a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5

Analysis

max time kernel
151s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5.exe
Size

801KB
MD5

bfd3e95a60688fe62f5ce9736d8e2e02
SHA1

c5139f27ddac2c320ec2fb37942ae2bff5039834
SHA256

a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5
SHA512

1d2b7e31446a2bc42a3e88dac4e129b50e4bc2ddd2a4c524bee7a7502c9a1faf16a99cda092bbbaeb11352f765b93449d065ce71fda100f3230d2737e20caf79
SSDEEP

12288:DnJH4bB927MD9tJ9BaZS3ExLVGaBFHk+s/i6WzLVFssV3mj7Ktwe2HdBS8r06s9s:1y+Mzr8QGZBB9Ci6at0nBvKRs

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4424	svchost.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}	a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}\StubPath = "C:\\Windows\\svchost.exe"	a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\2.bat	a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5.exe
File opened for modification	C:\Windows\2.bat	a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5.exe
File created	C:\Windows\log.txt	svchost.exe
File opened for modification	C:\Windows\log.txt	svchost.exe
File created	C:\Windows\1.bat	svchost.exe
File opened for modification	C:\Windows\1.bat	svchost.exe
File created	C:\Windows\svchost.exe	a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4424	svchost.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 4424	4032	a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5.exe	81
PID 4032 wrote to memory of 4424	4032	a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5.exe	81
PID 4032 wrote to memory of 4424	4032	a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5.exe	81
PID 4032 wrote to memory of 4832	4032	a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5.exe	82
PID 4032 wrote to memory of 4832	4032	a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5.exe	82
PID 4032 wrote to memory of 4832	4032	a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5.exe	82
PID 4424 wrote to memory of 2676	4424	svchost.exe	92
PID 4424 wrote to memory of 2676	4424	svchost.exe	92
PID 4424 wrote to memory of 2676	4424	svchost.exe	92
PID 2676 wrote to memory of 2120	2676	cmd.exe	94
PID 2676 wrote to memory of 2120	2676	cmd.exe	94
PID 2676 wrote to memory of 2120	2676	cmd.exe	94
PID 2120 wrote to memory of 4388	2120	net.exe	95
PID 2120 wrote to memory of 4388	2120	net.exe	95
PID 2120 wrote to memory of 4388	2120	net.exe	95
PID 2676 wrote to memory of 3160	2676	cmd.exe	96
PID 2676 wrote to memory of 3160	2676	cmd.exe	96
PID 2676 wrote to memory of 3160	2676	cmd.exe	96
PID 2676 wrote to memory of 4836	2676	cmd.exe	97
PID 2676 wrote to memory of 4836	2676	cmd.exe	97
PID 2676 wrote to memory of 4836	2676	cmd.exe	97
PID 4836 wrote to memory of 1876	4836	net.exe	98
PID 4836 wrote to memory of 1876	4836	net.exe	98
PID 4836 wrote to memory of 1876	4836	net.exe	98
PID 4424 wrote to memory of 2564	4424	svchost.exe	99
PID 4424 wrote to memory of 2564	4424	svchost.exe	99
PID 4424 wrote to memory of 2564	4424	svchost.exe	99
PID 2564 wrote to memory of 1020	2564	cmd.exe	101
PID 2564 wrote to memory of 1020	2564	cmd.exe	101
PID 2564 wrote to memory of 1020	2564	cmd.exe	101
PID 1020 wrote to memory of 4884	1020	net.exe	102
PID 1020 wrote to memory of 4884	1020	net.exe	102
PID 1020 wrote to memory of 4884	1020	net.exe	102
PID 2564 wrote to memory of 1588	2564	cmd.exe	103
PID 2564 wrote to memory of 1588	2564	cmd.exe	103
PID 2564 wrote to memory of 1588	2564	cmd.exe	103
PID 2564 wrote to memory of 2232	2564	cmd.exe	104
PID 2564 wrote to memory of 2232	2564	cmd.exe	104
PID 2564 wrote to memory of 2232	2564	cmd.exe	104
PID 2232 wrote to memory of 2092	2232	net.exe	105
PID 2232 wrote to memory of 2092	2232	net.exe	105
PID 2232 wrote to memory of 2092	2232	net.exe	105

C:\Users\Admin\AppData\Local\Temp\a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5.exe
"C:\Users\Admin\AppData\Local\Temp\a85d3b29e6276abc445e0b55e8f61db26b4fd3a011e4f2f80024ebd6f17543b5.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\net.exe
      net stop sharedaccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        
        PID:4388
  - - C:\Windows\SysWOW64\ftp.exe
      ftp -s:ftp.txt
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\net.exe
      net start sharedaccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start sharedaccess
        5⤵
        
        PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\net.exe
      net stop sharedaccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        
        PID:4884
  - - C:\Windows\SysWOW64\ftp.exe
      ftp -s:ftp.txt
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\net.exe
      net start sharedaccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start sharedaccess
        5⤵
        
        PID:2092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\2.bat
  2⤵
  PID:4832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ftp.txt

Filesize
98B

MD5
a5448cae961e4ece06166cdcf4474fdc

SHA1
540d8d755c42c7a122798e425856f10d2fcb5864

SHA256
1d7420068d438d8338af53ae9683e48696d5130eca86e57edb676dafde3a7f1f

SHA512
aeb49ee88bcc7c2015289e373e7b6c1d9fdafee353d274da2a8e1a176741125d60f85ce85bd5dbb882ca468d310737c87b1d7dfa6b66276e4c454b740a543937

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftp.txt

Filesize
98B

MD5
ce7e313a80d5c9b3b696412ba4dccd60

SHA1
8be03f49d248c885e54d37c4fb3b6812972f9bb6

SHA256
86415099ce061e5bd6efff5c22ab590a2f122836b93711ea2065d3e2ebdbc7ae

SHA512
13056a7f920d83fbf92b580b6d35f3c4b8b4940a02de98a7ff9e81883ef07a3a0921b7111706436049957bff169e4bf1ebbed961175ccd0122ac498deab51f1d

Download Submit
C:\Windows\1.bat

Filesize
341B

MD5
39fac996a3390e7d91d1bb6c6b720429

SHA1
683cc54dd4b54c47905d3361c8a9ae15f0b1147a

SHA256
a984e82df55ce73b132c852cf7613caf193a217ba86959a90c3bc133ea38b9a5

SHA512
3a8df16141a85644335d50b727eeb32547414d7d0d47c25116b616501cdcf3318a354c6536497bc0855ba67cd92b54c44fda6e654767eaa288b21c5e3656057c

Download Submit
C:\Windows\1.bat

Filesize
341B

MD5
69136fc711a407eb62928524ceb6a632

SHA1
8445d29c51e6566c6192f4da7a4d3b5ac36cb2af

SHA256
4040e58d400557368be86902ffe3f67c70145f95b0df11e8caaa0ddab7d896bc

SHA512
8fa4394f0eec4a35597bdd445c472212f44519efaa443609b33244ca7f475fe92ca4001e00ee193cede66df8e4b57c1414938d5a353bc2f7abd98e024f4e4f84

Download Submit
C:\Windows\2.bat

Filesize
246B

MD5
561f44a040ce2d3fbdbb2ced19258b60

SHA1
308e39b82c3af05f21091eafff009d8d8964c0ec

SHA256
c61ae338e066ade7ee93db927914d8b0e925255f3f9a1ab253286ba17a5a379f

SHA512
b863ec1add2c032dbbff8594d63ad15e06521749b3988b035ed2e1745ad983f619ac74076ece07a404152aec481f492f8f13259fc34346c8fc7bdf90e2eefd1f

Download Submit
C:\Windows\svchost.exe

Filesize
365KB

MD5
4a5ee1bcc232936d9fda6a7d32c99beb

SHA1
171cc3b399c9a39852ea82f0ee53c5f4f0aaed72

SHA256
e71bc15925ba6a0b21b9d1089ec7a6bc07472c0867310c18c70aba53f32418b3

SHA512
352ef9ff8bede4b5f41be7abcfd79a8a47adac0845ead593f900ebddfab4f3725317bea0ef31039f5ba75a8cb8942ebd2e8ad9b2629b8bce872359744604da27

Download Submit
C:\Windows\svchost.exe

Filesize
365KB

MD5
4a5ee1bcc232936d9fda6a7d32c99beb

SHA1
171cc3b399c9a39852ea82f0ee53c5f4f0aaed72

SHA256
e71bc15925ba6a0b21b9d1089ec7a6bc07472c0867310c18c70aba53f32418b3

SHA512
352ef9ff8bede4b5f41be7abcfd79a8a47adac0845ead593f900ebddfab4f3725317bea0ef31039f5ba75a8cb8942ebd2e8ad9b2629b8bce872359744604da27

Download Submit
memory/1020-149-0x0000000000000000-mapping.dmp

Download
memory/1588-151-0x0000000000000000-mapping.dmp

Download
memory/1876-146-0x0000000000000000-mapping.dmp

Download
memory/2092-154-0x0000000000000000-mapping.dmp

Download
memory/2120-141-0x0000000000000000-mapping.dmp

Download
memory/2232-153-0x0000000000000000-mapping.dmp

Download
memory/2564-147-0x0000000000000000-mapping.dmp

Download
memory/2676-139-0x0000000000000000-mapping.dmp

Download
memory/3160-143-0x0000000000000000-mapping.dmp

Download
memory/4032-137-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4032-133-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4388-142-0x0000000000000000-mapping.dmp

Download
memory/4424-132-0x0000000000000000-mapping.dmp

Download
memory/4832-136-0x0000000000000000-mapping.dmp

Download
memory/4836-145-0x0000000000000000-mapping.dmp

Download
memory/4884-150-0x0000000000000000-mapping.dmp

Download