2465292038537dbec604a8a9190376d62c28d9ec2efe1726af2f9e6f4a3b0287

Analysis

max time kernel
147s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2023 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

371KB
MD5

7beb08458c549d96b4e8faf13d85291e
SHA1

022ce3a19e0ee90e802793df14e3269b5aadb6c0
SHA256

2465292038537dbec604a8a9190376d62c28d9ec2efe1726af2f9e6f4a3b0287
SHA512

6bf7833e0e9008fd274a89c8ad531213a1e7180103f33749282c921a1b9f36f8661483092deb4c2fddd65f2116b939c7c21038ecbfe2cfb1bdc78307e91a07d2
SSDEEP

6144:+1+LrUmN2pf1eHdUtqxhzIdOxtkTy+QzcZIINaBhhFA8SaDrDc4XpfnnnYki34P/:+5Cgqxhkcxt27QzUIvo8s2bSCi

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

tmp.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.exe	tmp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.exe	tmp.exe

Modifies registry class 7 IoCs

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CID\{62007300-4D00-7900-4200-320067005A00}	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CID	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CID\{62007300-4D00-7900-4200-320067005A00}\1 = "TQzAh1gWMgqB7Zn+2eF1OnLf4sjt8saCEXgtPkfnqpEqXVL7e2FWfIZqd6DvjHLBpsgMZOuY+JpJXfBdEatg/xvNiMAjn+P8uAqhNIyit488bt2VI3gjgSOEf9y7TfwCO8EID/dmYwSUcYr54nZ+6Kz6ktqk36heeNHbqzZdwFCVZb4ybR/vqf7rJ+vHAgi0v7N0wBwZ0+oR4jjYxo5p354uLGzN9jOTnANf1wyEIMITZpq8bhHiYQndmJa7gteZ9ss2R7z+Kyf0fE8T6iLh3jAnxXMJg/JTIQe1XPh9tpi8VTMt2Oed1ZabB+5Dqj6FvPm3OyanaPHJ29huYaxHYrw1TsUXVBia9lk7pSJ6JjXCkZu58v3GMBLqKx34HNr5j7MaOYA9yyXPEeIpDS9l8GRtZcnG1SYiEDA1/ErSdRIUXiljAGQ5NOCQb3T3i/Bjo3IO5GFmWx8jMz/03MWXoA=="	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CID\{78004100-6D00-4B00-6A00-720046003200}	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CID\{78004100-6D00-4B00-6A00-720046003200}\1 = "47KLggdnSyAXMhoSM1Bl+LAdVVvCen97Si7lVIvaQ6w+i7ANHFcuZzic1DdVzSllWXairWsgn5kMmR+f0v4dShSPfBiH4sm4b9BqNM6oxZWB+W0JNhGi1LqjjiQtJBMGlvo1fb6q9jNu+GLMe3YQRQs2L2uoELiaxj0E1ME1E0j/hahPatL+mgKXwhHACeXn"	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CID\{78004100-6D00-4B00-6A00-720046003200}\1 = "cY03Qpy/lV1XovN3/zoL5iPBf2fnA9BDWjheYyzTAx4Pu1bY7P/1Ls5Zpb5Nr6zA1dLyzc6og0ZFT+rXXVorBezDZ9+2q9d0TJSnt9mkYYGUNZJgUf4oih55lLcb30Ro1Ucy+Gyo0/8iGwMaojb0nOvA/WQn0H5926Vo3+Q63ogGuAIrBcqdIbQYzQ8gj+qG"	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CID\{78004100-6D00-4B00-6A00-720046003200}\1 = "3zhVxSAZEMvdSkWiNEjcXHqPS2CldGFRUeibG9jcPtg1ryhS+Qam/qzNB8/UcHeHUK62iI/zY1DXNy5937UbcPr/pj3p1mgDqsYduZc7chKK+aA8VnWWNoBbDZjhWdP6NU4j+/rw+fu9v8uDiXMEHXPscf1F6sElvbECxqohy80Gct08NW+I/kTgI/rKjeaK"	tmp.exe

NTFS ADS 3 IoCs

Processes:

tmp.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp:{62007300-4D00-7900-4200-320067005A00}	tmp.exe
File created	C:\Users\Admin\AppData\Local\Temp:{78004100-6D00-4B00-6A00-720046003200}	tmp.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp:{78004100-6D00-4B00-6A00-720046003200}	tmp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tmp.exe

pid process

868 tmp.exe
868 tmp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmp.exe

description pid process

Token: SeDebugPrivilege 868 tmp.exe

pid	process
868	tmp.exe
868	tmp.exe

description	pid	process
Token: SeDebugPrivilege	868	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops startup file
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/868-133-0x0000000000B20000-0x0000000000B84000-memory.dmp

Filesize
400KB

Download
memory/868-134-0x0000000005520000-0x00000000055BC000-memory.dmp

Filesize
624KB

Download
memory/868-135-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/868-136-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/868-142-0x0000000006570000-0x0000000006B14000-memory.dmp

Filesize
5.6MB

Download
memory/868-143-0x0000000006060000-0x00000000060F2000-memory.dmp

Filesize
584KB

Download
memory/868-144-0x00000000061D0000-0x000000000629E000-memory.dmp

Filesize
824KB

Download
memory/868-145-0x0000000007140000-0x0000000007758000-memory.dmp

Filesize
6.1MB

Download
memory/868-148-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download