0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 20:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe
Size

180KB
MD5

1e4216c321658e3128f2c5f44dac6265
SHA1

bdf7d6116427080a6c70b952c5f19c25946be52b
SHA256

0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e
SHA512

ae0750438729a0fd1f306c2784451508fd2eaa7ad3339a30c2f95da6bff4bbd4181e0a15f7906286ff9821d8887f72faba21708b53c1a6d7e2a53b1cf5fb7dd6
SSDEEP

3072:fxG4fzELIMy29NBnXhLz6HVBaEJxVDn0xQSmVPU13qe9gGLf:fxLz6jB6ffn0uSmJE3qe99

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\geserewacge = "C:\\Users\\Admin\\geserewacge.exe"	0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 112 set thread context of 1116	112	0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1116	0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
112	0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 1116	112	0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe	27
PID 112 wrote to memory of 1116	112	0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe	27
PID 112 wrote to memory of 1116	112	0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe	27
PID 112 wrote to memory of 1116	112	0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe	27
PID 112 wrote to memory of 1116	112	0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe	27
PID 112 wrote to memory of 1116	112	0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe	27
PID 112 wrote to memory of 1116	112	0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe	27
PID 112 wrote to memory of 1116	112	0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe	27
PID 112 wrote to memory of 1116	112	0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe	27
PID 112 wrote to memory of 1116	112	0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe	27

C:\Users\Admin\AppData\Local\Temp\0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe
"C:\Users\Admin\AppData\Local\Temp\0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:112
- C:\Users\Admin\AppData\Local\Temp\0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe
  "C:\Users\Admin\AppData\Local\Temp\0fdf475b4d6c025264c2cde5c8558706fe2d96756c1a93bdc8f765944008699e.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-56-0x0000000004000000-0x0000000004014000-memory.dmp

Filesize
80KB

Download
memory/1116-57-0x0000000004000000-0x0000000004014000-memory.dmp

Filesize
80KB

Download
memory/1116-59-0x0000000004000000-0x0000000004014000-memory.dmp

Filesize
80KB

Download
memory/1116-61-0x0000000004000000-0x0000000004014000-memory.dmp

Filesize
80KB

Download
memory/1116-63-0x0000000004000000-0x0000000004014000-memory.dmp

Filesize
80KB

Download
memory/1116-64-0x0000000004000000-0x0000000004014000-memory.dmp

Filesize
80KB

Download
memory/1116-67-0x0000000004000000-0x0000000004014000-memory.dmp

Filesize
80KB

Download
memory/1116-68-0x0000000004000000-0x0000000004014000-memory.dmp

Filesize
80KB

Download
memory/1116-69-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1116-70-0x0000000004000000-0x0000000004014000-memory.dmp

Filesize
80KB

Download