1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf

Analysis

max time kernel
46s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe
Size

572KB
MD5

069ca0bf9211704a0fe48600eef9e1fa
SHA1

3a90b6be935124a2c3fd3ab5379cd97e548461ca
SHA256

1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf
SHA512

9661ee93f8557c83c5dd9cd2af1f4e74ef59b2604246f04af36e3d68f6810e7795351a92268fe0f9ca7c3d9ecf276046275f9305329b8db094f1dcc8910b382b
SSDEEP

3072:5M2kU2g2BBXgQj5FyHTXRYGOoEDOmokHtrYr8AmUN6tuevNyZze1ZitYVjQNo/qS:5C+2BlgQjzygokNrYr8WNbYvy/t2cn

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1204	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 1988	1980	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	28

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1292	reg.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1988	1980	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	28
PID 1980 wrote to memory of 1988	1980	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	28
PID 1980 wrote to memory of 1988	1980	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	28
PID 1980 wrote to memory of 1988	1980	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	28
PID 1980 wrote to memory of 1988	1980	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	28
PID 1980 wrote to memory of 1988	1980	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	28
PID 1980 wrote to memory of 1988	1980	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	28
PID 1980 wrote to memory of 1988	1980	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	28
PID 1988 wrote to memory of 952	1988	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	29
PID 1988 wrote to memory of 952	1988	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	29
PID 1988 wrote to memory of 952	1988	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	29
PID 1988 wrote to memory of 952	1988	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	29
PID 1980 wrote to memory of 1204	1980	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	31
PID 1980 wrote to memory of 1204	1980	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	31
PID 1980 wrote to memory of 1204	1980	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	31
PID 1980 wrote to memory of 1204	1980	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	31
PID 952 wrote to memory of 1292	952	cmd.exe	33
PID 952 wrote to memory of 1292	952	cmd.exe	33
PID 952 wrote to memory of 1292	952	cmd.exe	33
PID 952 wrote to memory of 1292	952	cmd.exe	33
PID 952 wrote to memory of 644	952	cmd.exe	34
PID 952 wrote to memory of 644	952	cmd.exe	34
PID 952 wrote to memory of 644	952	cmd.exe	34
PID 952 wrote to memory of 644	952	cmd.exe	34
PID 952 wrote to memory of 644	952	cmd.exe	34
PID 952 wrote to memory of 644	952	cmd.exe	34
PID 952 wrote to memory of 644	952	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe
"C:\Users\Admin\AppData\Local\Temp\1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe
  "C:\Users\Admin\AppData\Local\Temp\1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:1292
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  - Deletes itself
  PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
341B

MD5
1fefc37e6c436009c2563347883788a5

SHA1
8d6ab3255d56de09801b6ac29d3e47f5f7868559

SHA256
5b23923ceb3cdbb7b7582b5603ab8ab52418c382a082db4160537cd16b83ebc7

SHA512
2c91780e5031b05625b78a2cec26fb616c824566bc3ace2fb07f6a57c7ae4f4c4074fb0f68b55766fc2110c3de4a0b6d2210c9d11047009a399c54db8c407fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
572KB

MD5
d8752f484a0afb66d97b1c826be301c8

SHA1
91e792239536f64a9c307a2906e0ceecd520d47f

SHA256
3fd8ce85253562164e632b7c666ba53785bd3e4662bb61ff140f15784e64fcbf

SHA512
743fdadef6ddcdd6bd0286f5e6eeb424b8c67a73429e110b88aad356f008f8be4af2cb64708cf59d210a7baed2ee47c08685dcbbdc2509109f117a75187239be

Download Submit
memory/1980-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1988-62-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-66-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download