a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25

Analysis

max time kernel
146s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe
Size

252KB
MD5

5721e26a193359ca859dbf51aebdb3c7
SHA1

8bc8c529bc3f781f1d6fff28f0062c7c17968794
SHA256

a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25
SHA512

7c4fd748ac618d15c072f037cea47260cd596a9acb1068300157e17db8f55c92ed4ae84fa4412d71d1d7a626861aa42a4cca34893a74ca3b4d96a9845fc1faf9
SSDEEP

3072:61DrUriSnqUCzxJscmBd1sftLhoT38QFVkwNz3e8jQ6bF0FQKYzRBjvqo3JouUaw:61PUHqUCL4MhkVpRugrzRBjSo5vTWr

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\services.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in Windows directory 2 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\services.exe cmd.exe
File opened for modification C:\Windows\services.exe cmd.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

580 reg.exe

description	ioc	process
File created	C:\Windows\services.exe	cmd.exe
File opened for modification	C:\Windows\services.exe	cmd.exe

pid	process
580	reg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe

pid	process
1464	a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe
1464	a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.execmd.exe

description	pid	process	target process
PID 1464 wrote to memory of 900	1464	a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe	cmd.exe
PID 1464 wrote to memory of 900	1464	a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe	cmd.exe
PID 1464 wrote to memory of 900	1464	a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe	cmd.exe
PID 1464 wrote to memory of 900	1464	a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe	cmd.exe
PID 900 wrote to memory of 580	900	cmd.exe	reg.exe
PID 900 wrote to memory of 580	900	cmd.exe	reg.exe
PID 900 wrote to memory of 580	900	cmd.exe	reg.exe
PID 900 wrote to memory of 580	900	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe
"C:\Users\Admin\AppData\Local\Temp\a4b0d45b0836eab08b23b0afcac7245bb60996f041f9ca36f5fa9e6518f93e25.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\pocho.bat
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winlogon /t REG_SZ /d "C:\Windows\services.exe" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\pocho.bat
Filesize
264B

MD5
08f6a689831634d2df4d523156e4a2f0

SHA1
9e3a3d972485010545f17f10b4ebb94459796778

SHA256
4c6bd5c36bb6b067f31da11c290e39d217dd9696a72092d618702592ef5a4701

SHA512
673f55fb67c3f8c035706cf17abac748b0b665762bee8ad08169a64656a98088b37de998b6d1bd98004f6bd7625c5ac4804f94367be6e0caaeb736bd1b826a5b

Download Submit
memory/580-60-0x0000000000000000-mapping.dmp

Download
memory/900-58-0x0000000000000000-mapping.dmp

Download
memory/1464-57-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download