1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527

Analysis

max time kernel
356s
max time network
407s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527.exe
Size

153KB
MD5

3c0952309dea28bfef5bf0527411bc9e
SHA1

5c7a0b11c2a91823143214fef2a786c5ef6fd4b9
SHA256

1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527
SHA512

ed0e98d03993ecb8c2a7ecb73ba8282868cfdcae24356e00162b46ccf3cccd4c1c1dbb105e98bc586a0f8dadc1b8c8bae4da9b154e83de656687ce7d68182584
SSDEEP

3072:Wy277Ci+HMm3nQuTz5U0Ofr2AUx4bzWKeH3tMCmzsaz:Wy27mi+Hj3Qg112rhUxl/3thEse

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 5 IoCs

pid	Process
2796	ssms.exe
1416	ssms.exe
4560	ssms.exe
532	ssms.exe
3856	ssms.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File created	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File created	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File created	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File created	C:\Windows\SysWOW64\ssms.exe	1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	ssms.exe

Runs .reg file with regedit 4 IoCs

pid	Process
1684	regedit.exe
1944	regedit.exe
4524	regedit.exe
2336	regedit.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 2484	3648	1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527.exe	83
PID 3648 wrote to memory of 2484	3648	1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527.exe	83
PID 3648 wrote to memory of 2484	3648	1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527.exe	83
PID 2484 wrote to memory of 1684	2484	cmd.exe	84
PID 2484 wrote to memory of 1684	2484	cmd.exe	84
PID 2484 wrote to memory of 1684	2484	cmd.exe	84
PID 3648 wrote to memory of 2796	3648	1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527.exe	85
PID 3648 wrote to memory of 2796	3648	1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527.exe	85
PID 3648 wrote to memory of 2796	3648	1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527.exe	85
PID 2796 wrote to memory of 3944	2796	ssms.exe	86
PID 2796 wrote to memory of 3944	2796	ssms.exe	86
PID 2796 wrote to memory of 3944	2796	ssms.exe	86
PID 3944 wrote to memory of 1944	3944	cmd.exe	87
PID 3944 wrote to memory of 1944	3944	cmd.exe	87
PID 3944 wrote to memory of 1944	3944	cmd.exe	87
PID 2796 wrote to memory of 1416	2796	ssms.exe	88
PID 2796 wrote to memory of 1416	2796	ssms.exe	88
PID 2796 wrote to memory of 1416	2796	ssms.exe	88
PID 1416 wrote to memory of 1420	1416	ssms.exe	89
PID 1416 wrote to memory of 1420	1416	ssms.exe	89
PID 1416 wrote to memory of 1420	1416	ssms.exe	89
PID 1416 wrote to memory of 4560	1416	ssms.exe	90
PID 1416 wrote to memory of 4560	1416	ssms.exe	90
PID 1416 wrote to memory of 4560	1416	ssms.exe	90
PID 4560 wrote to memory of 2432	4560	ssms.exe	91
PID 4560 wrote to memory of 2432	4560	ssms.exe	91
PID 4560 wrote to memory of 2432	4560	ssms.exe	91
PID 2432 wrote to memory of 4524	2432	cmd.exe	92
PID 2432 wrote to memory of 4524	2432	cmd.exe	92
PID 2432 wrote to memory of 4524	2432	cmd.exe	92
PID 4560 wrote to memory of 532	4560	ssms.exe	93
PID 4560 wrote to memory of 532	4560	ssms.exe	93
PID 4560 wrote to memory of 532	4560	ssms.exe	93
PID 532 wrote to memory of 500	532	ssms.exe	94
PID 532 wrote to memory of 500	532	ssms.exe	94
PID 532 wrote to memory of 500	532	ssms.exe	94
PID 500 wrote to memory of 2336	500	cmd.exe	95
PID 500 wrote to memory of 2336	500	cmd.exe	95
PID 500 wrote to memory of 2336	500	cmd.exe	95
PID 532 wrote to memory of 3856	532	ssms.exe	96
PID 532 wrote to memory of 3856	532	ssms.exe	96
PID 532 wrote to memory of 3856	532	ssms.exe	96

