b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30

Analysis

max time kernel
373s
max time network
427s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 12:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe
Size

2.7MB
MD5

1082996e543b9f00f7841b2254be9a90
SHA1

cd6b9218318133960dd1d68b2b5f137c801b550c
SHA256

b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30
SHA512

1f08c033692e7e2cdc4d1c243c49644e145a08c9650db4b0ec8bb97c02a75cd92499f14e78f68e6816489f1fdfa205c6f303f00f1007e04d12bfa8a899a1a1a5
SSDEEP

24576:guerWCdX3zXJ4rjGWmQ6bWytyQjgFJFL6jnGtZjUWU84A0Tnt/72oAUA/JpWlGAx:gXFxbPARSy0TtTPAUA/JFXaS50Tvde6

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\system32\drivers\etc\hosts	b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remote = "C:\\Windows\\Remote.exe"	b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Remote.exe	b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe
File created	C:\Windows\winvnc.exe	b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe
File created	C:\Windows\ultravnc.ini	b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe
File created	C:\Windows\nvidiamanager.sys	b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe
File created	C:\Windows\hosts	b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe
File opened for modification	C:\Windows\hosts	b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe
File created	C:\Windows\Remote.exe	b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 1284	2704	b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe	82
PID 2704 wrote to memory of 1284	2704	b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe	82
PID 2704 wrote to memory of 1284	2704	b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe	82

C:\Users\Admin\AppData\Local\Temp\b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe
"C:\Users\Admin\AppData\Local\Temp\b0678c6aa59bb78d6953298520654bd7e61a70b1e526e1a98591802dbe49ea30.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c set > C:\set.txt
  2⤵
  PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2704-132-0x0000000000400000-0x00000000006AA000-memory.dmp

Filesize
2.7MB

Download
memory/2704-133-0x0000000000400000-0x00000000006AA000-memory.dmp

Filesize
2.7MB

Download