764dc344497ecfd81bea46fe59d71c7feae6d744cf5df9911360aef282d1aaef

Analysis

max time kernel
86s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

764dc344497ecfd81bea46fe59d71c7feae6d744cf5df9911360aef282d1aaef.exe
Size

79KB
MD5

570c1be790ea1ef137e5991390eff235
SHA1

c4f4a9f50441153d2cc6cf946aa9b738ae8bae84
SHA256

764dc344497ecfd81bea46fe59d71c7feae6d744cf5df9911360aef282d1aaef
SHA512

247308fb3a09c4cc4e64c759575af7d4f63e78bc2f42a24c6d4f9d1a76f3efa91e8d56aff1664303a37bab20db5f7e65dad7a31c8cf3d31aef744878e06f02fc
SSDEEP

1536:/kxDZEMDTHlRPw1b0q8aWxHrCkdmiC6YOwHLGo5g6O6qAgLVN4PFhIGJpAoIMlDe:/kx6M3XwF0qJWxHr3IiG/Ll5gyqAgLVs

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	764dc344497ecfd81bea46fe59d71c7feae6d744cf5df9911360aef282d1aaef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	764dc344497ecfd81bea46fe59d71c7feae6d744cf5df9911360aef282d1aaef.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1224	764dc344497ecfd81bea46fe59d71c7feae6d744cf5df9911360aef282d1aaef.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1224	764dc344497ecfd81bea46fe59d71c7feae6d744cf5df9911360aef282d1aaef.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	764dc344497ecfd81bea46fe59d71c7feae6d744cf5df9911360aef282d1aaef.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1272	1224	764dc344497ecfd81bea46fe59d71c7feae6d744cf5df9911360aef282d1aaef.exe	12

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\764dc344497ecfd81bea46fe59d71c7feae6d744cf5df9911360aef282d1aaef.exe
  "C:\Users\Admin\AppData\Local\Temp\764dc344497ecfd81bea46fe59d71c7feae6d744cf5df9911360aef282d1aaef.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1224-54-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/1224-55-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/1224-56-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1224-57-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1224-58-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download