63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c

Analysis

max time kernel
304s
max time network
364s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2022, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe
Size

122KB
MD5

1970aabc1bb4d1888523bba7448c9824
SHA1

a41019153acfa6790e92966e50d75f609d574222
SHA256

63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c
SHA512

ff2b1753213192b83937a1d0c15681fbc1a770a52a73b2cf967f1b71cc701f3f25cf1cc06fc3a18b02a6a8745d8b09d603d3b68693d0b621f0e10f9f4a26ffb1
SSDEEP

3072:JNzJ+JITYuxkkCJm1awxASbu9aVBbk7k9w3SAnf/G9:JhJ+ejUm1PZfV9w3SAnf+

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\slrznz68 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AutoIt3Help.exe\""	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4972 set thread context of 4488	4972	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe	81

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4972	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe
4972	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4488	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4488	4972	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe	81
PID 4972 wrote to memory of 4488	4972	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe	81
PID 4972 wrote to memory of 4488	4972	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe	81
PID 4972 wrote to memory of 4488	4972	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe	81
PID 4972 wrote to memory of 4488	4972	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe	81
PID 4972 wrote to memory of 4488	4972	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe	81
PID 4972 wrote to memory of 4488	4972	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe	81
PID 4972 wrote to memory of 4488	4972	63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe	81

C:\Users\Admin\AppData\Local\Temp\63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe
"C:\Users\Admin\AppData\Local\Temp\63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe
  "C:\Users\Admin\AppData\Local\Temp\63d7cca7b05348dc7960fe18bb3f7d2f5f604a8b91111e8e6b1b9ad9f64b629c.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4488-134-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4488-135-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4488-137-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4972-132-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4972-136-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4972-138-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download