c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e

Analysis

max time kernel
45s
max time network
74s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe
Size

104KB
MD5

5bf6f3ec6c21e2ab6e67134f38275e4e
SHA1

c16b7849726061df7367124d5a264b86c43d996c
SHA256

c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e
SHA512

3c024722779ebbb35a8942ead69b9ede9e0b7f4d7649143710dbf65ddec96320b343e9879d5a6ca57c3e308972c5e86aa8f3690a8ddecee88f1ba8548384fb6c
SSDEEP

1536:uTkEe8rn91K+XOdkq/2kWKs0zuhos3P/UZfyeDbXck7wuw2t6rLWNp:uTkEeu1Kbky2Ph0zEos3UBygkZ2k

Score

6^/10

Malware Config

Signatures

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe

description	pid	process	target process
PID 1744 set thread context of 468	1744	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe

pid process

1744 c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe

pid	process
1744	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe

description	pid	process	target process
PID 1744 wrote to memory of 468	1744	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe
PID 1744 wrote to memory of 468	1744	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe
PID 1744 wrote to memory of 468	1744	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe
PID 1744 wrote to memory of 468	1744	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe
PID 1744 wrote to memory of 468	1744	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe
PID 1744 wrote to memory of 468	1744	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe
PID 1744 wrote to memory of 468	1744	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe
PID 1744 wrote to memory of 468	1744	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe
PID 1744 wrote to memory of 468	1744	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe	c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe

C:\Users\Admin\AppData\Local\Temp\c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe
"C:\Users\Admin\AppData\Local\Temp\c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe
"C:\Users\Admin\AppData\Local\Temp\c7282cf4279be403dd5e7ba6a63d2e3cb59d33686885384de3b5635b0a4c492e.exe"
2⤵
PID:468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/468-56-0x0000000001000000-0x0000000001014000-memory.dmp

Filesize
80KB

Download
memory/468-57-0x000000000100739D-mapping.dmp

Download
memory/468-60-0x0000000001000000-0x0000000001014000-memory.dmp

Filesize
80KB

Download
memory/468-59-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/468-61-0x0000000001000000-0x0000000001014000-memory.dmp

Filesize
80KB

Download