308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433.exe
Size

48KB
MD5

5d2c54d7434ac9e2cdf317620d406cd0
SHA1

37176b79ab0431b590e95a1a42df65827e407ab3
SHA256

308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433
SHA512

78d51234923efe94a23f3c8c8d50edc34a44b3a7d8d02401f3617bb53f66ab40c430fea0442d270b2f264addc3129f96bec18e4e9c8edf41736f1768f5c788a9
SSDEEP

768:UlTgP2ANyLp5XIFbR0uY25BQkLJlwt7Rr:UlTA1NI3W95B9otlr

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9B06757-E674-AE94-70A8-2086710E0AB8}	308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9B06757-E674-AE94-70A8-2086710E0AB8}\stubpath = "%SystemRoot%\\system32\\V3Medic.exe"	308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\V3Medic.exe	308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433.exe
File opened for modification	C:\Windows\SysWOW64\V3Medic.exe	308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4016	308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 744	4016	308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433.exe	85
PID 4016 wrote to memory of 744	4016	308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433.exe	85
PID 4016 wrote to memory of 744	4016	308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433.exe	85
PID 4016 wrote to memory of 3760	4016	308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433.exe	90
PID 4016 wrote to memory of 3760	4016	308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433.exe	90
PID 4016 wrote to memory of 3760	4016	308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433.exe	90

C:\Users\Admin\AppData\Local\Temp\308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433.exe
"C:\Users\Admin\AppData\Local\Temp\308dd4cfb744b601a3a8b215e849bf9e64ddcaed4ee3d47868428460fe357433.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{B9B06757-E674-AE94-70A8-2086710E0AB8}" /f
  2⤵
  PID:744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\308DD4~1.EXE > nul
  2⤵
  PID:3760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-132-0x0000000000000000-mapping.dmp

Download
memory/3760-133-0x0000000000000000-mapping.dmp

Download