e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e

Analysis

max time kernel
91s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe
Size

431KB
MD5

d0555892523bc2949373e803ed1f1703
SHA1

e1e5d5e0440359315dc9e69ee3e3df2dde6af30f
SHA256

e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e
SHA512

ec071314b4a902fd31060d19d010d19f7f0099788988e069230f758f55d8ccc7c55aca819492d7504c7a12adafe697d25170e16a27c3a96360dc8bf9d5c8568a
SSDEEP

12288:xCDebz10dvYQZ45LhjSJhEyOo1hUF3V8C+guFythEeZArV:9W/m5LQJIo4rgguq7qrV

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3496	SHOCKW~1.EXE
5116	SHOCKW~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3496 set thread context of 5116	3496	SHOCKW~1.EXE	82

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3496	SHOCKW~1.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 3496	4376	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe	81
PID 4376 wrote to memory of 3496	4376	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe	81
PID 4376 wrote to memory of 3496	4376	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe	81
PID 3496 wrote to memory of 5116	3496	SHOCKW~1.EXE	82
PID 3496 wrote to memory of 5116	3496	SHOCKW~1.EXE	82
PID 3496 wrote to memory of 5116	3496	SHOCKW~1.EXE	82
PID 3496 wrote to memory of 5116	3496	SHOCKW~1.EXE	82
PID 3496 wrote to memory of 5116	3496	SHOCKW~1.EXE	82
PID 3496 wrote to memory of 5116	3496	SHOCKW~1.EXE	82
PID 3496 wrote to memory of 5116	3496	SHOCKW~1.EXE	82
PID 3496 wrote to memory of 5116	3496	SHOCKW~1.EXE	82
PID 3496 wrote to memory of 5116	3496	SHOCKW~1.EXE	82

C:\Users\Admin\AppData\Local\Temp\e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe
"C:\Users\Admin\AppData\Local\Temp\e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE
    3⤵
    - Executes dropped EXE
    PID:5116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
588KB

MD5
93f0b71bd3f91b0aaa25d9ce79788470

SHA1
72612fb6047ee5fc250dd530d8ce8a76a1e690ec

SHA256
39915da99366fa52659211a8e793486859e034763a6ac7c48936d1c1c6da8aeb

SHA512
d0015ef597fc669a1855d14ee4d592b24bf7538d98efc2c18cb418bc3c7e8543edee4d5b8f1b3ae115a7bc2497f1fd32e48858958214e62513d4e7cbceb9d2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
588KB

MD5
93f0b71bd3f91b0aaa25d9ce79788470

SHA1
72612fb6047ee5fc250dd530d8ce8a76a1e690ec

SHA256
39915da99366fa52659211a8e793486859e034763a6ac7c48936d1c1c6da8aeb

SHA512
d0015ef597fc669a1855d14ee4d592b24bf7538d98efc2c18cb418bc3c7e8543edee4d5b8f1b3ae115a7bc2497f1fd32e48858958214e62513d4e7cbceb9d2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
588KB

MD5
93f0b71bd3f91b0aaa25d9ce79788470

SHA1
72612fb6047ee5fc250dd530d8ce8a76a1e690ec

SHA256
39915da99366fa52659211a8e793486859e034763a6ac7c48936d1c1c6da8aeb

SHA512
d0015ef597fc669a1855d14ee4d592b24bf7538d98efc2c18cb418bc3c7e8543edee4d5b8f1b3ae115a7bc2497f1fd32e48858958214e62513d4e7cbceb9d2cd

Download Submit
memory/3496-135-0x0000000000000000-mapping.dmp

Download
memory/4376-132-0x0000000001000000-0x00000000010E5F87-memory.dmp

Filesize
919KB

Download
memory/4376-133-0x0000000001000000-0x00000000010E5F87-memory.dmp

Filesize
919KB

Download
memory/4376-140-0x0000000001000000-0x00000000010E5F87-memory.dmp

Filesize
919KB

Download
memory/4376-147-0x0000000001000000-0x00000000010E5F87-memory.dmp

Filesize
919KB

Download
memory/5116-141-0x0000000000000000-mapping.dmp

Download
memory/5116-142-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5116-145-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5116-148-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download