5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f

Analysis

max time kernel
243s
max time network
272s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe
Size

3.3MB
MD5

2f659e2106fba20995d5e0ac507327cb
SHA1

70ce6c75a7ac3d161b619b2173b44caccf3d6766
SHA256

5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f
SHA512

931e0c993255743dd50f9040962a9689102f57e02ad0ce7776d109f972d4b48bdd413dc1c3d06ef18b02bd9a6dd0497a7604df1a182023f669e0a4b64f3adb6b
SSDEEP

49152:XVg5tQ7a4+u5nW59NeEEsuteuw/XqU3WrC+O8KoR1PoO2+4vN27rdzwojaEtVGSl:lg56785nLzceuuAC6C27Bzi6GE

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Defender = "\"C:\\Users\\Admin\\AppData\\Local\\adminControle.exe\""	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Defender = "\"C:\\Users\\Admin\\AppData\\Local\\adminControle.exe\""	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5020 set thread context of 3884	5020	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe	82

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3884	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5020	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe
5020	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe
5020	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe
5020	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
5020	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe
5020	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe
5020	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe
5020	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3884	5020	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe	82
PID 5020 wrote to memory of 3884	5020	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe	82
PID 5020 wrote to memory of 3884	5020	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe	82
PID 5020 wrote to memory of 3884	5020	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe	82
PID 5020 wrote to memory of 3884	5020	5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe	82

C:\Users\Admin\AppData\Local\Temp\5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe
"C:\Users\Admin\AppData\Local\Temp\5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe
  "C:\Users\Admin\AppData\Local\Temp\5480d445463bc0d3394fe530cf3432f1580f4946a4d9546e5b0806312b0ba26f.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3884-133-0x0000000000C00000-0x0000000000E68000-memory.dmp

Filesize
2.4MB

Download
memory/3884-134-0x0000000000C00000-0x0000000000E68000-memory.dmp

Filesize
2.4MB

Download
memory/3884-135-0x0000000000C00000-0x0000000000E68000-memory.dmp

Filesize
2.4MB

Download
memory/3884-136-0x0000000000C00000-0x0000000000E68000-memory.dmp

Filesize
2.4MB

Download
memory/3884-137-0x0000000000C00000-0x0000000000E68000-memory.dmp

Filesize
2.4MB

Download