253ea6a2f3528bc424adf1ccae8a16b55e92f4b7b7efcb0c8af21aa29e937e57

Analysis

max time kernel
38s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

253ea6a2f3528bc424adf1ccae8a16b55e92f4b7b7efcb0c8af21aa29e937e57.exe
Size

48KB
MD5

1dbd9c7b592d36c2186a45537acf3e37
SHA1

852437a38aaeb5206b569ed4cf0104b1c9ff2472
SHA256

253ea6a2f3528bc424adf1ccae8a16b55e92f4b7b7efcb0c8af21aa29e937e57
SHA512

8bc7515f4e6d628b49d910b7a12269577feaec98293e7e544d85f5badc684bab148cf1381f2dadde8e9eaadd51a726ac55da7060c7cf46f8e376974724b12dce
SSDEEP

768:KYNDxlviJhk8CfGI2i/W8mCrgy6GpDLBf81vTTxMu9P7r3DRXbCe+9qIYnC:KYN9lviH4fGxF8m+9r3BE1r9f9PP3Dot

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

netsh.exe

pid process

1348 netsh.exe

pid	process
1348	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TabbtnEx = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\3565\\TabbtnEx.exe"	netsh.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

253ea6a2f3528bc424adf1ccae8a16b55e92f4b7b7efcb0c8af21aa29e937e57.exe

pid	process
1424	253ea6a2f3528bc424adf1ccae8a16b55e92f4b7b7efcb0c8af21aa29e937e57.exe
1424	253ea6a2f3528bc424adf1ccae8a16b55e92f4b7b7efcb0c8af21aa29e937e57.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

253ea6a2f3528bc424adf1ccae8a16b55e92f4b7b7efcb0c8af21aa29e937e57.exe

description	pid	process	target process
PID 1424 wrote to memory of 1348	1424	253ea6a2f3528bc424adf1ccae8a16b55e92f4b7b7efcb0c8af21aa29e937e57.exe	netsh.exe
PID 1424 wrote to memory of 1348	1424	253ea6a2f3528bc424adf1ccae8a16b55e92f4b7b7efcb0c8af21aa29e937e57.exe	netsh.exe
PID 1424 wrote to memory of 1348	1424	253ea6a2f3528bc424adf1ccae8a16b55e92f4b7b7efcb0c8af21aa29e937e57.exe	netsh.exe
PID 1424 wrote to memory of 1348	1424	253ea6a2f3528bc424adf1ccae8a16b55e92f4b7b7efcb0c8af21aa29e937e57.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\253ea6a2f3528bc424adf1ccae8a16b55e92f4b7b7efcb0c8af21aa29e937e57.exe
"C:\Users\Admin\AppData\Local\Temp\253ea6a2f3528bc424adf1ccae8a16b55e92f4b7b7efcb0c8af21aa29e937e57.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Deletes itself
- Adds Run key to start application
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\3565\cf69488d
Filesize
32B

MD5
37c6390dd905b3159cc5be0b513360df

SHA1
d1fc5d4c936a0e5d39492b8d8871a3ec551915a9

SHA256
30bfe203488ff6f7f275ae0c4187467599b1b9005f01e48edd95d0feb8b842b0

SHA512
cef48ef4725bd62ed5b4d36296fa047c48d842b6e9d5a2f16e9cbc11244cfa42088dd0cc47116c1c3a041c439026bb03a5ce73c2e3e05fae65d5efcffb526391

Download Submit
C:\Users\Admin\AppData\Roaming\-815183731
Filesize
206B

MD5
186348ca4e57702f4493bcf016b12059

SHA1
e611398ba9ef1c4dc5cbac59841d9153f72596af

SHA256
75dabb2fff691accce919f5d67aa76704926ca4768d3109ba5704f0c451feed9

SHA512
9dd730512ace275014c0967f08c2bdba95afba457556dcdbcf653f3109ed051ca68e8bb583878b61442a03196980f44c2511bdc14305c788d32fc76c7b94f005

Download Submit
memory/1348-58-0x0000000000000000-mapping.dmp

Download
memory/1348-63-0x0000000001340000-0x000000000135B000-memory.dmp

Filesize
108KB

Download
memory/1348-64-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/1424-54-0x0000000000230000-0x0000000000244000-memory.dmp

Filesize
80KB

Download
memory/1424-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1424-56-0x0000000000230000-0x0000000000244000-memory.dmp

Filesize
80KB

Download
memory/1424-57-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1424-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download