6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe
Size

323KB
MD5

89c86d570804c9610e2f58a93341dd23
SHA1

502bbfa331191127f71d426c587ca4462c24907d
SHA256

6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc
SHA512

f9e1ea406fea6cc6d3852baaabbbbdb7e3264b7fed033b321e9d86e78e3b009a381bb0ce4b4205716e7f802c2a300bbb8abe27426880888d142557ff3f4e0a88
SSDEEP

6144:WVFNGbvieOGXlJZ1Nh+fyMcdLVOM68p4ozX5:WVFNmvLOUpNakVOt8p4y

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1748	xiaw.exe
1204	xiaw.exe

Deletes itself 1 IoCs

pid	Process
912	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
692	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe
692	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	xiaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Avto\\xiaw.exe"	xiaw.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 692	1688	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	27
PID 1748 set thread context of 1204	1748	xiaw.exe	29

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe
1204	xiaw.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 692	1688	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	27
PID 1688 wrote to memory of 692	1688	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	27
PID 1688 wrote to memory of 692	1688	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	27
PID 1688 wrote to memory of 692	1688	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	27
PID 1688 wrote to memory of 692	1688	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	27
PID 1688 wrote to memory of 692	1688	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	27
PID 1688 wrote to memory of 692	1688	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	27
PID 1688 wrote to memory of 692	1688	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	27
PID 1688 wrote to memory of 692	1688	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	27
PID 692 wrote to memory of 1748	692	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	28
PID 692 wrote to memory of 1748	692	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	28
PID 692 wrote to memory of 1748	692	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	28
PID 692 wrote to memory of 1748	692	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	28
PID 1748 wrote to memory of 1204	1748	xiaw.exe	29
PID 1748 wrote to memory of 1204	1748	xiaw.exe	29
PID 1748 wrote to memory of 1204	1748	xiaw.exe	29
PID 1748 wrote to memory of 1204	1748	xiaw.exe	29
PID 1748 wrote to memory of 1204	1748	xiaw.exe	29
PID 1748 wrote to memory of 1204	1748	xiaw.exe	29
PID 1748 wrote to memory of 1204	1748	xiaw.exe	29
PID 1748 wrote to memory of 1204	1748	xiaw.exe	29
PID 1748 wrote to memory of 1204	1748	xiaw.exe	29
PID 1204 wrote to memory of 1112	1204	xiaw.exe	10
PID 1204 wrote to memory of 1112	1204	xiaw.exe	10
PID 1204 wrote to memory of 1112	1204	xiaw.exe	10
PID 1204 wrote to memory of 1112	1204	xiaw.exe	10
PID 1204 wrote to memory of 1112	1204	xiaw.exe	10
PID 1204 wrote to memory of 1172	1204	xiaw.exe	17
PID 1204 wrote to memory of 1172	1204	xiaw.exe	17
PID 1204 wrote to memory of 1172	1204	xiaw.exe	17
PID 1204 wrote to memory of 1172	1204	xiaw.exe	17
PID 1204 wrote to memory of 1172	1204	xiaw.exe	17
PID 692 wrote to memory of 912	692	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	30
PID 692 wrote to memory of 912	692	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	30
PID 692 wrote to memory of 912	692	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	30
PID 692 wrote to memory of 912	692	6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe	30
PID 1204 wrote to memory of 1212	1204	xiaw.exe	11
PID 1204 wrote to memory of 1212	1204	xiaw.exe	11
PID 1204 wrote to memory of 1212	1204	xiaw.exe	11
PID 1204 wrote to memory of 1212	1204	xiaw.exe	11
PID 1204 wrote to memory of 1212	1204	xiaw.exe	11
PID 1204 wrote to memory of 912	1204	xiaw.exe	30
PID 1204 wrote to memory of 912	1204	xiaw.exe	30
PID 1204 wrote to memory of 912	1204	xiaw.exe	30

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe
  "C:\Users\Admin\AppData\Local\Temp\6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe
    "C:\Users\Admin\AppData\Local\Temp\6812bf01c6a0dca4b9e8625d135852d27801297dddac1d27aac2529fcaebafbc.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Users\Admin\AppData\Roaming\Avto\xiaw.exe
      "C:\Users\Admin\AppData\Roaming\Avto\xiaw.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Users\Admin\AppData\Roaming\Avto\xiaw.exe
        
