eb9092144aef8760be5d632c006dd801d06247c0e71deb051e74920916eb6055

Analysis

max time kernel
38s
max time network
139s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb9092144aef8760be5d632c006dd801d06247c0e71deb051e74920916eb6055.exe
Size

667KB
MD5

184df78faee941f344c53b8230955567
SHA1

6b376c136ebbcac85b8ee7d3cd38661ffd1d7039
SHA256

eb9092144aef8760be5d632c006dd801d06247c0e71deb051e74920916eb6055
SHA512

6f247ed19291956c490c71f128e8aa128b350a204fe683a1b0767c89ee94e1fcb77abe0929b0b8ac99f82efb418e0882a34cda0218a74ed4fcef097846ad6325
SSDEEP

12288:PRpCPTbOwWRAEJhq78fc7LMoPcbafYY/zgB7bpgmhquTyD4:PqOw2Auq78f6CagTBHe1Ay

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

eb9092144aef8760be5d632c006dd801d06247c0e71deb051e74920916eb6055.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinInet = "C:\\WINDOWS\\system\\winlogon.exe"	eb9092144aef8760be5d632c006dd801d06247c0e71deb051e74920916eb6055.exe

Drops file in Windows directory 2 IoCs

Processes:

eb9092144aef8760be5d632c006dd801d06247c0e71deb051e74920916eb6055.exe

description	ioc	process
File opened for modification	C:\WINDOWS\system\winlogon.exe	eb9092144aef8760be5d632c006dd801d06247c0e71deb051e74920916eb6055.exe
File created	C:\WINDOWS\system\winlogon.exe	eb9092144aef8760be5d632c006dd801d06247c0e71deb051e74920916eb6055.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

eb9092144aef8760be5d632c006dd801d06247c0e71deb051e74920916eb6055.exe

pid process

1076 eb9092144aef8760be5d632c006dd801d06247c0e71deb051e74920916eb6055.exe

pid	process
1076	eb9092144aef8760be5d632c006dd801d06247c0e71deb051e74920916eb6055.exe

C:\Users\Admin\AppData\Local\Temp\eb9092144aef8760be5d632c006dd801d06247c0e71deb051e74920916eb6055.exe
"C:\Users\Admin\AppData\Local\Temp\eb9092144aef8760be5d632c006dd801d06247c0e71deb051e74920916eb6055.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1076-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download