3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0

Analysis

max time kernel
150s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe
Size

200KB
MD5

1d3360c8ec2fb5d40e9fd8339f337d40
SHA1

88da67db93ce07bce2c082b99ac2d79579f9b27c
SHA256

3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0
SHA512

b7861938114c2d3a2275e7ac1750d61cd3b0bfa55b89b32fbcd894cddc5c1f7e8ed930b704ac95040bcd0e67323201835508059eb599e84c2213ca09811d2b4d
SSDEEP

6144:k00zTTCTee2f2cKpFynL/w6Nz40VCk0unquc6LdMjn:n0BKpUnTw6NziD

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D83C22-13DF-FC37-4D1D-15FBA363C062}	3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D83C22-13DF-FC37-4D1D-15FBA363C062}\stubpath = "%SystemRoot%\\system32\\V3Medic.exe"	3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\V3Medic.exe	3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe
File opened for modification	C:\Windows\SysWOW64\V3Medic.exe	3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3428	3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 4996	3428	3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe	84
PID 3428 wrote to memory of 4996	3428	3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe	84
PID 3428 wrote to memory of 4996	3428	3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe	84
PID 3428 wrote to memory of 4692	3428	3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe	97
PID 3428 wrote to memory of 4692	3428	3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe	97
PID 3428 wrote to memory of 4692	3428	3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe	97

C:\Users\Admin\AppData\Local\Temp\3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe
"C:\Users\Admin\AppData\Local\Temp\3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{C2D83C22-13DF-FC37-4D1D-15FBA363C062}" /f
  2⤵
  PID:4996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A9291~1.EXE > nul
  2⤵
  PID:4692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...