017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173

Analysis

max time kernel
47s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173.exe
Size

72KB
MD5

0c04c221a47741ba43700ebcdb4fe317
SHA1

51686f7cf75d0b880c5186c3bca1d2b92c6fa718
SHA256

017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173
SHA512

cadaf6021a5670b0b33db3343f83d51148f59e62e5ec36c4b0d339dbdf9d87116700e0d2276aec84de96bf93bbdb85497b6cc8d6f3e9e2d6e5a956cae317fe69
SSDEEP

768:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPpl:ieTce/U/hKYuKPpl

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173.exe

Executes dropped EXE 1 IoCs

pid	Process
2852	backup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4272	017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 2852	4272	017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173.exe	82
PID 4272 wrote to memory of 2852	4272	017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173.exe	82
PID 4272 wrote to memory of 2852	4272	017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173.exe	82

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173.exe

C:\Users\Admin\AppData\Local\Temp\017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173.exe
"C:\Users\Admin\AppData\Local\Temp\017e8152d06feea4b1aa7eae0df58668ce46591fa401d692eb12202cdbd9f173.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4272
- C:\Users\Admin\AppData\Local\Temp\207390201\backup.exe
  C:\Users\Admin\AppData\Local\Temp\207390201\backup.exe C:\Users\Admin\AppData\Local\Temp\207390201\
  2⤵
  - Executes dropped EXE
  PID:2852
- - C:\backup.exe
    \backup.exe \
    3⤵
    PID:2296
- C:\Users\Admin\AppData\Local\Temp\Low\data.exe
  C:\Users\Admin\AppData\Local\Temp\Low\data.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  PID:32
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  PID:4676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\207390201\backup.exe

Filesize
40KB

MD5
a3cc86064e355a1e13169457038c9e5e

SHA1
337ba1e90cc5e514339649f0944a37c94c9591e4

SHA256
43b33ce8fa93a696b835956edb4ebd459e93e60cb24b8f45e62c94b8687eb130

SHA512
a3feb76645e0a59a447fd21b34971f949868459026e09ff6006a8a50bf038ff55f29d2e9e99ef401e0ce075b2f8cfad1e4cdbb3aa9953ffe31a9cfb19d1e285c

Download Submit
C:\Users\Admin\AppData\Local\Temp\207390201\backup.exe

Filesize
31KB

MD5
8f0ad897854c1ca0e4356f4a09534870

SHA1
7b307ab06867c83dc79486f6731a9274c30dddb1

SHA256
17b9bf345543cf69af7886edcde5a697a64bc90453ccb9d6d9e785246fbab8b8

SHA512
7eadcf8cba90884175c56ecf933a77d4c50191fc2cf230bb1ae907b825f66f493dc28b5a37c1ffe1ff85d39895afc7cd2f253635597f2c96e5f2f3513d65b434

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\data.exe

Filesize
41KB

MD5
2d63d2851de90b6e69f60e07c54dab8f

SHA1
87855b2c763a187bdd1bbff77c06aa3646fead9d

SHA256
1d43b223cdf7e81c4ee525fcc63f5a6d55d83392d8eb57a9e2b5ac7ac0cf5210

SHA512
7230d0c65695384743a1dcc8dde78cbfccc0811cafffb6dad3c14dff611f67395ec84735a11cd7c9c4e9cd25772b05a1def8cd492141c23c711c3415f319a91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\data.exe

Filesize
29KB

MD5
48dd782d5e2103df338a989d9ba755e5

SHA1
42dc31841e2d4001f7752e568450e29839acdb6a

SHA256
914521f4f24902cbcc48359c4cad262e46f43e261ed8f31063536172fbaf52cb

SHA512
cf2afc6935cba5054cdfce9e08e7305d2233b5144816d7073447de842b4ac3af2386b5ca51dd48cfd50c294e04cb039eb1e6df569b3f602f2d2af0049906eacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
31KB

MD5
0bd194630cd5e543701c738f5ae4f210

SHA1
b40ad5776e4a762159da85de3f257d547d06654b

SHA256
c74a7b19490e032c2b19745126fac2715051304f62ce880326d8ad684e569e6c

SHA512
89657e5b9944c1e067bb6963a6a8bce685112ec63c465727eff53f92658b5eeb1a216ac20d659f384b830785b21fa7df4743570a6fc1f8a3b53294ab906b3ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
24KB

MD5
640016fd2f5b8fc16d9bd8b1ad9bca07

SHA1
3adb0d0661442bb21e311c6c42930b285ba7a2d7

SHA256
99b34ea6b286f770e9e6d69f597d7491ed9bfadd7a7fd10bb7e0aca7cffad398

SHA512
2494242966b06e3cb806e77efc2afc8f0d6ace897cf8a47eea3d5fac727902fedc4345be81374a55037223e2073cb6772ecb5479c92850ae2694df4b16c96a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
41KB

MD5
b5ad92adda6c9a3f780a139f100ac49f

SHA1
ae4fe5366ccc451a40a896f59745494ceaa28437

SHA256
e16e1bb15642aa3974e9f6203ac5bdc5ab913d2e557625756627b1b634eaed46

SHA512
9e7d5af3b6360593c25ed4ec3f9e29104ad1b57097484dadba0bc39e4c06e6fc485541e2b7fb4cf0119e735ffb70564fa542e9a2f710dfc2d548919c0fe9a3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
17KB

MD5
5eb89e316457d0a7629dc1757852b470

SHA1
748dc4f677967ddef0ce59f63fbb98f734c0d1c4

SHA256
dbc467b8fa05ced3518a11188d4f94491d74eada57b8f72f03ee6b30c3b218c6

SHA512
4383c3a6eacfa1f1e468d02c03c23a73843d38517406ffc275a78ecd8971942af9a683a2a753c0c40c446ba1b47ffc7eb5e32811c770e31795d495e8d08da158

Download Submit
C:\backup.exe

Filesize
35KB

MD5
e83e83b391a90dd3167eaff6c4d844bb

SHA1
d904caf6d62cee968a66f56e9e9aa166ab6c17b2

SHA256
aacb8d8968eb942403824ecd1a1888f09fb4cf7a3b9fed074208b7f5097ab443

SHA512
ed7d1ee85da193e846909ac2cb44800c18a9508a10e0f04b284bab8151777e00a3610fd7d01fb7561bf06f156ebdda5ab8224dd0127d79bff11139c9cbaf11c2

Download Submit
C:\backup.exe

Filesize
35KB

MD5
3ab3c74669807947c57f2944fe1e57e3

SHA1
02efb8fa9c4772d073b8090f272ba0f2ad89653d

SHA256
d4e6f629b9d4df824c05f9def9faa46bbf52b9876c758ad0f946d8feca9a34a2

SHA512
5091b9c40131f0ac386933b1425e7b4e1860947360beff2ddd85bfcb4b66a0e4e3147cd7f73666168e4ccbe16d99e61921414fff61e0534e64d45b31d9e94ac0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads