96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775

Analysis

max time kernel
3s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe
Size

48KB
MD5

36ab8582c815d4a36056e5097de105e7
SHA1

7373be2838c6fe129ad93c3f20976c7767fa5715
SHA256

96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775
SHA512

5767835bb50bb17a0a2b1f78f5997d36c2adc55872972ecaf1c40cc739df084cc5f1434fdd4337183629b921eec831064a11c38617ad60c23415f7162cd7941e
SSDEEP

768:fOFT4hx6/jEQgkTwQVWyK4SFJG7z9b1mIdoCFMA6cRVPAHkfShlw4D33vNE:fDxO+kTwQVCGf9bsd/Q8Hdvw4T+

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.Npfs\ImagePath = "\\*"	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$NtUninstallKB3383$\2091772345	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe
File opened for modification	C:\Windows\$NtUninstallKB3383$\:SummaryInformation	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2028	1152	WerFault.exe	22

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$NtUninstallKB3383$\:SummaryInformation	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1152	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe
1152	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe
1152	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe
1152	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1152	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1152	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe
1152	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe
Token: 35	1152	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2028	1152	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe	28
PID 1152 wrote to memory of 2028	1152	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe	28
PID 1152 wrote to memory of 2028	1152	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe	28
PID 1152 wrote to memory of 2028	1152	96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe	28

C:\Users\Admin\AppData\Local\Temp\96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe
"C:\Users\Admin\AppData\Local\Temp\96b77c74776ce80dde1bfabdbb67723ccf770efca58e7c6acddaa67ca11e6775.exe"
1⤵
- Sets service image path in registry
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 64
  2⤵
  - Program crash
  PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-55-0x0000000000400000-0x000000000040C3C0-memory.dmp

Filesize
48KB

Download