244d9fa9e869cf565e9b6ff4c5167c07202f08d27b97d93343d8b4dcbf335f96

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 10:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

244d9fa9e869cf565e9b6ff4c5167c07202f08d27b97d93343d8b4dcbf335f96.exe
Size

28KB
MD5

7a44fb476e8384284bbcdb3db820a0e4
SHA1

8364513fc7a8855b9f22b6adcf67347671fe42f7
SHA256

244d9fa9e869cf565e9b6ff4c5167c07202f08d27b97d93343d8b4dcbf335f96
SHA512

00d899765fed7b95b62ed58d7ec71e128918f167bc8a843c67552098ac5cccef4b352c4430ee60873a1ca5c80c2513b04cbc03ef8022da44f52030d0b90c5a28
SSDEEP

384:Py+ppmj1VlhX4WaXzfwwXNyiDx10jaQpRveBj0YUSHNpXoEqPQ0:Py+ppmjflhXDMzfww9VypRvyLVqp

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Google = "C:\\Users\\Admin\\AppData\\Roaming\\BCE7EA.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
900	svchost.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	244d9fa9e869cf565e9b6ff4c5167c07202f08d27b97d93343d8b4dcbf335f96.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	244d9fa9e869cf565e9b6ff4c5167c07202f08d27b97d93343d8b4dcbf335f96.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1696	244d9fa9e869cf565e9b6ff4c5167c07202f08d27b97d93343d8b4dcbf335f96.exe
1696	244d9fa9e869cf565e9b6ff4c5167c07202f08d27b97d93343d8b4dcbf335f96.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 900	1696	244d9fa9e869cf565e9b6ff4c5167c07202f08d27b97d93343d8b4dcbf335f96.exe	27
PID 1696 wrote to memory of 900	1696	244d9fa9e869cf565e9b6ff4c5167c07202f08d27b97d93343d8b4dcbf335f96.exe	27
PID 1696 wrote to memory of 900	1696	244d9fa9e869cf565e9b6ff4c5167c07202f08d27b97d93343d8b4dcbf335f96.exe	27
PID 1696 wrote to memory of 900	1696	244d9fa9e869cf565e9b6ff4c5167c07202f08d27b97d93343d8b4dcbf335f96.exe	27

C:\Users\Admin\AppData\Local\Temp\244d9fa9e869cf565e9b6ff4c5167c07202f08d27b97d93343d8b4dcbf335f96.exe
"C:\Users\Admin\AppData\Local\Temp\244d9fa9e869cf565e9b6ff4c5167c07202f08d27b97d93343d8b4dcbf335f96.exe"
1⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Adds policy Run key to start application
  - Deletes itself
  PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/900-57-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/900-58-0x0000000000D30000-0x0000000000D38000-memory.dmp

Filesize
32KB

Download
memory/900-59-0x0000000000080000-0x0000000000084000-memory.dmp

Filesize
16KB

Download
memory/900-60-0x0000000000030000-0x000000000003C000-memory.dmp

Filesize
48KB

Download
memory/900-61-0x0000000000030000-0x000000000003C000-memory.dmp

Filesize
48KB

Download
memory/1696-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1696-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download