95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916

Analysis

max time kernel
171s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe
Size

22KB
MD5

8f4a5862ea24615252f45eb6daedbf33
SHA1

7d37c349a08f3f7bd5eee0db8f4025e5aedd8d8d
SHA256

95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916
SHA512

7ceb9d0f4e1d5b19254541a678162e0f70b8913eda265620bbfc5a464c9c0bb77298c311a1f8b072b5d2554e1831458a17fda4d93143968db028fc6fa9729225
SSDEEP

384:NiydPE1ajURrCgjmhMfy72wUVA1GfjJqcAh2EEYuHAMM4TY0sN7NupgTKpBEzs4g:NiydPE1ajURmgjmhMfyDUuuIEYqDPTL/

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2800	95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\common = "C:\\Users\\Admin\\AppData\\Local\\Temp\\95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe"	95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\common = "C:\\Program Files (x86)\\Common Files\\95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe"	95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe	95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe
File opened for modification	C:\Program Files (x86)\Common Files\95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe	95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2800	1532	95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe	90
PID 1532 wrote to memory of 2800	1532	95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe	90
PID 1532 wrote to memory of 2800	1532	95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe	90

C:\Users\Admin\AppData\Local\Temp\95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe
"C:\Users\Admin\AppData\Local\Temp\95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Program Files (x86)\Common Files\95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe
  "C:\Program Files (x86)\Common Files\95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe" C:\Users\Admin\AppData\Local\Temp\95CEFB~1.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe

Filesize
22KB

MD5
8f4a5862ea24615252f45eb6daedbf33

SHA1
7d37c349a08f3f7bd5eee0db8f4025e5aedd8d8d

SHA256
95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916

SHA512
7ceb9d0f4e1d5b19254541a678162e0f70b8913eda265620bbfc5a464c9c0bb77298c311a1f8b072b5d2554e1831458a17fda4d93143968db028fc6fa9729225

Download Submit
C:\Program Files (x86)\Common Files\95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916.exe

Filesize
22KB

MD5
8f4a5862ea24615252f45eb6daedbf33

SHA1
7d37c349a08f3f7bd5eee0db8f4025e5aedd8d8d

SHA256
95cefb435c46eb90399ae8ff35843ef459b9bf4296f3a9f89f2b813c96e43916

SHA512
7ceb9d0f4e1d5b19254541a678162e0f70b8913eda265620bbfc5a464c9c0bb77298c311a1f8b072b5d2554e1831458a17fda4d93143968db028fc6fa9729225

Download Submit
memory/2800-132-0x0000000000000000-mapping.dmp

Download