3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb

Analysis

max time kernel
186s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
Size

140KB
MD5

e8b426b22f61863f3b21eaf0326497b8
SHA1

4a438c5d3459abc06d9d9d065b38c2770c134200
SHA256

3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb
SHA512

0e19162b96daa90ce1306acf45379024537dc594a797ec98567c938b9f2f4ecfa500bb42c1edf35ef969fe1f72c638e29176719a707c28b960ca274c4d1bcccf
SSDEEP

1536:TN7+PoYPAXcjhDIALxW2+YOCfaTRipAoq7JrxLlQjd68TkNY5YeMRY8Wx7Et8TkN:wPxPGcdD1LxL+PCitiWapf5zMgxkc

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe

description	pid	process	target process
PID 3052 set thread context of 4356	3052	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe

pid	process
4356	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
4356	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
4356	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
4356	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
4356	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
4356	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
4356	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
4356	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe

pid process

3052 3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe

pid	process
3052	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe

description	pid	process	target process
PID 3052 wrote to memory of 4356	3052	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
PID 3052 wrote to memory of 4356	3052	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
PID 3052 wrote to memory of 4356	3052	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
PID 3052 wrote to memory of 4356	3052	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
PID 3052 wrote to memory of 4356	3052	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
PID 3052 wrote to memory of 4356	3052	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
PID 3052 wrote to memory of 4356	3052	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
PID 3052 wrote to memory of 4356	3052	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
PID 3052 wrote to memory of 4356	3052	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe	3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe

C:\Users\Admin\AppData\Local\Temp\3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
"C:\Users\Admin\AppData\Local\Temp\3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe
"C:\Users\Admin\AppData\Local\Temp\3d6d39b74144319e6ef312a2933a085225c29c72b330736bf4b80a494c4fabdb.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4356-134-0x0000000000000000-mapping.dmp

Download
memory/4356-135-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4356-137-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4356-138-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4356-139-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4356-144-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/4356-145-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download