6326d5f602bbbe6dc0216bcb429f0e4ae7ca61ecac1f60734003a78e27d256be

Analysis

max time kernel
140s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 14:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6326d5f602bbbe6dc0216bcb429f0e4ae7ca61ecac1f60734003a78e27d256be.exe
Size

229KB
MD5

23601ecaf49849691521c43445c66ba0
SHA1

b3ad45a4dbe5c5ca1a31ab9210a523d47ad69f78
SHA256

6326d5f602bbbe6dc0216bcb429f0e4ae7ca61ecac1f60734003a78e27d256be
SHA512

c0f863c6ee6e2a8e3035091deefcca9302d1513d13b579a0d61fffc495b18a4b57dcbae928971624258f79e8d3363168cb02e8194814ccc31c1b6c3511e838b7
SSDEEP

6144:K8pQdcDR/t/B5bf77VIe1yKtmvG+6TzdenYg:KYUcDlt/B537qTGv+UenYg

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4824 set thread context of 2360	4824	6326d5f602bbbe6dc0216bcb429f0e4ae7ca61ecac1f60734003a78e27d256be.exe	80
PID 4824 set thread context of 2360	4824	6326d5f602bbbe6dc0216bcb429f0e4ae7ca61ecac1f60734003a78e27d256be.exe	80

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	6326d5f602bbbe6dc0216bcb429f0e4ae7ca61ecac1f60734003a78e27d256be.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4824	6326d5f602bbbe6dc0216bcb429f0e4ae7ca61ecac1f60734003a78e27d256be.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 2360	4824	6326d5f602bbbe6dc0216bcb429f0e4ae7ca61ecac1f60734003a78e27d256be.exe	80
PID 4824 wrote to memory of 2360	4824	6326d5f602bbbe6dc0216bcb429f0e4ae7ca61ecac1f60734003a78e27d256be.exe	80
PID 4824 wrote to memory of 2360	4824	6326d5f602bbbe6dc0216bcb429f0e4ae7ca61ecac1f60734003a78e27d256be.exe	80

C:\Users\Admin\AppData\Local\Temp\6326d5f602bbbe6dc0216bcb429f0e4ae7ca61ecac1f60734003a78e27d256be.exe
"C:\Users\Admin\AppData\Local\Temp\6326d5f602bbbe6dc0216bcb429f0e4ae7ca61ecac1f60734003a78e27d256be.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\6326d5f602bbbe6dc0216bcb429f0e4ae7ca61ecac1f60734003a78e27d256be.exe
  "C:\Users\Admin\AppData\Local\Temp\6326d5f602bbbe6dc0216bcb429f0e4ae7ca61ecac1f60734003a78e27d256be.exe"
  2⤵
  - Enumerates system info in registry
  PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2360-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2360-136-0x00000000020B0000-0x00000000020DD000-memory.dmp

Filesize
180KB

Download
memory/4824-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4824-134-0x0000000000760000-0x000000000078D000-memory.dmp

Filesize
180KB

Download
memory/4824-137-0x0000000000760000-0x000000000078D000-memory.dmp

Filesize
180KB

Download