ef62a9245b503fd759e9d4c6f4edd3be1cc3cde1353373c1a3383244a8e883b6

Analysis

max time kernel
128s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2023, 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef62a9245b503fd759e9d4c6f4edd3be1cc3cde1353373c1a3383244a8e883b6.exe
Size

4.4MB
MD5

14818b3e36777c8720774fa0f379b91d
SHA1

2025e5bf2f39d4c50af472be033c20922568a11c
SHA256

ef62a9245b503fd759e9d4c6f4edd3be1cc3cde1353373c1a3383244a8e883b6
SHA512

413b6293f0cac52b2496604f30ace19600d730e3ec45f9d4c898ad89e78ed9be37a8c18188242b34f1d0cf3e779a09fdffd60c925e52ac4eaadeafaaa2f05758
SSDEEP

98304:b46m3lOTN+F/VmxNhHQ849d15jLWdWyYC2yOMnIcDC:b46lN+ZVmxNhk1FWjYVPMnId

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4636	regid.1991-06.com.microsoftSoftwareDistribution-Type8.2.0.2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regid.1991-06.com.microsoftSoftwareDistribution-Type8.2.0.2 = "C:\\ProgramData\\regid.1991-06.com.microsoftSoftwareDistribution-Type8.2.0.2\\regid.1991-06.com.microsoftSoftwareDistribution-Type8.2.0.2.exe"	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3768 set thread context of 4788	3768	ef62a9245b503fd759e9d4c6f4edd3be1cc3cde1353373c1a3383244a8e883b6.exe	90

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 4788	3768	ef62a9245b503fd759e9d4c6f4edd3be1cc3cde1353373c1a3383244a8e883b6.exe	90
PID 3768 wrote to memory of 4788	3768	ef62a9245b503fd759e9d4c6f4edd3be1cc3cde1353373c1a3383244a8e883b6.exe	90
PID 3768 wrote to memory of 4788	3768	ef62a9245b503fd759e9d4c6f4edd3be1cc3cde1353373c1a3383244a8e883b6.exe	90
PID 3768 wrote to memory of 4788	3768	ef62a9245b503fd759e9d4c6f4edd3be1cc3cde1353373c1a3383244a8e883b6.exe	90
PID 3768 wrote to memory of 4788	3768	ef62a9245b503fd759e9d4c6f4edd3be1cc3cde1353373c1a3383244a8e883b6.exe	90
PID 4788 wrote to memory of 4636	4788	AppLaunch.exe	105
PID 4788 wrote to memory of 4636	4788	AppLaunch.exe	105

C:\Users\Admin\AppData\Local\Temp\ef62a9245b503fd759e9d4c6f4edd3be1cc3cde1353373c1a3383244a8e883b6.exe
"C:\Users\Admin\AppData\Local\Temp\ef62a9245b503fd759e9d4c6f4edd3be1cc3cde1353373c1a3383244a8e883b6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-Type8.2.0.2\regid.1991-06.com.microsoftSoftwareDistribution-Type8.2.0.2.exe
    "C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-Type8.2.0.2\regid.1991-06.com.microsoftSoftwareDistribution-Type8.2.0.2.exe"
    3⤵
    - Executes dropped EXE
    PID:4636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-Type8.2.0.2\regid.1991-06.com.microsoftSoftwareDistribution-Type8.2.0.2.exe

Filesize
541.6MB

MD5
2722607cc1a677d4a067929e9bb553c1

SHA1
8fc1401217c472505604bb6f8621589922491e32

SHA256
8308090c8e01852801b708fec6ccddcc7548634597444fe88afadb54757ee601

SHA512
6408ed82b26a369086b1b1e3c9d3fbb946528118df77a4a2a7f750c03b5db1dd57da8b54839c830838cba4198e92b09bc8570ea3e0f8e65d57b6fe102f4ca719

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-Type8.2.0.2\regid.1991-06.com.microsoftSoftwareDistribution-Type8.2.0.2.exe

Filesize
522.0MB

MD5
cc2d2687d8a076c1c7ce84ca5038d570

SHA1
e4dcab4a6ee5f393f40e12e807f19684eb010fb7

SHA256
b092c6050248cbffb9f6ad92b873fdd7e3895c7432cd03d206b7ffa6376f7274

SHA512
b490711d956c2b3313e9817a26d1153d289daf1f0ae7c0ec4b17dd7679cb738367e357a087017cfb84b48375b09dd5d0912f84af46f0feeeb6f5738e124dd215

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-Type8.2.0.2\regid.1991-06.com.microsoftSoftwareDistribution-Type8.2.0.2.exe

Filesize
457.0MB

MD5
647729ea9a882c105026b5d10c98db25

SHA1
26da3befa3f852b634cc27cf4378f3c8627a0a89

SHA256
74096bf41577a230a44fcbdcbcf3296c40fc6fb3e4aa642a2c6f7d30d5b76df0

SHA512
754210dbdbed39465114015bbdb8558736036e72f6aa27b03aff11b313148e50147166b77d0458d225b8e6b482977017f5278d7ca867cd21e456934a4dec0942

Download Submit
memory/4788-134-0x0000000000D30000-0x000000000118C000-memory.dmp

Filesize
4.4MB

Download
memory/4788-139-0x0000000005890000-0x0000000005E34000-memory.dmp

Filesize
5.6MB

Download
memory/4788-140-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/4788-141-0x00000000051F0000-0x00000000051FA000-memory.dmp

Filesize
40KB

Download
memory/4788-142-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4788-143-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4788-144-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4788-145-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download