ba11b70500f41980a515c4cd4d07f6353949528d3fb68d3a4b909d6ad0adfceb

Analysis

max time kernel
181s
max time network
212s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba11b70500f41980a515c4cd4d07f6353949528d3fb68d3a4b909d6ad0adfceb.exe
Size

191KB
MD5

74a7185a31c1ce2f719eaf05331b19c7
SHA1

5d20b39008d3b12ee3819e67b637724c29d82666
SHA256

ba11b70500f41980a515c4cd4d07f6353949528d3fb68d3a4b909d6ad0adfceb
SHA512

e29c52fe9efc1f5b4a7b9b63c082a37ab2d2701fd5800e541e95e9593be1acfcdbc88afb9c4fdae6b151dab0d83e2e195f79e0fc0a6cff1badffb26b0a448393
SSDEEP

3072:0QnKtS05Zj0KoA2n3YE/LAL0Emb4S5/LNgrkruU7h4hAzM+oxekTu7Dbede86Ey8:0QnGS05ZRoz//LAL6b4K/BgOrfzM+Ae6

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2000	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1172	ba11b70500f41980a515c4cd4d07f6353949528d3fb68d3a4b909d6ad0adfceb.exe
1172	ba11b70500f41980a515c4cd4d07f6353949528d3fb68d3a4b909d6ad0adfceb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ba11b70500f41980a515c4cd4d07f6353949528d3fb68d3a4b909d6ad0adfceb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"	ba11b70500f41980a515c4cd4d07f6353949528d3fb68d3a4b909d6ad0adfceb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2000	1172	ba11b70500f41980a515c4cd4d07f6353949528d3fb68d3a4b909d6ad0adfceb.exe	28
PID 1172 wrote to memory of 2000	1172	ba11b70500f41980a515c4cd4d07f6353949528d3fb68d3a4b909d6ad0adfceb.exe	28
PID 1172 wrote to memory of 2000	1172	ba11b70500f41980a515c4cd4d07f6353949528d3fb68d3a4b909d6ad0adfceb.exe	28
PID 1172 wrote to memory of 2000	1172	ba11b70500f41980a515c4cd4d07f6353949528d3fb68d3a4b909d6ad0adfceb.exe	28

C:\Users\Admin\AppData\Local\Temp\ba11b70500f41980a515c4cd4d07f6353949528d3fb68d3a4b909d6ad0adfceb.exe
"C:\Users\Admin\AppData\Local\Temp\ba11b70500f41980a515c4cd4d07f6353949528d3fb68d3a4b909d6ad0adfceb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Roaming\taskhost.exe
  C:\Users\Admin\AppData\Roaming\taskhost.exe
  2⤵
  - Executes dropped EXE
  PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
191KB

MD5
d932fbc57f1b5be44f64febbe571bb08

SHA1
cd0528fb399fee3055820531bdc9a5d824f324bd

SHA256
4a7d5803b028872cee5c93287ddd8263613b5eec6b0c0491fa739a07445a6d81

SHA512
3283dfc59735d28c8744ac247c7940b5f9501db49d6c8b828e42c14a8487209b9fb80add9ac245982e71fe90db22575cc52598b008d8e0515049ff137786d12e

Download Submit
\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
191KB

MD5
d932fbc57f1b5be44f64febbe571bb08

SHA1
cd0528fb399fee3055820531bdc9a5d824f324bd

SHA256
4a7d5803b028872cee5c93287ddd8263613b5eec6b0c0491fa739a07445a6d81

SHA512
3283dfc59735d28c8744ac247c7940b5f9501db49d6c8b828e42c14a8487209b9fb80add9ac245982e71fe90db22575cc52598b008d8e0515049ff137786d12e

Download Submit
\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
191KB

MD5
d932fbc57f1b5be44f64febbe571bb08

SHA1
cd0528fb399fee3055820531bdc9a5d824f324bd

SHA256
4a7d5803b028872cee5c93287ddd8263613b5eec6b0c0491fa739a07445a6d81

SHA512
3283dfc59735d28c8744ac247c7940b5f9501db49d6c8b828e42c14a8487209b9fb80add9ac245982e71fe90db22575cc52598b008d8e0515049ff137786d12e

Download Submit
memory/1172-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1172-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1172-62-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2000-61-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download