d978d8c74844461c8f61d151c6396b2

SHA256
21b8cef3e20792dcba78ff8b7070502239b2b589ad73744d0685186b8692ce71

SHA512
3fb19830d83af0e38da58c8e79158679c018081f7d012d86156a8d31960764f322b181574c393b03d77931dbb4599cd6602ac214b2712983b1c7d31f557bea2b

Download Submit
C:\Program Files\backup.exe

Filesize
2KB

MD5
ff300828440b5480d96f68da00603c63

SHA1
c677a8af3e37b730ecb143ffc20d9e319eeac716

SHA256
e7ac0c1849165344db692bff840d9ca62bebf52fec3d5bed75af79cbe554996e

SHA512
3623414d66384c36d880b01f536cb8f02fb78bf0daaacdaa764df9073e76803f19b8f1e825a5279c90a7a4d632ce7a8982b0106ea33e7cb7973ebb8965dd418a

Download Submit
C:\Program Files\backup.exe

Filesize
65KB

MD5
0226a4f05cad2401469ecf414b03499c

SHA1
2c13585e96765d9888281a11c0d6908e0bd7fde0

SHA256
464bbd6c7a8a0335fa3f39cce03922ee84f4230c76a41a1b9493ae758c374661

SHA512
b43181dd98d9b2a7058187ed7b90fcd80e386e0d54d670108f42f15475e66c0750d0b5744eab03c6273a495f544b2dde1e9da453839f4d3fbfe0490d23ab65b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1418618706\backup.exe

Filesize
34KB

MD5
d9dea38193caa640baddc013617a65bd

SHA1
8ba18b9fd8ec83fc24e5990c46cb205ba50041ef

SHA256
32b739cb23142f2341b888271d5f42c0f864448a21531eef1c93b1197746eb98

SHA512
e28b1a7d28e0026b711791ad870a6050149b88ada504a42ed7a84cc1aa7cc70328b9e57ac92d78ac5e16b1c71581c962d2a3f7db46505510022bd362f1ebe399

Download Submit
C:\Users\Admin\AppData\Local\Temp\1418618706\backup.exe

Filesize
29KB

MD5
e3ec4d4349bd7dbd5e9cfd1c015024c0

SHA1
4058d6829db26b5e2f6f92b119495c47f5a8f44b

SHA256
5251079c826229f1627b58476d7f507ad720aeb8c0bc9b257d40e59b51ab1caf

SHA512
2785f541a3ab0989bca3ddbbafa6b19c59faf96b00d570bdf3fca665ba11a974ce23e584f38f20bdc6467b417c1da35c290429ff64aea0627f390bae43592e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
7KB

MD5
01d8a47e1d3e2ccab1545e4410eac2ff

SHA1
0472999d9a0a583a5eeca7005e18c9c4fdd69136

SHA256
998afd62378b9dfefa8f70ee82b68680b80a03c37806a8751389a0fafcd12632

SHA512
8d96e10e25adb6e20eafd8582c57820f1d9d096113bed20dc878f22658d19ae6a9d66f79a9874f69dbf298d52933b1158c1e140bb09ab1e6c3203466abf05cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
58KB

MD5
963583f4f76919832f69b916fc24fbf1

SHA1
e44c979f51c063f12f4de6c1737db5cdfd2e6f27

SHA256
9e01b52185120201c8b179440099e5a6b1fbb41be67c20df6e11fd868fba43cc

SHA512
81c21bbb352990b35cfc125d44864721f5eef40586a17d6de8c302bdd91041ff7ccf5f707c2d81283af6d351f33a48a75168a7b5377d2a3f9d3c43958e902b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
31KB

MD5
fcd1a216d8e05d32d6827761a2fd2bd8

SHA1
6353fef3d88bddf609300cf47ac43b28b63e4ac8

SHA256
9b6e9ee8b8000e60780c75d99ee7b36e51797009c9f9c74f0dc60371cf083a38

SHA512
0696aaecbb228cbbf3e03b5de0b00c1bdbe339e7ed53d746cab9849ebe6dd34a7c1cc1396c40e13b8463d161a1ebf5b0db10a458f18e7c60e59340ca67d84606

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
47KB

MD5
930475191fb597f43c8483db061af572

SHA1
50be2cc2159c22e2084cefb42560ca4c5dcc5fdc

SHA256
37d7ca96be6faada013f2fbbf605bcec8e689ab8f821c5888b5e541f7b7aeb42

SHA512
e92140bd85cd6d14c0d257dba1609090b85789202790226d4692912ead4b1f6bf3bd48f3d9783da4c45216b106c01ccb26feb88dd5eb2a83a56e4cf3ab238116

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
46KB

MD5
f188c9c726890cc52679b0f978e1b3c1

SHA1
f5336a7ba96f74b599670d876fd6ccc3d42614ae

SHA256
70dfde76fd6f08880162007c430a7f22196bfa6ba53718e0a59b4c71446d27c8

SHA512
08bf8767ffe07389852176fc267ac9ac0f8e352108aaf73b44509a2fb94cf886867efe3f81a2110d23eeaad8cfaf621d40884507200f166d5997219cad581e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
14KB

MD5
7092bf14713d2cdc486b923bbc456de7

SHA1
aae4e46ab6704064b03607701f3be5724ebf7bf8

SHA256
58f1bbe9dcf85768c8de7dce79512661db75f880081275d3ab04858e7cbdab34

SHA512
9a0b0d13a3ac6b262d6db6772cb2466aaf76e09ce8e9c77f1dc709af261b7270c3b2ff7fa3d1e540398bce1a33c192b43b5f9073d3f6299b22f488860dc62477

