de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084

Analysis

max time kernel
127s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084.exe
Size

39KB
MD5

01e7d31d138ff2042cd33edfc49309c0
SHA1

f5943837db53d811607dcb3b5de6df7848520602
SHA256

de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084
SHA512

3b965a964fe3f1eaa0fc8903a80ca8fe88de6b29a33a90dc820dc3181b26460a40be0c8f14cdded3aa37dc16214ae61a24811941c04dc1bd4ff983899982be34
SSDEEP

768:043Sx/WFl6UEDOasLmvWEKFV2FnFXCkLMeD5bmHjKS:04i4feUKKXen0YFyHO

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084.exe"	de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1452	de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1452	de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 584	1452	de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084.exe	25
PID 1452 wrote to memory of 2008	1452	de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084.exe	26
PID 1452 wrote to memory of 2008	1452	de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084.exe	26
PID 1452 wrote to memory of 2008	1452	de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084.exe	26
PID 1452 wrote to memory of 2008	1452	de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084.exe	26
PID 1452 wrote to memory of 2008	1452	de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084.exe	26

C:\Users\Admin\AppData\Local\Temp\de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084.exe
"C:\Users\Admin\AppData\Local\Temp\de88be691f8a97e7fbb468efd82334b45d791247dddfd51f2c0772b125f1a084.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" %1
  2⤵
  PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-60-0x00000000000F0000-0x00000000000F8000-memory.dmp

Filesize
32KB

Download
memory/1452-54-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1452-56-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1452-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1452-59-0x0000000002000000-0x0000000002017000-memory.dmp

Filesize
92KB

Download
memory/1452-58-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1452-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1452-63-0x0000000002000000-0x0000000002017000-memory.dmp

Filesize
92KB

Download