ec4cb2623fbc85bc3aabcad5a1ea93966cc2e61c653b993fa5104021cd0f54f1

Analysis

max time kernel
202s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20A565943964AC488DCCCCB0F12092DB.exe
Size

343KB
MD5

20a565943964ac488dccccb0f12092db
SHA1

d9faa5107f89b543fe0514e2f04f2bb7ad38e176
SHA256

ec4cb2623fbc85bc3aabcad5a1ea93966cc2e61c653b993fa5104021cd0f54f1
SHA512

d033b52c8957a54ba4db5463cbfda607ad080861cce8c4d505bf5bdbd09bfe7a59b6d4af94514cd5b78c48fcf4739f9d2e46cd98c81097da6151e98454e6ab97
SSDEEP

3072:DQ8Jstxp5/YDHh8fzYQYwRVyv6MIWoy+hdEdZTpDbexB7sg+Rhtk7v:UBxpkhFQt4v67oA6rgsrIL

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1014a921.exe explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1014a921.exe	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*014a92 = "C:\\1014a921\\1014a921.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\1014a921 = "C:\\Users\\Admin\\AppData\\Roaming\\1014a921.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*014a921 = "C:\\Users\\Admin\\AppData\\Roaming\\1014a921.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\1014a92 = "C:\\1014a921\\1014a921.exe"	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

20A565943964AC488DCCCCB0F12092DB.exe

pid process

568 20A565943964AC488DCCCCB0F12092DB.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

20A565943964AC488DCCCCB0F12092DB.exe

pid process

568 20A565943964AC488DCCCCB0F12092DB.exe

pid	process
568	20A565943964AC488DCCCCB0F12092DB.exe

pid	process
568	20A565943964AC488DCCCCB0F12092DB.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

20A565943964AC488DCCCCB0F12092DB.exe

description	pid	process	target process
PID 568 wrote to memory of 788	568	20A565943964AC488DCCCCB0F12092DB.exe	explorer.exe
PID 568 wrote to memory of 788	568	20A565943964AC488DCCCCB0F12092DB.exe	explorer.exe
PID 568 wrote to memory of 788	568	20A565943964AC488DCCCCB0F12092DB.exe	explorer.exe
PID 568 wrote to memory of 788	568	20A565943964AC488DCCCCB0F12092DB.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\20A565943964AC488DCCCCB0F12092DB.exe
"C:\Users\Admin\AppData\Local\Temp\20A565943964AC488DCCCCB0F12092DB.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\syswow64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
2⤵
- Drops startup file
- Adds Run key to start application
PID:788

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/568-54-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/568-56-0x00000000002B0000-0x00000000002D2000-memory.dmp

Filesize
136KB

Download
memory/568-58-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/788-55-0x0000000000000000-mapping.dmp

Download
memory/788-59-0x0000000074A41000-0x0000000074A43000-memory.dmp

Filesize
8KB

Download
memory/788-60-0x00000000000C0000-0x00000000000E5000-memory.dmp

Filesize
148KB

Download