9546ab2b8e868846648cd24a2ce34422f31ee133d503e40af301a0a1e01ba42b

Analysis

max time kernel
19s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 17:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9546ab2b8e868846648cd24a2ce34422f31ee133d503e40af301a0a1e01ba42b.exe
Size

288KB
MD5

02c89c4d80b8ee58b035802556507665
SHA1

8a19e939de0f6f8284bf4888550c49adbeaffe00
SHA256

9546ab2b8e868846648cd24a2ce34422f31ee133d503e40af301a0a1e01ba42b
SHA512

a93ccf05f72e9a4fbd110ae37dc61e940db42dae22ece631c1d7eb3f8f6f762e756b10e322c1177bdaf0eb33358d0051019a57379f4ede885232f14f3b3671e9
SSDEEP

3072:Vmks8Q1pYbemh0S9tM9o/iHrNoTxCU5nPmMo6nac6InB3joJpv5Tj:AksP1KbemmS7M9oeoTH5mQ6YBUJpx

Score

1^/10

Malware Config

Signatures

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1412	reg.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1536	952	9546ab2b8e868846648cd24a2ce34422f31ee133d503e40af301a0a1e01ba42b.exe	28
PID 952 wrote to memory of 1536	952	9546ab2b8e868846648cd24a2ce34422f31ee133d503e40af301a0a1e01ba42b.exe	28
PID 952 wrote to memory of 1536	952	9546ab2b8e868846648cd24a2ce34422f31ee133d503e40af301a0a1e01ba42b.exe	28
PID 952 wrote to memory of 1536	952	9546ab2b8e868846648cd24a2ce34422f31ee133d503e40af301a0a1e01ba42b.exe	28
PID 1536 wrote to memory of 1412	1536	cmd.exe	30
PID 1536 wrote to memory of 1412	1536	cmd.exe	30
PID 1536 wrote to memory of 1412	1536	cmd.exe	30
PID 1536 wrote to memory of 1412	1536	cmd.exe	30
PID 1536 wrote to memory of 1488	1536	cmd.exe	31
PID 1536 wrote to memory of 1488	1536	cmd.exe	31
PID 1536 wrote to memory of 1488	1536	cmd.exe	31
PID 1536 wrote to memory of 1488	1536	cmd.exe	31
PID 1536 wrote to memory of 1488	1536	cmd.exe	31
PID 1536 wrote to memory of 1488	1536	cmd.exe	31
PID 1536 wrote to memory of 1488	1536	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\9546ab2b8e868846648cd24a2ce34422f31ee133d503e40af301a0a1e01ba42b.exe
"C:\Users\Admin\AppData\Local\Temp\9546ab2b8e868846648cd24a2ce34422f31ee133d503e40af301a0a1e01ba42b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Start.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
    3⤵
    - Modifies registry key
    PID:1412
- - C:\Windows\SysWOW64\gpupdate.exe
    gpupdate /force
    3⤵
    PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
memory/952-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download