C:\Users\Admin\AppData\Local\Temp\1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527.exe
"C:\Users\Admin\AppData\Local\Temp\1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    - Modifies security service
    - Runs .reg file with regedit
    PID:1684
- C:\Windows\SysWOW64\ssms.exe
  C:\Windows\system32\ssms.exe 1168 "C:\Users\Admin\AppData\Local\Temp\1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\a.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      Modifies security service
      Runs .reg file with regedit
      PID:1944
- - C:\Windows\SysWOW64\ssms.exe
    C:\Windows\system32\ssms.exe 1180 "C:\Windows\SysWOW64\ssms.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\ssms.exe
      C:\Windows\system32\ssms.exe 1148 "C:\Windows\SysWOW64\ssms.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:4524
    - - C:\Windows\SysWOW64\ssms.exe
        
        C:\Windows\system32\ssms.exe 1152 "C:\Windows\SysWOW64\ssms.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:500
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2336
      - C:\Windows\SysWOW64\ssms.exe
        
        C:\Windows\system32\ssms.exe 1156 "C:\Windows\SysWOW64\ssms.exe"
        6⤵
        Executes dropped EXE
        
        PID:3856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
86B

MD5
81f2f44f6ecac84e6336cf272aff53bf

SHA1
24d388235609e7560066b834be91c5407b202b1f

SHA256
b6c9d291084087663b29aa58c8a14f13ec1cb80a499c6ae60cc71002b6376636

SHA512
44efc9c05c4cdeb189308e894734cef5c83b8be80850441989e45c29671facecb7be9504291a6947443da227b35555ecd933136e2e819c20c2ddeafcf01b87ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Windows\SysWOW64\ssms.exe

Filesize
153KB

MD5
3c0952309dea28bfef5bf0527411bc9e

SHA1
5c7a0b11c2a91823143214fef2a786c5ef6fd4b9

SHA256
1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527

SHA512
ed0e98d03993ecb8c2a7ecb73ba8282868cfdcae24356e00162b46ccf3cccd4c1c1dbb105e98bc586a0f8dadc1b8c8bae4da9b154e83de656687ce7d68182584

Download Submit
C:\Windows\SysWOW64\ssms.exe

Filesize
153KB

MD5
3c0952309dea28bfef5bf0527411bc9e

SHA1
5c7a0b11c2a91823143214fef2a786c5ef6fd4b9

SHA256
1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527

SHA512
ed0e98d03993ecb8c2a7ecb73ba8282868cfdcae24356e00162b46ccf3cccd4c1c1dbb105e98bc586a0f8dadc1b8c8bae4da9b154e83de656687ce7d68182584

Download Submit
C:\Windows\SysWOW64\ssms.exe

Filesize
153KB

MD5
3c0952309dea28bfef5bf0527411bc9e

SHA1
5c7a0b11c2a91823143214fef2a786c5ef6fd4b9

SHA256
1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527

SHA512
ed0e98d03993ecb8c2a7ecb73ba8282868cfdcae24356e00162b46ccf3cccd4c1c1dbb105e98bc586a0f8dadc1b8c8bae4da9b154e83de656687ce7d68182584

Download Submit
C:\Windows\SysWOW64\ssms.exe

Filesize
153KB

MD5
3c0952309dea28bfef5bf0527411bc9e

SHA1
5c7a0b11c2a91823143214fef2a786c5ef6fd4b9

SHA256
1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527

SHA512
ed0e98d03993ecb8c2a7ecb73ba8282868cfdcae24356e00162b46ccf3cccd4c1c1dbb105e98bc586a0f8dadc1b8c8bae4da9b154e83de656687ce7d68182584

Download Submit
C:\Windows\SysWOW64\ssms.exe

Filesize
153KB

MD5
3c0952309dea28bfef5bf0527411bc9e

SHA1
5c7a0b11c2a91823143214fef2a786c5ef6fd4b9

SHA256
1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527

SHA512
ed0e98d03993ecb8c2a7ecb73ba8282868cfdcae24356e00162b46ccf3cccd4c1c1dbb105e98bc586a0f8dadc1b8c8bae4da9b154e83de656687ce7d68182584

Download Submit
C:\Windows\SysWOW64\ssms.exe

Filesize
153KB

MD5
3c0952309dea28bfef5bf0527411bc9e

SHA1
5c7a0b11c2a91823143214fef2a786c5ef6fd4b9

SHA256
1b5ff7b497e3f3c87cefd640f78e4e92db495f74f987748f3b504d5f34406527

SHA512
ed0e98d03993ecb8c2a7ecb73ba8282868cfdcae24356e00162b46ccf3cccd4c1c1dbb105e98bc586a0f8dadc1b8c8bae4da9b154e83de656687ce7d68182584

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit