2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57

Analysis

max time kernel
193s
max time network
244s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe
Size

420KB
MD5

140c256bfc0683adb84d71785610e2d4
SHA1

777fba4bbeba7c8fd68bb962436254eae4eb7294
SHA256

2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57
SHA512

fbce23ef5babd1785c6b3ab35079a5d99b9fdd9724425aee92ea9f7bd054ea920228c9947347056f9438a155a9c0a85698100a003b8eb634b8da467f9c3018b6
SSDEEP

12288:PlBelJGyZ8wlvJCMt7sCBI4vAJ1Jvs9P:90l4ydBCyK4vih

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe"	2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe

pid	process
1664	2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe
1664	2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1244
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe

pid process

1664 2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeDebugPrivilege 1244
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1244
1244
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1244
1244

pid	process
1244

description	pid	process
Token: SeDebugPrivilege	1244

pid	process
1244
1244

pid	process
1244
1244

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe

pid	process
1664	2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe
1664	2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe

pid process

1664 2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe

C:\Users\Admin\AppData\Local\Temp\2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe
"C:\Users\Admin\AppData\Local\Temp\2c6e63a2d367128048b73fde594c509b9cee39f89d81d8f3c1512a7777e22a57.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:1664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1244-59-0x0000000003BF0000-0x0000000003C23000-memory.dmp

Filesize
204KB

Download
memory/1244-58-0x0000000002CC0000-0x0000000002CEF000-memory.dmp

Filesize
188KB

Download
memory/1664-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1664-55-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1664-57-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1664-60-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download