        "C:\Users\Admin\AppData\Roaming\Avto\xiaw.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1204
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5bac1522.bat"
      4⤵
      Deletes itself
      PID:912

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5bac1522.bat

Filesize
307B

MD5
027f708930df4e03628425d61632f69b

SHA1
92011c3fbe4d5b82aae371b713cdcf893cc26ca8

SHA256
45c6d6dcaf77218d6be0192589f0921c01b358b26cf7536330dc2c6adabe85ef

SHA512
74336212dc38761940bc0554dba0e7b7caabaff49ce3cd18b5670ecd921b8e9695d82cf063c5e45adb9aa7a178645142a706ef0644c3f65fab41059d5686dbfe

Download Submit
C:\Users\Admin\AppData\Roaming\Avto\xiaw.exe

Filesize
323KB

MD5
9c8ae9da65cfa40f587e55320977863b

SHA1
2ee4b03527ef41e73f2c2c598f17d28e1ca968b5

SHA256
a0e584e18a7014a5fa1807390cf854cd871604fcb2f957493c347024dacb4059

SHA512
17098ac2e91fcba4c729a66a43ee3decb923ea4becf3625104fd519782bea091fa17e05840d7ff5caeb8c1ad04fa034feffeee931ca44912ea06362ca55c5b18

Download Submit
C:\Users\Admin\AppData\Roaming\Avto\xiaw.exe

Filesize
323KB

MD5
9c8ae9da65cfa40f587e55320977863b

SHA1
2ee4b03527ef41e73f2c2c598f17d28e1ca968b5

SHA256
a0e584e18a7014a5fa1807390cf854cd871604fcb2f957493c347024dacb4059

SHA512
17098ac2e91fcba4c729a66a43ee3decb923ea4becf3625104fd519782bea091fa17e05840d7ff5caeb8c1ad04fa034feffeee931ca44912ea06362ca55c5b18

Download Submit
C:\Users\Admin\AppData\Roaming\Avto\xiaw.exe

Filesize
323KB

MD5
9c8ae9da65cfa40f587e55320977863b

SHA1
2ee4b03527ef41e73f2c2c598f17d28e1ca968b5

SHA256
a0e584e18a7014a5fa1807390cf854cd871604fcb2f957493c347024dacb4059

SHA512
17098ac2e91fcba4c729a66a43ee3decb923ea4becf3625104fd519782bea091fa17e05840d7ff5caeb8c1ad04fa034feffeee931ca44912ea06362ca55c5b18

Download Submit
\Users\Admin\AppData\Roaming\Avto\xiaw.exe

Filesize
323KB

MD5
9c8ae9da65cfa40f587e55320977863b

SHA1
2ee4b03527ef41e73f2c2c598f17d28e1ca968b5

SHA256
a0e584e18a7014a5fa1807390cf854cd871604fcb2f957493c347024dacb4059

SHA512
17098ac2e91fcba4c729a66a43ee3decb923ea4becf3625104fd519782bea091fa17e05840d7ff5caeb8c1ad04fa034feffeee931ca44912ea06362ca55c5b18

Download Submit
\Users\Admin\AppData\Roaming\Avto\xiaw.exe

Filesize
323KB

MD5
9c8ae9da65cfa40f587e55320977863b

SHA1
2ee4b03527ef41e73f2c2c598f17d28e1ca968b5

SHA256
a0e584e18a7014a5fa1807390cf854cd871604fcb2f957493c347024dacb4059

SHA512
17098ac2e91fcba4c729a66a43ee3decb923ea4becf3625104fd519782bea091fa17e05840d7ff5caeb8c1ad04fa034feffeee931ca44912ea06362ca55c5b18

Download Submit
memory/692-61-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/692-70-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/692-64-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/692-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/692-59-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/692-101-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/692-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/692-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/692-71-0x0000000000370000-0x00000000003C5000-memory.dmp

Filesize
340KB

Download
memory/912-108-0x00000000000F0000-0x0000000000134000-memory.dmp

Filesize
272KB

Download
memory/1112-88-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/1112-89-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/1112-90-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/1112-91-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/1172-95-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1172-94-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1172-96-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1172-97-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1204-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1212-102-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1212-104-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1212-103-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1212-105-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1688-65-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1688-54-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1748-84-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1748-72-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download