1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf

Analysis

max time kernel
154s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe
Size

572KB
MD5

069ca0bf9211704a0fe48600eef9e1fa
SHA1

3a90b6be935124a2c3fd3ab5379cd97e548461ca
SHA256

1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf
SHA512

9661ee93f8557c83c5dd9cd2af1f4e74ef59b2604246f04af36e3d68f6810e7795351a92268fe0f9ca7c3d9ecf276046275f9305329b8db094f1dcc8910b382b
SSDEEP

3072:5M2kU2g2BBXgQj5FyHTXRYGOoEDOmokHtrYr8AmUN6tuevNyZze1ZitYVjQNo/qS:5C+2BlgQjzygokNrYr8WNbYvy/t2cn

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1212 set thread context of 924	1212	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	80

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
312	reg.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 924	1212	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	80
PID 1212 wrote to memory of 924	1212	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	80
PID 1212 wrote to memory of 924	1212	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	80
PID 1212 wrote to memory of 924	1212	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	80
PID 1212 wrote to memory of 924	1212	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	80
PID 1212 wrote to memory of 924	1212	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	80
PID 1212 wrote to memory of 924	1212	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	80
PID 924 wrote to memory of 1188	924	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	81
PID 924 wrote to memory of 1188	924	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	81
PID 924 wrote to memory of 1188	924	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	81
PID 1212 wrote to memory of 1684	1212	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	83
PID 1212 wrote to memory of 1684	1212	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	83
PID 1212 wrote to memory of 1684	1212	1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe	83
PID 1188 wrote to memory of 312	1188	cmd.exe	85
PID 1188 wrote to memory of 312	1188	cmd.exe	85
PID 1188 wrote to memory of 312	1188	cmd.exe	85
PID 1188 wrote to memory of 4872	1188	cmd.exe	86
PID 1188 wrote to memory of 4872	1188	cmd.exe	86
PID 1188 wrote to memory of 4872	1188	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe
"C:\Users\Admin\AppData\Local\Temp\1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe
  "C:\Users\Admin\AppData\Local\Temp\1a9ee3d2a9d759ee5090bf16aa4f1476c9038b7d8ed0591fc0fd6e6c7da404bf.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:312
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:4872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
341B

MD5
1fefc37e6c436009c2563347883788a5

SHA1
8d6ab3255d56de09801b6ac29d3e47f5f7868559

SHA256
5b23923ceb3cdbb7b7582b5603ab8ab52418c382a082db4160537cd16b83ebc7

SHA512
2c91780e5031b05625b78a2cec26fb616c824566bc3ace2fb07f6a57c7ae4f4c4074fb0f68b55766fc2110c3de4a0b6d2210c9d11047009a399c54db8c407fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
572KB

MD5
10e5ef1f4051545ef5503686d9a8bf39

SHA1
4068a6e395bcea663f59ebd69e085faa0f5f96cc

SHA256
088dd64b9c2a9e68cd9ad51131b84f5614d431d8d2a4c1ed902f8e698d3b8dde

SHA512
0abe5b6032f86a8596f1f875f34a9962fb6c6090e06d8c7a6964284f063ad1fdaab4ec3778e76e4be6be4de77d09374dcf235c054c49363afbd2e4d70e57b1b0

Download Submit
memory/924-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/924-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/924-138-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download