cd5918b83bd6d105c80d87483dea67ed2a09c78be6f1d31ca8c146cbee4259ae

Analysis

max time kernel
152s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd5918b83bd6d105c80d87483dea67ed2a09c78be6f1d31ca8c146cbee4259ae.exe
Size

8KB
MD5

b77cb8b19c732b9585e916cb08d5533f
SHA1

0fa6a895afd4fdd69d73f6337168f6783dedaf11
SHA256

cd5918b83bd6d105c80d87483dea67ed2a09c78be6f1d31ca8c146cbee4259ae
SHA512

0d7b5a6f8c61b5b3ed09f8e3663442d902e8c015704c9d11c3d7454e0fdd41536caf6ee196259c31543b2c17abe691d90e9fd5b66a878483b2ab72ae5de0883a
SSDEEP

96:SaLnD6vAnohJ0iii319eU7soRgt4tvtbtlGTCeC/5ox16Hx1x:SaTD6onob91qGFlvN/5HB

Score

1^/10

Malware Config

Signatures

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4724	reg.exe

Runs .reg file with regedit 2 IoCs

pid	Process
876	regedit.exe
4788	regedit.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 4828	2748	cd5918b83bd6d105c80d87483dea67ed2a09c78be6f1d31ca8c146cbee4259ae.exe	81
PID 2748 wrote to memory of 4828	2748	cd5918b83bd6d105c80d87483dea67ed2a09c78be6f1d31ca8c146cbee4259ae.exe	81
PID 2748 wrote to memory of 4828	2748	cd5918b83bd6d105c80d87483dea67ed2a09c78be6f1d31ca8c146cbee4259ae.exe	81
PID 4828 wrote to memory of 876	4828	cmd.exe	82
PID 4828 wrote to memory of 876	4828	cmd.exe	82
PID 4828 wrote to memory of 876	4828	cmd.exe	82
PID 4828 wrote to memory of 4564	4828	cmd.exe	83
PID 4828 wrote to memory of 4564	4828	cmd.exe	83
PID 4828 wrote to memory of 4564	4828	cmd.exe	83
PID 4828 wrote to memory of 1108	4828	cmd.exe	84
PID 4828 wrote to memory of 1108	4828	cmd.exe	84
PID 4828 wrote to memory of 1108	4828	cmd.exe	84
PID 4828 wrote to memory of 4788	4828	cmd.exe	85
PID 4828 wrote to memory of 4788	4828	cmd.exe	85
PID 4828 wrote to memory of 4788	4828	cmd.exe	85
PID 4828 wrote to memory of 4724	4828	cmd.exe	86
PID 4828 wrote to memory of 4724	4828	cmd.exe	86
PID 4828 wrote to memory of 4724	4828	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\cd5918b83bd6d105c80d87483dea67ed2a09c78be6f1d31ca8c146cbee4259ae.exe
"C:\Users\Admin\AppData\Local\Temp\cd5918b83bd6d105c80d87483dea67ed2a09c78be6f1d31ca8c146cbee4259ae.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240572312.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s Set.reg
    3⤵
    - Runs .reg file with regedit
    PID:876
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s shellex.dll
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s 2k.reg
    3⤵
    - Runs .reg file with regedit
    PID:4788
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SOFTWARE\KasperskyLab\AVP6\environment /v DataRoot /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp" /f
    3⤵
    - Modifies registry key
    PID:4724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240572312.bat

Filesize
724B

MD5
8bbb6d0133b1f7a9fdef79a1ce4832e0

SHA1
0575a794d0517ab1e8e6c7231a7623bbad8ac2ec

SHA256
3aacb75151e1af41839762ca4edaa471367aa82913fe6d417ad047c8c44faf52

SHA512
6841a6f12f7a6f5594a763971df8c6db073a65341b094fd098396b3ee4c8fd1004313a14b8aa4c95d4cdf7c5e567bb76a7b509cb3a567e1fcfa0a66f281bbad9

Download Submit