df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e

Analysis

max time kernel
93s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 18:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe
Size

32KB
MD5

0ada35386eef4413855207c0ef2c7ea8
SHA1

94c0596b7939c9f514047c50a6929823accde40e
SHA256

df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e
SHA512

0e615360ead799d3b44c1b9a6e3e72e2822755c99c9ef47c29b425810c50aa75a18f4027cb821f04a09fc0180b8d17147e4595763ce2cc0a45eef612192bcbe9
SSDEEP

768:xB9BzSkfQboqGp5UW7lyGwy26gFstX9nIONEiiV:xBeMTqGaFs0

Score

6^/10

Malware Config

Signatures

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4848 set thread context of 4924	4848	df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe	82

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4848	df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe
4924	df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe
4924	df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4924	4848	df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe	82
PID 4848 wrote to memory of 4924	4848	df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe	82
PID 4848 wrote to memory of 4924	4848	df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe	82
PID 4848 wrote to memory of 4924	4848	df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe	82
PID 4848 wrote to memory of 4924	4848	df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe	82
PID 4848 wrote to memory of 4924	4848	df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe	82
PID 4848 wrote to memory of 4924	4848	df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe	82
PID 4848 wrote to memory of 4924	4848	df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe	82
PID 4848 wrote to memory of 4924	4848	df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe	82

C:\Users\Admin\AppData\Local\Temp\df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe
"C:\Users\Admin\AppData\Local\Temp\df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\df82af13cbd66d7390333ae7835f7f8e505b4266855e35ec5c536dae1c9a5c2e.exe
  a|
  2⤵
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  PID:4924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4924-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4924-137-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4924-141-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download