4a32a8db10f45e2dff4550311ff4d09da7e5a638b9ce6f27d29d6fe204e51d20

Analysis

max time kernel
143s
max time network
187s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a32a8db10f45e2dff4550311ff4d09da7e5a638b9ce6f27d29d6fe204e51d20.exe
Size

114KB
MD5

09224b825f56cbeddc1f885f4e322a40
SHA1

2ba82c2fee8722cac65978aca2712245b192500e
SHA256

4a32a8db10f45e2dff4550311ff4d09da7e5a638b9ce6f27d29d6fe204e51d20
SHA512

b68589afe4a557d09aea74dbd6a3d6796ab5e1961b8f10d43375e4340cc96f2e08438785d38891ba39becd48f2196ce5c8b3cb343b1083704fa3f017c952940e
SSDEEP

3072:B+3rnRRy6Z296cjNZGIwpYYdftMdzsFGY9fY:orRRyD5E8YZOCQYO

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tsompomh = "\"C:\\Users\\Admin\\AppData\\Local\\bfjducdk.exe\""	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

4a32a8db10f45e2dff4550311ff4d09da7e5a638b9ce6f27d29d6fe204e51d20.exe

pid	process
956	4a32a8db10f45e2dff4550311ff4d09da7e5a638b9ce6f27d29d6fe204e51d20.exe
956	4a32a8db10f45e2dff4550311ff4d09da7e5a638b9ce6f27d29d6fe204e51d20.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4a32a8db10f45e2dff4550311ff4d09da7e5a638b9ce6f27d29d6fe204e51d20.exe

description	pid	process	target process
PID 956 wrote to memory of 892	956	4a32a8db10f45e2dff4550311ff4d09da7e5a638b9ce6f27d29d6fe204e51d20.exe	svchost.exe
PID 956 wrote to memory of 892	956	4a32a8db10f45e2dff4550311ff4d09da7e5a638b9ce6f27d29d6fe204e51d20.exe	svchost.exe
PID 956 wrote to memory of 892	956	4a32a8db10f45e2dff4550311ff4d09da7e5a638b9ce6f27d29d6fe204e51d20.exe	svchost.exe
PID 956 wrote to memory of 892	956	4a32a8db10f45e2dff4550311ff4d09da7e5a638b9ce6f27d29d6fe204e51d20.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\4a32a8db10f45e2dff4550311ff4d09da7e5a638b9ce6f27d29d6fe204e51d20.exe
"C:\Users\Admin\AppData\Local\Temp\4a32a8db10f45e2dff4550311ff4d09da7e5a638b9ce6f27d29d6fe204e51d20.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Adds Run key to start application
  PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/892-56-0x0000000000000000-mapping.dmp

Download
memory/892-57-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/892-58-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/892-59-0x00000000000C0000-0x00000000000D1000-memory.dmp

Filesize
68KB

Download
memory/892-60-0x00000000001A0000-0x0000000000220000-memory.dmp

Filesize
512KB

Download
memory/892-61-0x00000000001A0000-0x0000000000220000-memory.dmp

Filesize
512KB

Download
memory/956-54-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download