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
65KB

MD5
5343695250df9e4c51ff9e19067ef86f

SHA1
4a044a66e71dfd6cba5c2bfee1338049fc6e73b7

SHA256
410c260412edee7e29793a03d530a18b26dcc16c347a6eadfeabad44e19ba108

SHA512
f232ff69f525bcdc6c3322f6879050acb1a0e22449a13d68293e918477774f135b770e1f03cbbfc16a32a6b05988d78b47f44e794032def0e0e8169b5e88685b

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
61KB

MD5
71b32ff693e811beb2c6dc3798743e35

SHA1
6e6a50b5b8336d2cdd2ae558aaf1a5f84161c9ac

SHA256
7930b979df6b7a4faabfa91344434f3e453274281770c849478e5e615b7a2b9e

SHA512
0305b2c4a758bf755e95189979c03615cfd34adc1fb68d9b1dbe534b702caea9bba13ba60898ae408f8a2768b0877f3ff1b09e61418ac0e147f0142674f2e551

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
50KB

MD5
99cb72ad20014e82920a92aa9d725aa9

SHA1
9405d74092704d93641c92310bc060f3214a1a14

SHA256
85eeba7a768922dafd46d9c48af36bb3ec116759bf8e8103a0c3c211baabf92c

SHA512
feeec03708f13365db5a506b26d4329ae7f5e2c1c5a630e87542d6486a00865715ea7adfa841e12c38d418d1d919de8c5ecad1b24545aa8e07c09984ea0adb17

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
63KB

MD5
d3a67947eef05c24b55df96c9ce94fec

SHA1
23541b434c2e74d0c5653a2701e319d80f26ac2b

SHA256
65c14e1b1228ccfbd3c7b262cec1399b823161845be34b486d40cc45d62bafed

SHA512
000ff767e52d8d27dd3b327c15a8a8a19af7b0fc9d8dcddbd71998f19acf0df12b97380713fc26fb60471668849d4435afada9fbcd78fdda4bfe33de197e57b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
50KB

MD5
79d291dc3b2cbf09db6c0117f417d97d

SHA1
eca578dd5ce18115ebc3b13d874de7a30d297719

SHA256
67682fcd1a655bb012b5be32096dac3205579cbdc232bbdc545d0fa5a267ad88

SHA512
6f11f9202559542c6cfbcd7abebaaba373b9bc95fc594196b74c0686b5721fd37500e1a7ccf61ef3b6287298297fb4970fffbe0d5ced69835b707ef48e78b5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
26KB

MD5
688838b7513ee73baa07cfac2bbf82fa

SHA1
7a5296a188fb82149617867cef6e985c95f39fc9

SHA256
ece8aa1866d18939355591e10339c2ba97b094eac34fffd0fd92dc305d3b5b69

SHA512
83000b6c4bbaa4c5dda698455f00726cc920a87a50564c7ac84258268beb9a11df0d1aefe789bd9cf9691c7d6e0d054bf12ee4699f3a15bc4982f1d6fef38c7b

Download Submit
C:\backup.exe

Filesize
25KB

MD5
cb0854137278c598f4c98f4b7f603e25

SHA1
e240ae3a59b2f0a7893d4a9222820899d38b30d2

SHA256
e5b79d7f4b73c7de4cf244fbcde47db79f1e3c483496f575ba637dd0061dd5df

SHA512
4c3b835aba71965541390b4849b2c653e94c395e9b8bbea6ab37e6910fdc143ad20f355ef7ea838b352cebc8693b9a638da3cd703aaecc48c45cb0cd73e3a205

Download Submit
C:\backup.exe

Filesize
13KB

MD5
d552e5bc306ca472a2c792875139ed1e

SHA1
89e52958ade1680b18b5bcba4122099eb5a69a3a

SHA256
475974e9714c4c7865a72878167b3e98c3c6ec1370c0d7d81ebcd81679e465ff

SHA512
76cb8c0bd493241b76e61807220dc5933db9310dedd5c8694c235a7be7b6d4b31f28ff88158b4b8049f5197c2ce160e54ee1ba1750763337bc6295322e801296

Download Submit
C:\odt\backup.exe

Filesize
59KB

MD5
9b933471385244575d05ef6eff7e9e75

SHA1
c3b96d57e125452eaa2efd17bcb37e602db008b6

SHA256
01bd70bf03f5ca7ad2161293b759f1b062ffd753074d2e3a3c0e7686fa1526ac

SHA512
c821820de79995d393ab08ab49e1633d32e5e1bb76bde9fa66a3ff90fbf6371692b9779373d4cdb0ba41bab7d2e8ef2c3c5edeea79bbb68490cd0e20b07a20e6

Download Submit
C:\odt\backup.exe

Filesize
18KB

MD5
6236694a4eeb78a9936b4aea5efd740b

SHA1
e584f7942f85d7f46459467533ac536cc480472a

SHA256
a37d19b251f6190d49c7fb2268818643d2a6dc478f05929a4a417ffd7c046efa

SHA512
e1fd9a453a85af44a0eb64f9b3bca08b85e7135bb1b2fda0940000e59b634d1a7304ea6d312998ff7f5167bf6efc5eccdaac7050358596a0434ec3fda20bfc91

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads