79d4f2be6bfed917dc0b722ae0244a4c75df9df16c2b06d0cfbc73afae3b0c70

Analysis

max time kernel
149s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2023, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79d4f2be6bfed917dc0b722ae0244a4c75df9df16c2b06d0cfbc73afae3b0c70.exe
Size

4.4MB
MD5

722c653a9ebc93cb1495cd1e7d0025a8
SHA1

7d1e59ec7723adc835730b497aaf8da70ca29a2e
SHA256

79d4f2be6bfed917dc0b722ae0244a4c75df9df16c2b06d0cfbc73afae3b0c70
SHA512

ad8ff02585d30a2316d4c65a11f8ea44e3ef12cb311ec7e17dc3ccdb08806b754cf004a8a185e91ae094b851fe65bb15258c17ab71e4ce435297bbc5c43b3d95
SSDEEP

98304:Y46m3lOTN+F/VmxNhHQ849d15jLWdWyYC2yOMnIcDC:Y46lN+ZVmxNhk1FWjYVPMnId

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1252	regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-Type0.1.9.8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-Type0.1.9.8 = "C:\\ProgramData\\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-Type0.1.9.8\\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-Type0.1.9.8.exe"	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3752 set thread context of 3688	3752	79d4f2be6bfed917dc0b722ae0244a4c75df9df16c2b06d0cfbc73afae3b0c70.exe	86

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 3688	3752	79d4f2be6bfed917dc0b722ae0244a4c75df9df16c2b06d0cfbc73afae3b0c70.exe	86
PID 3752 wrote to memory of 3688	3752	79d4f2be6bfed917dc0b722ae0244a4c75df9df16c2b06d0cfbc73afae3b0c70.exe	86
PID 3752 wrote to memory of 3688	3752	79d4f2be6bfed917dc0b722ae0244a4c75df9df16c2b06d0cfbc73afae3b0c70.exe	86
PID 3752 wrote to memory of 3688	3752	79d4f2be6bfed917dc0b722ae0244a4c75df9df16c2b06d0cfbc73afae3b0c70.exe	86
PID 3752 wrote to memory of 3688	3752	79d4f2be6bfed917dc0b722ae0244a4c75df9df16c2b06d0cfbc73afae3b0c70.exe	86
PID 3688 wrote to memory of 1252	3688	AppLaunch.exe	94
PID 3688 wrote to memory of 1252	3688	AppLaunch.exe	94

C:\Users\Admin\AppData\Local\Temp\79d4f2be6bfed917dc0b722ae0244a4c75df9df16c2b06d0cfbc73afae3b0c70.exe
"C:\Users\Admin\AppData\Local\Temp\79d4f2be6bfed917dc0b722ae0244a4c75df9df16c2b06d0cfbc73afae3b0c70.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\ProgramData\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-Type0.1.9.8\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-Type0.1.9.8.exe
    "C:\ProgramData\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-Type0.1.9.8\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-Type0.1.9.8.exe"
    3⤵
    - Executes dropped EXE
    PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-Type0.1.9.8\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-Type0.1.9.8.exe

Filesize
479.3MB

MD5
1b4f26a04a84d3204975ea770b055d28

SHA1
dd6706311877ee534be3c169cde6cfc96ee595a1

SHA256
d5d4f0f00b3bb5b026a04b11b4364fb4414cad310c6b31dc2c9fc219684a8887

SHA512
6fc496a3754f84bc968b06b56ddd93c579b945e3973f4d4d3de53e8f2c3f021156b9c01ef8c09343d463c0e07ceef27a391ea189855ca54ab347cb39d2fdbf85

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-Type0.1.9.8\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-Type0.1.9.8.exe

Filesize
423.2MB

MD5
f8085b050a6b987fe18ddd841f5b57d9

SHA1
e5da7081e2734b53398c443393efed7acb8ff2b1

SHA256
ff26ac6bb4446243c1e8c8923eaed20beb0e0f2ff501119a1d954672923f9a02

SHA512
b1fece3c3718d1b3d62868e059dc14f4e51220f8fbf5459a12b9f82371f66e7b534342cf9f3668f6985bd7feec787b00a8330994e9bad35edd74a5f1e6dc377e

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-Type0.1.9.8\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-Type0.1.9.8.exe

Filesize
502.7MB

MD5
a6c5a043454e685e259094bcd81320a6

SHA1
1f46c650b2834d0db4a3b830125914b626993198

SHA256
310b3fc6988e9c798759afe918b7e24b5b876e758404d519287cf00505045483

SHA512
73bd75642447c6a21caff83b6cea514ad978c9cdd56dc358c117ed7ae9e764712334082fbebffc151de14394c5da2bdebc1be98b0262239a941482936bfba574

Download Submit
memory/3688-134-0x0000000000700000-0x0000000000B5C000-memory.dmp

Filesize
4.4MB

Download
memory/3688-139-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download
memory/3688-140-0x0000000005110000-0x00000000051A2000-memory.dmp

Filesize
584KB

Download
memory/3688-141-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3688-142-0x00000000050E0000-0x00000000050EA000-memory.dmp

Filesize
40KB

Download
memory/3688-143-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3688-144-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3688-145-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download