33739f466b2cba28ecd74fc120810ad17a0d4a265aea048c1313d56ecdc823c0

Analysis

max time kernel
340s
max time network
395s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33739f466b2cba28ecd74fc120810ad17a0d4a265aea048c1313d56ecdc823c0.exe
Size

114KB
MD5

8df6caab6e0f5abb4a06130b6d5b0bb7
SHA1

7a75210f52e6ea0b4d2e41ba7ad2ee997588697c
SHA256

33739f466b2cba28ecd74fc120810ad17a0d4a265aea048c1313d56ecdc823c0
SHA512

7a37fae892ca51fd360c8c70fa986f2773539ac838041f3d70d3781779f3f492963ddc45263f16ac45425a6faaf4b00b683286c877d1c391ff1b13e3605ad35a
SSDEEP

1536:Rc0loGP2sdCFXekr5m3EUEvP4BM8SzywLIFHf6n/DHkYjxRyp+xGKspaJ6Y:RTB+PLr83eqhSzywLb/bkYjy+xwY

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\laafuleh = "\"C:\\Users\\Admin\\AppData\\Local\\rdnksxoe.exe\""	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

33739f466b2cba28ecd74fc120810ad17a0d4a265aea048c1313d56ecdc823c0.exe

pid	process
860	33739f466b2cba28ecd74fc120810ad17a0d4a265aea048c1313d56ecdc823c0.exe
860	33739f466b2cba28ecd74fc120810ad17a0d4a265aea048c1313d56ecdc823c0.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

33739f466b2cba28ecd74fc120810ad17a0d4a265aea048c1313d56ecdc823c0.exe

description	pid	process	target process
PID 860 wrote to memory of 4788	860	33739f466b2cba28ecd74fc120810ad17a0d4a265aea048c1313d56ecdc823c0.exe	svchost.exe
PID 860 wrote to memory of 4788	860	33739f466b2cba28ecd74fc120810ad17a0d4a265aea048c1313d56ecdc823c0.exe	svchost.exe
PID 860 wrote to memory of 4788	860	33739f466b2cba28ecd74fc120810ad17a0d4a265aea048c1313d56ecdc823c0.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\33739f466b2cba28ecd74fc120810ad17a0d4a265aea048c1313d56ecdc823c0.exe
"C:\Users\Admin\AppData\Local\Temp\33739f466b2cba28ecd74fc120810ad17a0d4a265aea048c1313d56ecdc823c0.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Adds Run key to start application
PID:4788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/860-132-0x0000000000680000-0x0000000000694000-memory.dmp

Filesize
80KB

Download
memory/4788-134-0x0000000000000000-mapping.dmp

Download
memory/4788-135-0x0000000000130000-0x000000000013E000-memory.dmp

Filesize
56KB

Download
memory/4788-136-0x0000000000F00000-0x0000000000F11000-memory.dmp

Filesize
68KB

Download
memory/4788-137-0x0000000001500000-0x0000000001580000-memory.dmp

Filesize
512KB

Download