a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379

Analysis

max time kernel
402s
max time network
442s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe
Size

3.8MB
MD5

4873e1142fdd3d0a82e6b1a55f4b6aec
SHA1

6d487e39d62648e8b7b5d74ebcd1da8b9190a0cc
SHA256

a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379
SHA512

f70f62cb5945599b8cfba8fa876bb96f787575d18d816009b77e28b68f5e3dfd97843261df545363e9ee4a814dd3fef3dcda33871e7357a0daa0f83cef9afec9
SSDEEP

98304:4j/78ORh8OHoB/mW0oLH5FepMBfZoKM2seMw3R2e:4ToORvoxN0ozUMBeKM2seM+ke

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe
1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe
1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 4320	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	82
PID 1088 wrote to memory of 4320	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	82
PID 1088 wrote to memory of 4320	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	82
PID 1088 wrote to memory of 3556	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	83
PID 1088 wrote to memory of 3556	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	83
PID 1088 wrote to memory of 3556	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	83
PID 1088 wrote to memory of 2188	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	85
PID 1088 wrote to memory of 2188	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	85
PID 1088 wrote to memory of 2188	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	85
PID 1088 wrote to memory of 4940	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	87
PID 1088 wrote to memory of 4940	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	87
PID 1088 wrote to memory of 4940	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	87
PID 1088 wrote to memory of 2720	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	91
PID 1088 wrote to memory of 2720	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	91
PID 1088 wrote to memory of 2720	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	91
PID 1088 wrote to memory of 5032	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	90
PID 1088 wrote to memory of 5032	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	90
PID 1088 wrote to memory of 5032	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	90
PID 1088 wrote to memory of 3344	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	93
PID 1088 wrote to memory of 3344	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	93
PID 1088 wrote to memory of 3344	1088	a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe	93
PID 3556 wrote to memory of 4048	3556	net.exe	96
PID 3556 wrote to memory of 4048	3556	net.exe	96
PID 3556 wrote to memory of 4048	3556	net.exe	96
PID 4320 wrote to memory of 3936	4320	net.exe	97
PID 4320 wrote to memory of 3936	4320	net.exe	97
PID 4320 wrote to memory of 3936	4320	net.exe	97
PID 2188 wrote to memory of 2468	2188	cmd.exe	98
PID 2188 wrote to memory of 2468	2188	cmd.exe	98
PID 2188 wrote to memory of 2468	2188	cmd.exe	98
PID 2468 wrote to memory of 2852	2468	net.exe	99
PID 2468 wrote to memory of 2852	2468	net.exe	99
PID 2468 wrote to memory of 2852	2468	net.exe	99
PID 4940 wrote to memory of 1804	4940	cmd.exe	100
PID 4940 wrote to memory of 1804	4940	cmd.exe	100
PID 4940 wrote to memory of 1804	4940	cmd.exe	100
PID 5032 wrote to memory of 3136	5032	cmd.exe	101
PID 5032 wrote to memory of 3136	5032	cmd.exe	101
PID 5032 wrote to memory of 3136	5032	cmd.exe	101
PID 1804 wrote to memory of 5116	1804	net.exe	102
PID 1804 wrote to memory of 5116	1804	net.exe	102
PID 1804 wrote to memory of 5116	1804	net.exe	102
PID 3344 wrote to memory of 1920	3344	cmd.exe	103
PID 3344 wrote to memory of 1920	3344	cmd.exe	103
PID 3344 wrote to memory of 1920	3344	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe
"C:\Users\Admin\AppData\Local\Temp\a0f34541b754693065ed2347b0f1f2ad33a815ebf7661dee0f50ed7edc5ec379.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\net.exe
  net stop wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wscsvc
    3⤵
    PID:3936
- C:\Windows\SysWOW64\net.exe
  net stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\net.exe
    net stop "Security Center"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:5116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
    3⤵
    - Modifies security service
    PID:3136
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
  2⤵
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
    3⤵
    - Modifies security service
    PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads