60bde27a364531f9f5384ec92c0fa9f7df0ac0dc2ed081cae6c3d7cfc680ae0f

Analysis

max time kernel
16s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 20:55

Target

60bde27a364531f9f5384ec92c0fa9f7df0ac0dc2ed081cae6c3d7cfc680ae0f.exe
Size

372KB
MD5

4fd675b3bd7be17bfa70dee68281f429
SHA1

1c5f4d6f65f15d9e5ea2e42fababb73bd2a59aee
SHA256

60bde27a364531f9f5384ec92c0fa9f7df0ac0dc2ed081cae6c3d7cfc680ae0f
SHA512

96d3d788333b723b48471507b6753afb5adda728a9b652b73c86bb9e6479883e0e824dc89665705f45443fdae7c3fc6bca70c72a5e97ea249330875ded7d6835
SSDEEP

6144:lizibWE0UZC95HLdPT7/viy/8nxlc4se1MW2wDa92znU09:lciy8ClCfL1qWPDiwnU4

Score

8^/10

evasion

Disables RegEdit via registry modification 1 IoCs

Processes:

60bde27a364531f9f5384ec92c0fa9f7df0ac0dc2ed081cae6c3d7cfc680ae0f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	60bde27a364531f9f5384ec92c0fa9f7df0ac0dc2ed081cae6c3d7cfc680ae0f.exe

Disables Task Manager via registry modification
evasion
Runs net.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

60bde27a364531f9f5384ec92c0fa9f7df0ac0dc2ed081cae6c3d7cfc680ae0f.exe

pid process

1772 60bde27a364531f9f5384ec92c0fa9f7df0ac0dc2ed081cae6c3d7cfc680ae0f.exe

pid	process
1772	60bde27a364531f9f5384ec92c0fa9f7df0ac0dc2ed081cae6c3d7cfc680ae0f.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

60bde27a364531f9f5384ec92c0fa9f7df0ac0dc2ed081cae6c3d7cfc680ae0f.exenet.exe

description	pid	process	target process
PID 1772 wrote to memory of 2036	1772	60bde27a364531f9f5384ec92c0fa9f7df0ac0dc2ed081cae6c3d7cfc680ae0f.exe	net.exe
PID 1772 wrote to memory of 2036	1772	60bde27a364531f9f5384ec92c0fa9f7df0ac0dc2ed081cae6c3d7cfc680ae0f.exe	net.exe
PID 1772 wrote to memory of 2036	1772	60bde27a364531f9f5384ec92c0fa9f7df0ac0dc2ed081cae6c3d7cfc680ae0f.exe	net.exe
PID 1772 wrote to memory of 2036	1772	60bde27a364531f9f5384ec92c0fa9f7df0ac0dc2ed081cae6c3d7cfc680ae0f.exe	net.exe
PID 2036 wrote to memory of 996	2036	net.exe	net1.exe
PID 2036 wrote to memory of 996	2036	net.exe	net1.exe
PID 2036 wrote to memory of 996	2036	net.exe	net1.exe
PID 2036 wrote to memory of 996	2036	net.exe	net1.exe

C:\Windows\SysWOW64\net.exe
net stop sharedaccess
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess
3⤵
PID:996

memory/996-58-0x0000000000000000-mapping.dmp

Download
memory/1772-56-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/2036-57-0x0000000000000000-mapping.dmp

Download