b611e61acf59d5c69741d5e43ae53c7a19c8f078370a00f2c1802f567bb639c5

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b611e61acf59d5c69741d5e43ae53c7a19c8f078370a00f2c1802f567bb639c5.exe
Size

33KB
MD5

2540eafe8bba6e9410b069483676a851
SHA1

66c8a4b70d41954a2796708028ed56b8f26b7e72
SHA256

b611e61acf59d5c69741d5e43ae53c7a19c8f078370a00f2c1802f567bb639c5
SHA512

391617f1695d564f2aac9220fa184d2cc519e50b290272d88216e80e84e281f554e2053f858de94a91b445c547a1ba85e4f55baa421195cc0d41dc3d99f56dc5
SSDEEP

384:euH+6ahC6YDUCCR0FaJgffmFdJwYDcRw45H0rikLKY:ek+5AD7BaJgWFda4cJq

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Netscape = "C:\\Users\\Admin\\AppData\\Roaming\\C93B90.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe

Deletes itself 1 IoCs

pid	Process
936	svchost.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	b611e61acf59d5c69741d5e43ae53c7a19c8f078370a00f2c1802f567bb639c5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	b611e61acf59d5c69741d5e43ae53c7a19c8f078370a00f2c1802f567bb639c5.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1104	b611e61acf59d5c69741d5e43ae53c7a19c8f078370a00f2c1802f567bb639c5.exe
1104	b611e61acf59d5c69741d5e43ae53c7a19c8f078370a00f2c1802f567bb639c5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 936	1104	b611e61acf59d5c69741d5e43ae53c7a19c8f078370a00f2c1802f567bb639c5.exe	27
PID 1104 wrote to memory of 936	1104	b611e61acf59d5c69741d5e43ae53c7a19c8f078370a00f2c1802f567bb639c5.exe	27
PID 1104 wrote to memory of 936	1104	b611e61acf59d5c69741d5e43ae53c7a19c8f078370a00f2c1802f567bb639c5.exe	27
PID 1104 wrote to memory of 936	1104	b611e61acf59d5c69741d5e43ae53c7a19c8f078370a00f2c1802f567bb639c5.exe	27

C:\Users\Admin\AppData\Local\Temp\b611e61acf59d5c69741d5e43ae53c7a19c8f078370a00f2c1802f567bb639c5.exe
"C:\Users\Admin\AppData\Local\Temp\b611e61acf59d5c69741d5e43ae53c7a19c8f078370a00f2c1802f567bb639c5.exe"
1⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Adds policy Run key to start application
  - Deletes itself
  PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/936-58-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/936-59-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

Filesize
32KB

Download
memory/936-60-0x0000000000080000-0x0000000000084000-memory.dmp

Filesize
16KB

Download
memory/936-61-0x0000000000030000-0x000000000003C000-memory.dmp

Filesize
48KB

Download
memory/936-62-0x0000000000030000-0x000000000003C000-memory.dmp

Filesize
48KB

Download
memory/1104-54-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/1104-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1104-57-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download