082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04

Analysis

max time kernel
136s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe
Size

164KB
MD5

a30ad77348a53d2126bedb47df7a2de6
SHA1

e432d3460dde11734739cfcb9bc01f51990438b8
SHA256

082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04
SHA512

baabdb39b024bdb5a71ef943b1f361907cb236e94eb84a2249b145fb2733616cb34e4ffd722f61cb3153ae3ac3517644bbe999702fadbca2ff5a78a81da170e6
SSDEEP

1536:gkWbhgW5o1oS4l1TfG8Umu3/IdsGmPIxl8F4L0a8fcqyLz21Qak6afX3kco7b:FW+1oS4l5OeuQdrmwvL8EqF

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\29651 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\ccsjem.exe"	msiexec.exe

Blocklisted process makes network request 37 IoCs

flow	pid	Process
13	2252	msiexec.exe
14	2252	msiexec.exe
15	2252	msiexec.exe
16	2252	msiexec.exe
17	2252	msiexec.exe
18	2252	msiexec.exe
19	2252	msiexec.exe
22	2252	msiexec.exe
23	2252	msiexec.exe
24	2252	msiexec.exe
25	2252	msiexec.exe
26	2252	msiexec.exe
27	2252	msiexec.exe
51	2252	msiexec.exe
52	2252	msiexec.exe
53	2252	msiexec.exe
54	2252	msiexec.exe
55	2252	msiexec.exe
56	2252	msiexec.exe
57	2252	msiexec.exe
58	2252	msiexec.exe
59	2252	msiexec.exe
60	2252	msiexec.exe
61	2252	msiexec.exe
62	2252	msiexec.exe
64	2252	msiexec.exe
65	2252	msiexec.exe
66	2252	msiexec.exe
67	2252	msiexec.exe
68	2252	msiexec.exe
69	2252	msiexec.exe
70	2252	msiexec.exe
71	2252	msiexec.exe
72	2252	msiexec.exe
73	2252	msiexec.exe
74	2252	msiexec.exe
75	2252	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4836 set thread context of 4976	4836	082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe	86

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\ccsjem.exe	msiexec.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4976	082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe
4976	082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4976	4836	082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe	86
PID 4836 wrote to memory of 4976	4836	082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe	86
PID 4836 wrote to memory of 4976	4836	082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe	86
PID 4836 wrote to memory of 4976	4836	082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe	86
PID 4836 wrote to memory of 4976	4836	082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe	86
PID 4836 wrote to memory of 4976	4836	082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe	86
PID 4976 wrote to memory of 2252	4976	082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe	87
PID 4976 wrote to memory of 2252	4976	082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe	87
PID 4976 wrote to memory of 2252	4976	082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe	87

C:\Users\Admin\AppData\Local\Temp\082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe
"C:\Users\Admin\AppData\Local\Temp\082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe
  "C:\Users\Admin\AppData\Local\Temp\082edd051c8bd06c89ee92ff6447ea0723a31391b1eb1b2c8dcf95f0b33f8e04.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\syswow64\msiexec.exe
    3⤵
    - Adds policy Run key to start application
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    PID:2252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2252-137-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/2252-138-0x0000000000BD0000-0x0000000000BD5000-memory.dmp

Filesize
20KB

Download
memory/2252-139-0x0000000000BD0000-0x0000000000BD5000-memory.dmp

Filesize
20KB

Download
memory/4976-133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4976-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download