ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d

Analysis

max time kernel
171s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 06:51

Target

ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.exe
Size

2.5MB
MD5

28e3f37100979d7b6f3570e859c589c0
SHA1

032492445d4ed3fe02c61f22f60c72883bdab5f1
SHA256

ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d
SHA512

831bd2e73607d5379a4ffef5c5a68b9e0c35e22cf68979ca146a9b0bfbcc4497276e0c4a05147d5278326d1af6fb946c95e0f259748289c5fe475659fe460f41
SSDEEP

49152:i9qIaIQB8h6v7sFfsE/nqoATFlOaeAFAMJMKpu68G4spIhBkbMEW:sqZBOwvknqfTFluAFtpu6QsehB6M

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.tmp

pid process

3224 ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.tmp

pid	process
3224	ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.tmp

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

Processes:

ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.tmp

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\K7 Computing\K7TotalSecurity	ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.tmp
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Sophos\Sophos Anti-Virus	ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.tmp
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\KasperskyLab	ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.exe

description	pid	process	target process
PID 3348 wrote to memory of 3224	3348	ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.exe	ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.tmp
PID 3348 wrote to memory of 3224	3348	ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.exe	ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.tmp
PID 3348 wrote to memory of 3224	3348	ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.exe	ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.tmp

C:\Users\Admin\AppData\Local\Temp\ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.exe
"C:\Users\Admin\AppData\Local\Temp\ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Users\Admin\AppData\Local\Temp\is-Q31B9.tmp\ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-Q31B9.tmp\ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.tmp" /SL5="$8004A,2314620,56832,C:\Users\Admin\AppData\Local\Temp\ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.exe"
  2⤵
  - Executes dropped EXE
  - Checks for any installed AV software in registry
  PID:3224

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Security Software Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\is-Q31B9.tmp\ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.tmp

Filesize
693KB

MD5
5fce05097d5700989ffc2af6e322cf09

SHA1
814ad12dc87d52bba4cb547a03e2679f60fa400a

SHA256
20b21070a6f03022b233994e67f451929bdbf259fce6a6c9501557b369bc093e

SHA512
31d66f10d76b4ffc95511bcca1e21392fb7b67b9184236f0818a5ff8f4e3dd337de358c2b2c76a5f6bf4b4a2c186d91e4762a598f90eee48cd8f40a55bdc7e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q31B9.tmp\ed3111c0a18df6f1a0f259551041d35e17d4b53b560f907676cb00748677ed5d.tmp

Filesize
693KB

MD5
5fce05097d5700989ffc2af6e322cf09

SHA1
814ad12dc87d52bba4cb547a03e2679f60fa400a

SHA256
20b21070a6f03022b233994e67f451929bdbf259fce6a6c9501557b369bc093e

SHA512
31d66f10d76b4ffc95511bcca1e21392fb7b67b9184236f0818a5ff8f4e3dd337de358c2b2c76a5f6bf4b4a2c186d91e4762a598f90eee48cd8f40a55bdc7e2f

Download Submit
memory/3224-134-0x0000000000000000-mapping.dmp

Download
memory/3348-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3348-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3348-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download