814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa

Analysis

max time kernel
118s
max time network
109s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe
Size

124KB
MD5

006154ef212096ad03b12685136c4c50
SHA1

1b0bcc26c9868c8679402cbc87b5d26d90e7ce32
SHA256

814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa
SHA512

5ee6529c7878b84940a87f3a021f9dc275ec1369d923842fbbd4137c4b69fd18e9644a8b875add22d6c6def5107b540ebc82f14d35458174b5c05a13798d41f4
SSDEEP

1536:mvy50tV44aqwoa9ujdbNyVXa1lgNdaOCt1kTW4:mtWZqwoa9Xa1Idart194

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\59229 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\ccaieoum.com"	msiexec.exe

Blocklisted process makes network request 11 IoCs

flow	pid	Process
2	1896	msiexec.exe
6	1896	msiexec.exe
7	1896	msiexec.exe
8	1896	msiexec.exe
10	1896	msiexec.exe
11	1896	msiexec.exe
12	1896	msiexec.exe
13	1896	msiexec.exe
14	1896	msiexec.exe
15	1896	msiexec.exe
16	1896	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 364 set thread context of 892	364	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe	28

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\ccaieoum.com	msiexec.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
892	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe
892	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 892	364	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe	28
PID 364 wrote to memory of 892	364	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe	28
PID 364 wrote to memory of 892	364	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe	28
PID 364 wrote to memory of 892	364	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe	28
PID 364 wrote to memory of 892	364	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe	28
PID 364 wrote to memory of 892	364	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe	28
PID 364 wrote to memory of 892	364	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe	28
PID 892 wrote to memory of 1896	892	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe	27
PID 892 wrote to memory of 1896	892	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe	27
PID 892 wrote to memory of 1896	892	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe	27
PID 892 wrote to memory of 1896	892	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe	27
PID 892 wrote to memory of 1896	892	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe	27
PID 892 wrote to memory of 1896	892	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe	27
PID 892 wrote to memory of 1896	892	814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe	27

C:\Users\Admin\AppData\Local\Temp\814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe
"C:\Users\Admin\AppData\Local\Temp\814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:364
- C:\Users\Admin\AppData\Local\Temp\814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe
  "C:\Users\Admin\AppData\Local\Temp\814e040dcbab569dc28c6ddba6844eeab9926b97c8dc9fa288b4a568557fdeaa.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:892

C:\Windows\syswow64\msiexec.exe
C:\Windows\syswow64\msiexec.exe
1⤵
- Adds policy Run key to start application
- Blocklisted process makes network request
- Drops file in Program Files directory
PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/892-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/892-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/892-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/892-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/892-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1896-63-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/1896-65-0x0000000000140000-0x0000000000145000-memory.dmp

Filesize
20KB

Download
memory/1896-64-0x0000000000CA0000-0x0000000000CB4000-memory.dmp

Filesize
80KB

Download
memory/1896-66-0x0000000000140000-0x0000000000145000-memory.dmp

Filesize
20KB

Download