5d3fd0bdfd796bb3866d158c1a38a574309aaa13c9d7088074b8ecd5c4ee1ea2

Analysis

max time kernel
161s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d3fd0bdfd796bb3866d158c1a38a574309aaa13c9d7088074b8ecd5c4ee1ea2.exe
Size

15KB
MD5

05a463e9588219415e3109e0e90aec73
SHA1

859be30d12a9a5b556c9075e9e5b9d847ef912bd
SHA256

5d3fd0bdfd796bb3866d158c1a38a574309aaa13c9d7088074b8ecd5c4ee1ea2
SHA512

2f447cd3c3b025604c9c1878a1200dce0e86e189560013ce507a039660f8fb7c09241a0f23d7d12f183de7c1c3e8fc6c0d8e53fd98598dc989176982e5e4dfe8
SSDEEP

384:V7dIn8BqVX2hhtK4d1ij5bzR2LrLdSpo+8dmlaX:V7Sz9WhcrbzR2L1Uo+84+

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4396	winpckg.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	winpckg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Package Image Path = "C:\\Users\\Admin\\AppData\\Roaming\\Packages\\winpckg.exe"	winpckg.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 4396	320	5d3fd0bdfd796bb3866d158c1a38a574309aaa13c9d7088074b8ecd5c4ee1ea2.exe	81
PID 320 wrote to memory of 4396	320	5d3fd0bdfd796bb3866d158c1a38a574309aaa13c9d7088074b8ecd5c4ee1ea2.exe	81
PID 320 wrote to memory of 4396	320	5d3fd0bdfd796bb3866d158c1a38a574309aaa13c9d7088074b8ecd5c4ee1ea2.exe	81

C:\Users\Admin\AppData\Local\Temp\5d3fd0bdfd796bb3866d158c1a38a574309aaa13c9d7088074b8ecd5c4ee1ea2.exe
"C:\Users\Admin\AppData\Local\Temp\5d3fd0bdfd796bb3866d158c1a38a574309aaa13c9d7088074b8ecd5c4ee1ea2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:320
- C:\Users\Admin\AppData\Roaming\Packages\winpckg.exe
  "C:\Users\Admin\AppData\Roaming\Packages\winpckg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Packages\winpckg.exe

Filesize
15KB

MD5
05a463e9588219415e3109e0e90aec73

SHA1
859be30d12a9a5b556c9075e9e5b9d847ef912bd

SHA256
5d3fd0bdfd796bb3866d158c1a38a574309aaa13c9d7088074b8ecd5c4ee1ea2

SHA512
2f447cd3c3b025604c9c1878a1200dce0e86e189560013ce507a039660f8fb7c09241a0f23d7d12f183de7c1c3e8fc6c0d8e53fd98598dc989176982e5e4dfe8

Download Submit
C:\Users\Admin\AppData\Roaming\Packages\winpckg.exe

Filesize
15KB

MD5
05a463e9588219415e3109e0e90aec73

SHA1
859be30d12a9a5b556c9075e9e5b9d847ef912bd

SHA256
5d3fd0bdfd796bb3866d158c1a38a574309aaa13c9d7088074b8ecd5c4ee1ea2

SHA512
2f447cd3c3b025604c9c1878a1200dce0e86e189560013ce507a039660f8fb7c09241a0f23d7d12f183de7c1c3e8fc6c0d8e53fd98598dc989176982e5e4dfe8

Download Submit