a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb

Analysis

max time kernel
230s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
Size

256KB
MD5

6b685c08e134e25700e7a2b775c31a0f
SHA1

30229c20885da61677094702cbbf5b24b03ae764
SHA256

a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb
SHA512

6772e58368d7c78d735b38947b70a07b9d14ff4c8e4551ac3742674f968c6d13a6c658b63fee811fb378c0ed442909fa731da85cf4e1ea43592a48bed1d39c58
SSDEEP

3072:duuKaVoYWUJSX5yYKVgWmUIbQ9DqO7tLIMQkMVttWXAHVOpMNnaJum1s0NTxTOSZ:duQsXUsQ9DJ5SxVi+YvXKSi/duN

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\mstvpnehew.sys	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\mstvpnehew.sys	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe

Deletes itself 1 IoCs

pid	Process
1104	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1104	1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe	30
PID 1640 wrote to memory of 1104	1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe	30
PID 1640 wrote to memory of 1104	1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe	30
PID 1640 wrote to memory of 1104	1640	a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe	30

C:\Users\Admin\AppData\Local\Temp\a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe
"C:\Users\Admin\AppData\Local\Temp\a5f401e41d3e51dbf01359a07d3702e3e3bfb8143f798e0aa261b80f89af22cb.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\del708e7b.bat"
  2⤵
  - Deletes itself
  PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del708e7b.bat

Filesize
306B

MD5
fdd1b8b10a5a849003a7a18481c5c36b

SHA1
668ff1e4ebb078ff22f62902a60a3846630cddbf

SHA256
7b3202e079b14568e85ece4d72752ff4acd6bd2b065a598be80b2d07339aafff

SHA512
c371aea7c8fa17918b1e2582bcba23a070311fcaaac398565ce34618a7abc35a1bd7e5a54e6bfbb13fa867dabcaacd09822a4b120419b5acb9c7ed366e966083

Download Submit
memory/1640-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-55-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download