0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d

Analysis

max time kernel
3s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 08:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d.exe
Size

106KB
MD5

04490e8092b1f83965593bfd777e4c20
SHA1

90242fdf484092c9c117845a1e0b06c53a194444
SHA256

0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d
SHA512

f2476253a8d6a637162da2971fe7b643ce12e5e10283d8092fb04fc6e7e75f0d53c2b77f3690f17867da657993c8e298ac6edeff61e600e6d5faac538c26f201
SSDEEP

3072:Q1lJg4ojJvNBOUXIMNlRFIiqh3z7UQmU3:Q1T6pOUXIMNlsilU

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runouce.exe	0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 904	1964	0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d.exe	28
PID 1964 wrote to memory of 904	1964	0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d.exe	28
PID 1964 wrote to memory of 904	1964	0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d.exe	28
PID 1964 wrote to memory of 904	1964	0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d.exe	28
PID 1964 wrote to memory of 1208	1964	0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d.exe	13
PID 1964 wrote to memory of 1208	1964	0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d.exe	13

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d.exe
  "C:\Users\Admin\AppData\Local\Temp\0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d.exe
    "C:\Users\Admin\AppData\Local\Temp\0292730e95aac9afbd2bcbf73483508c3aacd5fa1452b8dd8ff3fc43f449432d.exe"
    3⤵
    PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-55-0x000000002FAD0000-0x000000002FAED000-memory.dmp

Filesize
116KB

Download
memory/1208-56-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/1964-58-0x000000002FAD0000-0x000000002FAED000-memory.dmp

Filesize
116KB

Download
memory/1964-59-0x00000000000F0000-0x000000000010D000-memory.dmp

Filesize
116KB

Download