1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 16:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa.exe
Size

61KB
MD5

04ceaae394b5c0f19a715ee4d23d7bda
SHA1

3298b8bf64834fd237512edace89d6b2e8acbeec
SHA256

1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa
SHA512

dc33877c99a7e9e97871225a08f4eb7d4011d9b2012657467a50754d04ad9f3aded7717d27c338a95ad34c0cbc15ad43d006d7c61db29ce1c5b918fb7b2d70b3
SSDEEP

1536:KMQKzwcnBIO+k7u7rVWiktMUeAATwJBnKAi2t:5DzwcnP7u7rVWikKUeAAUJ9Ke

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Serverx = "C:\\Windows\\system32\\Serverx.exe"	1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Serverx.exe	1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa.exe
File opened for modification	C:\Windows\SysWOW64\Serverx.exe	1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 916	1756	1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa.exe	27
PID 1756 wrote to memory of 916	1756	1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa.exe	27
PID 1756 wrote to memory of 916	1756	1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa.exe	27
PID 1756 wrote to memory of 916	1756	1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa.exe	27
PID 1756 wrote to memory of 1396	1756	1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa.exe	11
PID 1756 wrote to memory of 1396	1756	1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa.exe	11

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa.exe
  "C:\Users\Admin\AppData\Local\Temp\1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa.exe
    "C:\Users\Admin\AppData\Local\Temp\1e7acd3951926ecc626a905a7f907be82489370dd6fc23ec5255fc294add65fa.exe"
    3⤵
    PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-59-0x0000000001000000-0x0000000001016000-memory.dmp

Filesize
88KB

Download
memory/1396-60-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/1756-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/1756-56-0x0000000001000000-0x0000000001016000-memory.dmp

Filesize
88KB

Download
memory/1756-58-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/1756-62-0x0000000001000000-0x0000000001016000-memory.dmp

Filesize
88KB

Download