5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe
Size

3.7MB
MD5

70159b4ce9c6c87eeaea49a4fc67dffd
SHA1

5cd1e24cc5cb7c3615b6ad3f4a6355da0d55dcfd
SHA256

5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3
SHA512

ce3ff429fe16b4e756a4ef1673efd7f72576fbffb199637feee226173e9884a908f8db0dd63ebac92db4124bfbae6cd671ed0ec4899e67924528dec22011ff41
SSDEEP

98304:ng56cx14Fyc6rEC/dtw4cfD88rdArHDn0H/446:g5j14FKw663fvqrHqH6

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Defender = "\"C:\\ProgramData\\adminSafe.exe\""	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Defender = "\"C:\\ProgramData\\adminSafe.exe\""	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe

description	pid	process	target process
PID 1152 set thread context of 1868	1152	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe

pid process

1868 5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe

pid	process
1868	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe

description	pid	process	target process
PID 1152 wrote to memory of 1868	1152	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe
PID 1152 wrote to memory of 1868	1152	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe
PID 1152 wrote to memory of 1868	1152	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe
PID 1152 wrote to memory of 1868	1152	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe
PID 1152 wrote to memory of 1868	1152	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe	5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe

C:\Users\Admin\AppData\Local\Temp\5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe
"C:\Users\Admin\AppData\Local\Temp\5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe
  "C:\Users\Admin\AppData\Local\Temp\5c443e60a53a7d23095ef1a6c5454fc3d70130046b94c2540cf281a4ec58e1d3.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1868-132-0x0000000000000000-mapping.dmp

Download
memory/1868-133-0x0000000000800000-0x0000000000B57000-memory.dmp

Filesize
3.3MB

Download
memory/1868-134-0x0000000000800000-0x0000000000B57000-memory.dmp

Filesize
3.3MB

Download
memory/1868-135-0x0000000000800000-0x0000000000B57000-memory.dmp

Filesize
3.3MB

Download
memory/1868-136-0x0000000000800000-0x0000000000B57000-memory.dmp

Filesize
3.3MB

Download
memory/1868-137-0x0000000000800000-0x0000000000B57000-memory.dmp

Filesize
3.3MB

Download