acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987

Analysis

max time kernel
236s
max time network
246s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
Size

3.2MB
MD5

6bb28c1ea5194274574f29ec16674869
SHA1

9b9c02da15253ac93ecf11eabcacb316ac7e84d5
SHA256

acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987
SHA512

babe19b849fb15284be47b26582285a0bac4d1e6ae328827b4f918a9958a6f15c64fb0dc4088674d43d5b911d3977c0bf2b592ebef0efb1a6599881655f8c3ec
SSDEEP

49152:RVg5tQ7aIIr56/G2WxsGkcq6guq7T5mVNNofLVXNQ2i3GEHxrf1o:fg56DuVkcJguqAVNefLVXNOR2

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Defender = "\"C:\\Users\\Admin\\AppData\\Local\\adminControle.exe\""	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Defender = "\"C:\\Users\\Admin\\AppData\\Local\\adminControle.exe\""	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

description	pid	process	target process
PID 4376 set thread context of 3516	4376	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

pid process

3516 acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

pid	process
3516	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

pid	process
4376	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
4376	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
4376	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

pid	process
4376	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
4376	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
4376	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

description	pid	process	target process
PID 4376 wrote to memory of 3516	4376	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
PID 4376 wrote to memory of 3516	4376	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
PID 4376 wrote to memory of 3516	4376	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
PID 4376 wrote to memory of 3516	4376	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
PID 4376 wrote to memory of 3516	4376	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe	acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe

C:\Users\Admin\AppData\Local\Temp\acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
"C:\Users\Admin\AppData\Local\Temp\acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4376

C:\Users\Admin\AppData\Local\Temp\acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe
"C:\Users\Admin\AppData\Local\Temp\acdfc3f4c1ba0143ad66c490fec09f797358b40a6b90ff7a8aa1aa4b76fca987.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
PID:3516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3516-132-0x0000000000000000-mapping.dmp

Download
memory/3516-133-0x0000000001000000-0x0000000001268000-memory.dmp

Filesize
2.4MB

Download
memory/3516-134-0x0000000001000000-0x0000000001268000-memory.dmp

Filesize
2.4MB

Download
memory/3516-135-0x0000000001000000-0x0000000001268000-memory.dmp

Filesize
2.4MB

Download
memory/3516-136-0x0000000001000000-0x0000000001268000-memory.dmp

Filesize
2.4MB

Download
memory/3516-137-0x0000000001000000-0x0000000001268000-memory.dmp

Filesize
2.4MB

Download