946e32491f8b03bfc4dd2d61448cc65943e56baa8758ee712d4adc9a2c37ab15

Analysis

max time kernel
43s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

946e32491f8b03bfc4dd2d61448cc65943e56baa8758ee712d4adc9a2c37ab15.exe
Size

228KB
MD5

c3fbcf793d296649266d03d5e4c7e3f2
SHA1

5537cde4a6bc4b0c26f3c45becb604d3e41de73e
SHA256

946e32491f8b03bfc4dd2d61448cc65943e56baa8758ee712d4adc9a2c37ab15
SHA512

e6d7b125479e5440862f4ea999d6e977fbab6982c241f5fc5747fb186a6321065e48804600dbb5c3848518fcd72cc2e59a00b844604e4e6e249610e2c4b9171a
SSDEEP

3072:me6SHjZSAf0BxqoY+XOKGTqp5dZ4T2dlJkT1Ddj4/j8oHxSj:AEjg0uzCKGGNZ4TEMhZw8sSj

Score

10^/10

persistence

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
Al3x4ndre44

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\946e32491f8b03bfc4dd2d61448cc65943e56baa8758ee712d4adc9a2c37ab15.exe = "C:\\Program Files\\Startup App\\"	946e32491f8b03bfc4dd2d61448cc65943e56baa8758ee712d4adc9a2c37ab15.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2024	946e32491f8b03bfc4dd2d61448cc65943e56baa8758ee712d4adc9a2c37ab15.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	946e32491f8b03bfc4dd2d61448cc65943e56baa8758ee712d4adc9a2c37ab15.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2024	946e32491f8b03bfc4dd2d61448cc65943e56baa8758ee712d4adc9a2c37ab15.exe

C:\Users\Admin\AppData\Local\Temp\946e32491f8b03bfc4dd2d61448cc65943e56baa8758ee712d4adc9a2c37ab15.exe
"C:\Users\Admin\AppData\Local\Temp\946e32491f8b03bfc4dd2d61448cc65943e56baa8758ee712d4adc9a2c37ab15.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2024-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2024-55-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-56-0x0000000000426000-0x0000000000437000-memory.dmp

Filesize
68KB

Download
memory/2024-57-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-58-0x0000000000426000-0x0000000000437000-memory.dmp

Filesize
68KB

Download