d52834dd0f228fceea40d9cd9964cc69805170fa55a18be64bb7dc5fe0873c74

Analysis

max time kernel
188s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d52834dd0f228fceea40d9cd9964cc69805170fa55a18be64bb7dc5fe0873c74.exe
Size

184KB
MD5

009f6b12e50dbb4e21a6e033f4dfe81d
SHA1

cf1c2417572a157b3f031fb9efa0ea0466811656
SHA256

d52834dd0f228fceea40d9cd9964cc69805170fa55a18be64bb7dc5fe0873c74
SHA512

550acc8c926f2d74fb19b3d451b209537a11a9a990cabfa5c756efbf1a89cbd3b38090f645a15565ec7719f7b0d17652a21b972a92a2f84d0b0c6c63f2c60ec8
SSDEEP

3072:53vaVHxhPJWjK7FlawziTXfI5I8bjms7zMUxBGz4Y+BC3K5eqf:5yV04FlawziL4I8bas7zVxclK7f

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4704	rknjfv.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	rknjfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\ubnst	rknjfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\ubnst	rknjfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	rknjfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	rknjfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	rknjfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\ubnst\\command	rknjfv.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4840	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 1412	3908	d52834dd0f228fceea40d9cd9964cc69805170fa55a18be64bb7dc5fe0873c74.exe	76
PID 3908 wrote to memory of 1412	3908	d52834dd0f228fceea40d9cd9964cc69805170fa55a18be64bb7dc5fe0873c74.exe	76
PID 3908 wrote to memory of 1412	3908	d52834dd0f228fceea40d9cd9964cc69805170fa55a18be64bb7dc5fe0873c74.exe	76
PID 1412 wrote to memory of 4704	1412	cmd.exe	79
PID 1412 wrote to memory of 4704	1412	cmd.exe	79
PID 1412 wrote to memory of 4704	1412	cmd.exe	79
PID 1412 wrote to memory of 4840	1412	cmd.exe	80
PID 1412 wrote to memory of 4840	1412	cmd.exe	80
PID 1412 wrote to memory of 4840	1412	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\d52834dd0f228fceea40d9cd9964cc69805170fa55a18be64bb7dc5fe0873c74.exe
"C:\Users\Admin\AppData\Local\Temp\d52834dd0f228fceea40d9cd9964cc69805170fa55a18be64bb7dc5fe0873c74.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xvswtzw.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Users\Admin\AppData\Local\Temp\rknjfv.exe
    "C:\Users\Admin\AppData\Local\Temp\rknjfv.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:4704
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hxxqzr.bat

Filesize
188B

MD5
70287ca6c9340e4e50eabd7cb08be272

SHA1
8136627a0a34601001454b3ebe92e66fa9ff9fa3

SHA256
e446690a488886adcaafdad4233b4f4b17c9ad47bbdc76446d70ce2bdf65c47a

SHA512
80aed01f06ea800f69cdea15d0b657115623d9ca5cda0ea416ec6e7aaa463ebcb14817fc4c3d0b99b8ee3366c5748df41c80bd37330d90369161248bd6f054c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rknjfv.exe

Filesize
136KB

MD5
f14146f7df7734bf600c97ccbfe75b07

SHA1
f3a64d7861d52e41c899d6cc361b3d09b0cb52c5

SHA256
19ea89fa9b11bedf1ebb131673ef13edcc5a739faf822833845175402e6d626c

SHA512
d82daa4a9e1c81a50b03b80f02b6e6ee667d888b40c43cbd8e4a50aa55135a02c4b9a5a309c774ff5ab7d26ed69e84c7d59c5f2308eeafc989729e57de07604b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rknjfv.exe

Filesize
136KB

MD5
f14146f7df7734bf600c97ccbfe75b07

SHA1
f3a64d7861d52e41c899d6cc361b3d09b0cb52c5

SHA256
19ea89fa9b11bedf1ebb131673ef13edcc5a739faf822833845175402e6d626c

SHA512
d82daa4a9e1c81a50b03b80f02b6e6ee667d888b40c43cbd8e4a50aa55135a02c4b9a5a309c774ff5ab7d26ed69e84c7d59c5f2308eeafc989729e57de07604b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvswtzw.bat

Filesize
124B

MD5
dd22f8d3c69fdf5a731a176eb0cbf8b0

SHA1
077482e45540e408cccb5288d8da93bed9c20ef1

SHA256
0dc9f054be1c22326a1fffa44919b41704010ba397c6d74318d609a0ee347d46

SHA512
de97d06e9699a2c85116a967b487516f44a1fd92786441e5fe0130fed92b0476481312705f2d159dcb44c8cb0030678b15daad6f8b28428b5ac961bb34796583

Download Submit