74e15760764f5a20bc3ad136da03870d5d98e0e164935b7533492a1a4d866ca4

Analysis

max time kernel
111s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74e15760764f5a20bc3ad136da03870d5d98e0e164935b7533492a1a4d866ca4.exe
Size

427KB
MD5

c71a4fb9bdca2711867b828d40142db0
SHA1

4417d5d471455a8959d13b480db4124780056535
SHA256

74e15760764f5a20bc3ad136da03870d5d98e0e164935b7533492a1a4d866ca4
SHA512

f1ffeabd6c48602b8b8a6a4e07d7472472ffb21179369e5296ae9f636761286ff81406f14e6d17c0dd6d4f0337f1f4f9379208523c8973d6673169c09ef40226
SSDEEP

12288:xDA2PW7GdWlT3VWgWpsR3+31/9pbMcaJmpvHtAburqwr/:5Au+C0rVz3R3CZ/Ta8NAburqu/

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2576	xghBE73.tmp
4536	xghBE73.tmp
4424	6r4C7F8.tmp

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\74e15760764f5a20bc3ad136da03870d5d98e0e164935b7533492a1a4d866ca4.exe\""	6r4C7F8.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	6r4C7F8.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\74e15760764f5a20bc3ad136da03870d5d98e0e164935b7533492a1a4d866ca4.exe\""	6r4C7F8.tmp
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	6r4C7F8.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2576	2340	74e15760764f5a20bc3ad136da03870d5d98e0e164935b7533492a1a4d866ca4.exe	83
PID 2340 wrote to memory of 2576	2340	74e15760764f5a20bc3ad136da03870d5d98e0e164935b7533492a1a4d866ca4.exe	83
PID 2340 wrote to memory of 2576	2340	74e15760764f5a20bc3ad136da03870d5d98e0e164935b7533492a1a4d866ca4.exe	83
PID 2576 wrote to memory of 4536	2576	xghBE73.tmp	84
PID 2576 wrote to memory of 4536	2576	xghBE73.tmp	84
PID 2576 wrote to memory of 4536	2576	xghBE73.tmp	84
PID 2576 wrote to memory of 4424	2576	xghBE73.tmp	85
PID 2576 wrote to memory of 4424	2576	xghBE73.tmp	85
PID 2576 wrote to memory of 4424	2576	xghBE73.tmp	85
PID 2576 wrote to memory of 4148	2576	xghBE73.tmp	86
PID 2576 wrote to memory of 4148	2576	xghBE73.tmp	86
PID 2576 wrote to memory of 4148	2576	xghBE73.tmp	86

C:\Users\Admin\AppData\Local\Temp\74e15760764f5a20bc3ad136da03870d5d98e0e164935b7533492a1a4d866ca4.exe
"C:\Users\Admin\AppData\Local\Temp\74e15760764f5a20bc3ad136da03870d5d98e0e164935b7533492a1a4d866ca4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\xghBE73.tmp
  C:\Users\Admin\AppData\Local\Temp\xghBE73.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\xghBE73.tmp
    C:\Users\Admin\AppData\Local\Temp\xghBE73.tmp
    3⤵
    - Executes dropped EXE
    PID:4536
- - C:\Users\Admin\AppData\Local\Temp\6r4C7F8.tmp
    C:\Users\Admin\AppData\Local\Temp\6r4C7F8.tmp "C:\Users\Admin\AppData\Local\Temp\74e15760764f5a20bc3ad136da03870d5d98e0e164935b7533492a1a4d866ca4.exe" 3 update update
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4424
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    PID:4148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6r4C7F8.tmp

Filesize
34KB

MD5
91e85bdf8f3e7df5c243126fda9122a3

SHA1
8158cf5797085e91fda1edd0fb9b5890a4178899

SHA256
53cce0fd9285ec1696922d0da8f249ffad078a3afbab349bf864209ae06c2230

SHA512
c1327669fd1279d0f053f8eb4d7304002c23cdf4b9641e8eb1041fedef0267430afa211be72297ef1e220c2f332a00b533219662cda4f4833303ffb79fc65eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\xghBE73.tmp

Filesize
75KB

MD5
39b746ac9c4b1dd90d7423b68a769746

SHA1
f791b078e79f1388b00b13c2c99969b22ea5c9f6

SHA256
10c9ee25bdc27e6b2acbdaf9c50289a8f3fcd5e04eafbe789f1e4b652fcc2344

SHA512
c163942bab20484a4321cafa72d5632644da14f5f85283838763e35a7114b6b0833e90761bd2d280a0797f7fa059ab345a8f803167d06197c5f374835b235206

Download Submit
C:\Users\Admin\AppData\Local\Temp\xghBE73.tmp

Filesize
75KB

MD5
39b746ac9c4b1dd90d7423b68a769746

SHA1
f791b078e79f1388b00b13c2c99969b22ea5c9f6

SHA256
10c9ee25bdc27e6b2acbdaf9c50289a8f3fcd5e04eafbe789f1e4b652fcc2344

SHA512
c163942bab20484a4321cafa72d5632644da14f5f85283838763e35a7114b6b0833e90761bd2d280a0797f7fa059ab345a8f803167d06197c5f374835b235206

Download Submit