e4cd15b149e8adff44add26af316af8175bb9fdcae26a6f473d4df16b99cf51b

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4cd15b149e8adff44add26af316af8175bb9fdcae26a6f473d4df16b99cf51b.exe
Size

1.5MB
MD5

04f2c2c070f61665b4980bc50f4794ad
SHA1

3af02a1910053b3a54f7b466712ed9e396bb4051
SHA256

e4cd15b149e8adff44add26af316af8175bb9fdcae26a6f473d4df16b99cf51b
SHA512

36e9ebe9aecdfb6ecc412e5c5a669318a08ca55c5e1123024d2f6c7cc6ea9e3b6d859ba279c2375381f2946070dfee21035ae165ae0d919a38afc7ffc8771720
SSDEEP

6144:DfAb7nC0WEG05iTh07wHpvel7/70G9R1bAbbTiTL07wHpvel7/70G9R1bAbbTiTB:U95DF+brF+bx95

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
572	stats.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemAutorun.exe	e4cd15b149e8adff44add26af316af8175bb9fdcae26a6f473d4df16b99cf51b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\StatsSoft = "C:\\Users\\Admin\\AppData\\Roaming\\system app\\stats.exe"	stats.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1144	dw20.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 572	1348	e4cd15b149e8adff44add26af316af8175bb9fdcae26a6f473d4df16b99cf51b.exe	28
PID 1348 wrote to memory of 572	1348	e4cd15b149e8adff44add26af316af8175bb9fdcae26a6f473d4df16b99cf51b.exe	28
PID 1348 wrote to memory of 572	1348	e4cd15b149e8adff44add26af316af8175bb9fdcae26a6f473d4df16b99cf51b.exe	28
PID 1348 wrote to memory of 1144	1348	e4cd15b149e8adff44add26af316af8175bb9fdcae26a6f473d4df16b99cf51b.exe	29
PID 1348 wrote to memory of 1144	1348	e4cd15b149e8adff44add26af316af8175bb9fdcae26a6f473d4df16b99cf51b.exe	29
PID 1348 wrote to memory of 1144	1348	e4cd15b149e8adff44add26af316af8175bb9fdcae26a6f473d4df16b99cf51b.exe	29

C:\Users\Admin\AppData\Local\Temp\e4cd15b149e8adff44add26af316af8175bb9fdcae26a6f473d4df16b99cf51b.exe
"C:\Users\Admin\AppData\Local\Temp\e4cd15b149e8adff44add26af316af8175bb9fdcae26a6f473d4df16b99cf51b.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Roaming\system app\stats.exe
  "C:\Users\Admin\AppData\Roaming\system app\stats.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 964
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\system app\stats.exe

Filesize
11KB

MD5
0fabfa921a024c40d2fab38df3125d60

SHA1
5a1fb9322566a655794f2a920be76fda9a6c32cc

SHA256
c67ba1832f36ebfd0cbd431e439bcfd3f3751aa3ddde8355822107a04b7fc264

SHA512
73a67ac4e95091fb348ff14d8e1c9b1b229b383477badefa4ecbcce839ddc5e4c96a198ad5ce158b997675a9dd9928d7e63e9b3a0dd231974ba08314f27c9a10

Download Submit
C:\Users\Admin\AppData\Roaming\system app\stats.exe

Filesize
11KB

MD5
0fabfa921a024c40d2fab38df3125d60

SHA1
5a1fb9322566a655794f2a920be76fda9a6c32cc

SHA256
c67ba1832f36ebfd0cbd431e439bcfd3f3751aa3ddde8355822107a04b7fc264

SHA512
73a67ac4e95091fb348ff14d8e1c9b1b229b383477badefa4ecbcce839ddc5e4c96a198ad5ce158b997675a9dd9928d7e63e9b3a0dd231974ba08314f27c9a10

Download Submit
memory/572-60-0x000007FEF35E0000-0x000007FEF4003000-memory.dmp

Filesize
10.1MB

Download
memory/572-61-0x000007FEEE6C0000-0x000007FEEF756000-memory.dmp

Filesize
16.6MB

Download
memory/1144-63-0x000007FEFB941000-0x000007FEFB943000-memory.dmp

Filesize
8KB

Download
memory/1348-54-0x000007FEF35E0000-0x000007FEF4003000-memory.dmp

Filesize
10.1MB

Download
memory/1348-55-0x000007FEEE6C0000-0x000007FEEF756000-memory.dmp

Filesize
16.6MB

Download
memory/1348-56-0x0000000002036000-0x0000000002055000-memory.dmp

Filesize
124KB

Download
memory/1348-64-0x0000000002036000-0x0000000002055000-memory.dmp

Filesize
124KB

Download