be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda

Analysis

max time kernel
26s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda.exe
Size

32KB
MD5

b09797f37e1b6b2f9d94b0087894712c
SHA1

9e84857a9585a6c52bbf82bb5db628f70f893df9
SHA256

be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda
SHA512

d85f2a9bba152a974409fcfa40acd486f98d9148d98deec045a0d750ccbbb839c58829140142fea3b5d2794da668df20d6c1eefbbb1b791006b759c0d65446d8
SSDEEP

384:UjbIe5c9lx/SVJ6vBDrGBZF+WFAq8pxzx6X65qmADUdRkd0yntlOep4W:UjbjcnBgJgD6ZFZAqwx6X65qmNR2z

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1352	ld08.exe

Deletes itself 1 IoCs

pid	Process
1444	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ld08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sysldtray = "c:\\windows\\ld08.exe"	ld08.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\ld08.exe	be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda.exe
File created	\??\c:\windows\ld08.exe	be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 1352	1028	be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda.exe	27
PID 1028 wrote to memory of 1352	1028	be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda.exe	27
PID 1028 wrote to memory of 1352	1028	be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda.exe	27
PID 1028 wrote to memory of 1352	1028	be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda.exe	27
PID 1028 wrote to memory of 1444	1028	be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda.exe	28
PID 1028 wrote to memory of 1444	1028	be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda.exe	28
PID 1028 wrote to memory of 1444	1028	be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda.exe	28
PID 1028 wrote to memory of 1444	1028	be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda.exe	28

C:\Users\Admin\AppData\Local\Temp\be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda.exe
"C:\Users\Admin\AppData\Local\Temp\be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1028
- \??\c:\windows\ld08.exe
  c:\windows\ld08.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\43214354.bat
  2⤵
  - Deletes itself
  PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ld08.exe

Filesize
32KB

MD5
b09797f37e1b6b2f9d94b0087894712c

SHA1
9e84857a9585a6c52bbf82bb5db628f70f893df9

SHA256
be52f5a7566cf3a8af68afac671792cb46ae4b2bdff187c414a903bdc5564eda

SHA512
d85f2a9bba152a974409fcfa40acd486f98d9148d98deec045a0d750ccbbb839c58829140142fea3b5d2794da668df20d6c1eefbbb1b791006b759c0d65446d8

Download Submit
\??\c:\43214354.bat

Filesize
306B

MD5
ade355401fb8d4a5b6bebfc0ea7720a4

SHA1
c250197c34e762bc7b39317f519e30f2db3b3b56

SHA256
ea469d9c5d76e63d3a2e18df9e28e5812c268d1090466bdee00fcbebbb02019e

SHA512
617ab7c9caddbda97595337df6d5a4bb3eec0644b24d2f940bc3a68f3db13c56f39d7c14bb361182d2dcd2216482a0ffae738a5614aaaabcfac6481773edd978

Download Submit
memory/1028-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download