97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0

Analysis

max time kernel
136s
max time network
93s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe
Size

406KB
MD5

c08673f7e77cd6df0429280a371441d7
SHA1

0ca657c5ad3ba4f7d6f125cc3add7060c6347952
SHA256

97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0
SHA512

24919df9645962c0c6c58129b93ba20b37d39071176347837261616bd41337a2e1da0b3306af9f4a6bd3021be7002b3e40f9b7542941fb36ecbc762dbf7cd333
SSDEEP

3072:0wzE3HTgKEB/pMN1m1BxpbKdHFj9TiZHgCITUhoTRo7BZcOe4Sm3o+9Amwku5SUC:hE3zgJRpMutbqMHgCayne4SkQ

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "ÄIJKLMNOPQRSTUVWXYZ{\|}~\x7f€\u0081‚ƒ„…†‡ˆ‰Š‹Œ\u008dŽ\u008f\u0090‘’“”•–—˜™Š›Œ\u009dŽŸ\u00a0¡¢£¤¥¦§¨©ª«¬\u00ad®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ \x01\x02\x03\x04\x05\x06\a\b\t\n\v\f\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'\x0e"	97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update = "ÄIJKLMNOPQRSTUVWXYZ{\|}~\x7f€\u0081‚ƒ„…†‡ˆ‰Š‹Œ\u008dŽ\u008f\u0090‘’“”•–—˜™Š›Œ\u009dŽŸ\u00a0¡¢£¤¥¦§¨©ª«¬\u00ad®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ \x01\x02\x03\x04\x05\x06\a\b\t\n\v\f\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'\x0e"	97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "ÄIJKLMNOPQRSTUVWXYZ{\|}~\x7f€\u0081‚ƒ„…†‡ˆ‰Š‹Œ\u008dŽ\u008f\u0090‘’“”•–—˜™Š›Œ\u009dŽŸ\u00a0¡¢£¤¥¦§¨©ª«¬\u00ad®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ \x01\x02\x03\x04\x05\x06\a\b\t\n\v\f\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'\x0e"	97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system.exe	97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\# ::1 localhost	97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1888	97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe
1888	97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe
1888	97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe
1888	97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe
1888	97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe

C:\Users\Admin\AppData\Local\Temp\97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe
"C:\Users\Admin\AppData\Local\Temp\97401f630fb8ae36927519a7691a8e78662722e3dfc120bfc1fbcabcdba017f0.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1888-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1888-55-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1888-56-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download