dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d

Analysis

max time kernel
159s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe
Size

201KB
MD5

41b29307df1e84747ad2721e6d982185
SHA1

af44ea7f56af393028b47c1c9bc4093e6573ecfb
SHA256

dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d
SHA512

de87b5ad4790b70f21d9d9e67ea20fb27e11d1875b922c3be6b018c712a739dc463e0cd367160e325b7112284e0d5799e164a52ccf40d6e3ce612632505b19d3
SSDEEP

384:H1qGPVEsAUfRbJ7hVu05IULbLEEfk1DDBCofa5SVakiqPl:V9PuCJ7hVZbLBkTI5x0

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\system32\\drivers\\svchost.exe"	dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe

Drops file in Windows directory 1 IoCs

Processes:

dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe

description ioc process

File opened for modification C:\WINDOWS\sound.wav dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe

description	ioc	process
File opened for modification	C:\WINDOWS\sound.wav	dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe

pid	process
3392	dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe
3392	dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe
3392	dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe
3392	dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe

description	pid	process	target process
PID 3392 wrote to memory of 4744	3392	dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe	cmd.exe
PID 3392 wrote to memory of 4744	3392	dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe	cmd.exe
PID 3392 wrote to memory of 4744	3392	dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe	cmd.exe
PID 3392 wrote to memory of 4692	3392	dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe	cmd.exe
PID 3392 wrote to memory of 4692	3392	dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe	cmd.exe
PID 3392 wrote to memory of 4692	3392	dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe
"C:\Users\Admin\AppData\Local\Temp\dc09de2d4dfa83cdcff6405304d906654d382b3c6a0adcb485e530ba593b7b0d.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\WINDOWS\sound.wav
2⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy uniqradar.exe c:\windows\system32\drivers\svchost.exe
2⤵
PID:4692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\sound.wav

Filesize
45B

MD5
c2b3c079101883be41905df3416f53cc

SHA1
f24f86fe91419cd99ca74000643cad0d3a17f7b8

SHA256
95b4ade7bbe706dfd13f67afe8bc846ad75a8da619d1cddc11b9c2b7652d7f6e

SHA512
5585172f49305c4a96880d9a1a13727f058d80397b7d9e92a52ffb79cfb91e31cadc514bf291b83bff4c162a1243165ede8f03b53186d81d940940482b4529ec

Download Submit
memory/4692-134-0x0000000000000000-mapping.dmp

Download
memory/4744-132-0x0000000000000000-mapping.dmp

Download