088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe
Size

136KB
MD5

36b02e8de0cff86d20cd3c14ac746e2a
SHA1

05ce5a5ed0f92018137fd299f65f0eaeb2b2aea2
SHA256

088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27
SHA512

39fb2a3dba22da579907fd4d317d33391dcd9ec87d43037d70724932176c7e7efe3fbd1a263ede5d1cfb635a58f9ed49b94b979ba0119f9d48dd4d95ed2db2bd
SSDEEP

1536:ym8eofnq/Lp699AqktCP4pzNwk1amk7fIosw7hJj+3MDdrZS28Sa6PfPuFQIhYaq:yCUqTCXIhY1Zb

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peobrdiw = "\"C:\\Users\\Admin\\AppData\\Local\\ogmegtlq.exe\""	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe

description	pid	process	target process
PID 1696 set thread context of 5024	1696	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe

pid	process
5024	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe
5024	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe

description	pid	process	target process
PID 1696 wrote to memory of 5024	1696	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe
PID 1696 wrote to memory of 5024	1696	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe
PID 1696 wrote to memory of 5024	1696	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe
PID 1696 wrote to memory of 5024	1696	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe
PID 1696 wrote to memory of 5024	1696	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe
PID 1696 wrote to memory of 5024	1696	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe
PID 1696 wrote to memory of 5024	1696	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe
PID 5024 wrote to memory of 4532	5024	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe	svchost.exe
PID 5024 wrote to memory of 4532	5024	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe	svchost.exe
PID 5024 wrote to memory of 4532	5024	088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe
"C:\Users\Admin\AppData\Local\Temp\088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe
"C:\Users\Admin\AppData\Local\Temp\088e8c0b5f0a05e11c8406e0ea0b34cf3dd850acec5f40a4824538c01df5fd27.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Adds Run key to start application
PID:4532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4532-136-0x0000000000000000-mapping.dmp

Download
memory/4532-137-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/4532-138-0x00000000010C0000-0x00000000010D1000-memory.dmp

Filesize
68KB

Download
memory/4532-139-0x0000000001640000-0x00000000016C0000-memory.dmp

Filesize
512KB

Download
memory/4532-140-0x0000000001640000-0x00000000016C0000-memory.dmp

Filesize
512KB

Download
memory/5024-132-0x0000000000000000-mapping.dmp

Download
memory/5024-133-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5024-135-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download