ec4cb2623fbc85bc3aabcad5a1ea93966cc2e61c653b993fa5104021cd0f54f1

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20A565943964AC488DCCCCB0F12092DB.exe
Size

343KB
MD5

20a565943964ac488dccccb0f12092db
SHA1

d9faa5107f89b543fe0514e2f04f2bb7ad38e176
SHA256

ec4cb2623fbc85bc3aabcad5a1ea93966cc2e61c653b993fa5104021cd0f54f1
SHA512

d033b52c8957a54ba4db5463cbfda607ad080861cce8c4d505bf5bdbd09bfe7a59b6d4af94514cd5b78c48fcf4739f9d2e46cd98c81097da6151e98454e6ab97
SSDEEP

3072:DQ8Jstxp5/YDHh8fzYQYwRVyv6MIWoy+hdEdZTpDbexB7sg+Rhtk7v:UBxpkhFQt4v67oA6rgsrIL

Score

10^/10

persistence phishing

Malware Config

Signatures

Detected phishing page
phishing
Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e1667ee4.exe explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e1667ee4.exe	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e1667ee = "C:\\e1667ee4\\e1667ee4.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*1667ee = "C:\\e1667ee4\\e1667ee4.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e1667ee4 = "C:\\Users\\Admin\\AppData\\Roaming\\e1667ee4.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*1667ee4 = "C:\\Users\\Admin\\AppData\\Roaming\\e1667ee4.exe"	explorer.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-addr.es
11 ip-addr.es
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

20A565943964AC488DCCCCB0F12092DB.exeexplorer.exe

pid process

4828 20A565943964AC488DCCCCB0F12092DB.exe
1500 explorer.exe

flow	ioc
9	ip-addr.es
11	ip-addr.es

pid	process
4828	20A565943964AC488DCCCCB0F12092DB.exe
1500	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

20A565943964AC488DCCCCB0F12092DB.exeexplorer.exe

description	pid	process	target process
PID 4828 wrote to memory of 1500	4828	20A565943964AC488DCCCCB0F12092DB.exe	explorer.exe
PID 4828 wrote to memory of 1500	4828	20A565943964AC488DCCCCB0F12092DB.exe	explorer.exe
PID 4828 wrote to memory of 1500	4828	20A565943964AC488DCCCCB0F12092DB.exe	explorer.exe
PID 1500 wrote to memory of 4312	1500	explorer.exe	svchost.exe
PID 1500 wrote to memory of 4312	1500	explorer.exe	svchost.exe
PID 1500 wrote to memory of 4312	1500	explorer.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\20A565943964AC488DCCCCB0F12092DB.exe
"C:\Users\Admin\AppData\Local\Temp\20A565943964AC488DCCCCB0F12092DB.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\svchost.exe
-k netsvcs
3⤵
PID:4312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1500-134-0x0000000000000000-mapping.dmp

Download
memory/1500-136-0x0000000000EC0000-0x0000000000EE5000-memory.dmp

Filesize
148KB

Download
memory/4312-137-0x0000000000000000-mapping.dmp

Download
memory/4312-138-0x0000000000750000-0x0000000000775000-memory.dmp

Filesize
148KB

Download
memory/4312-139-0x0000000000750000-0x0000000000775000-memory.dmp

Filesize
148KB

Download
memory/4828-132-0x0000000002190000-0x00000000021B2000-memory.dmp

Filesize
136KB

Download
memory/4828-133-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4828-135-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download