2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe
Size

379KB
MD5

e0c3c103be7ed0a2781c82d379dc0780
SHA1

318ca5646da574f9115ac579c35f54382bc740ad
SHA256

2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9
SHA512

08f8476e4572d8326cf34459b6a5ec8ca2c0b4d91eb1f77ddc5de897b59dd1fae683e2ba621d8375ee0ab1f3337b4ed0cfad3e0ae70dcfa2b1c9f77ef9512d60
SSDEEP

6144:23nuEiAWEIyTBkRalU35uSHG33A1lFx2CTN9k+g:gTNODHG33ATJbg

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

alter.exe

pid process

3284 alter.exe

pid	process
3284	alter.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

alter.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\alter.exe"	alter.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	alter.exe

Drops file in System32 directory 2 IoCs

Processes:

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\whr458da.db
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\whr458da.db

Drops file in Windows directory 2 IoCs

Processes:

2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exealter.exe

description	ioc	process
File opened for modification	C:\Windows\2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.INI	2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe
File opened for modification	C:\Windows\alter.INI	alter.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

alter.exe

pid process

3284 alter.exe
3284 alter.exe
3284 alter.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

alter.exe

pid process

3284 alter.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

alter.exe

description pid process

Token: SeDebugPrivilege 3284 alter.exe
Token: SeDebugPrivilege 776

pid	process
3284	alter.exe
3284	alter.exe
3284	alter.exe

pid	process
3284	alter.exe

description	pid	process
Token: SeDebugPrivilege	3284	alter.exe
Token: SeDebugPrivilege	776

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exealter.exe

pid	process
3704	2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe
3704	2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe
3284	alter.exe
3284	alter.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe

description	pid	process	target process
PID 3704 wrote to memory of 3284	3704	2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe	alter.exe
PID 3704 wrote to memory of 3284	3704	2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe	alter.exe
PID 3704 wrote to memory of 3284	3704	2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe	alter.exe
PID 776 wrote to memory of 5080	776		mousocoreworker.exe
PID 776 wrote to memory of 5080	776		mousocoreworker.exe

C:\Users\Admin\AppData\Local\Temp\2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe
"C:\Users\Admin\AppData\Local\Temp\2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Local\alter.exe
  C:\Users\Admin\AppData\Local\Temp\2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3284

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:5080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\alter.exe

Filesize
379KB

MD5
e0c3c103be7ed0a2781c82d379dc0780

SHA1
318ca5646da574f9115ac579c35f54382bc740ad

SHA256
2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9

SHA512
08f8476e4572d8326cf34459b6a5ec8ca2c0b4d91eb1f77ddc5de897b59dd1fae683e2ba621d8375ee0ab1f3337b4ed0cfad3e0ae70dcfa2b1c9f77ef9512d60

Download Submit
C:\Users\Admin\AppData\Local\alter.exe

Filesize
379KB

MD5
e0c3c103be7ed0a2781c82d379dc0780

SHA1
318ca5646da574f9115ac579c35f54382bc740ad

SHA256
2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9

SHA512
08f8476e4572d8326cf34459b6a5ec8ca2c0b4d91eb1f77ddc5de897b59dd1fae683e2ba621d8375ee0ab1f3337b4ed0cfad3e0ae70dcfa2b1c9f77ef9512d60

Download Submit
memory/776-141-0x000001612BA00000-0x000001612BA2D000-memory.dmp

Filesize
180KB

Download
memory/776-142-0x000001612BA30000-0x000001612BA63000-memory.dmp

Filesize
204KB

Download
memory/3284-134-0x0000000000000000-mapping.dmp

Download
memory/3284-140-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3284-143-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3704-132-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3704-137-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5080-144-0x0000000000000000-mapping.dmp

Download