a0a041f2a20593acc4889e67414a0197c5bf2da18c3289e73fdcfbeb8fb5a35f

Analysis

max time kernel
56s
max time network
180s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14/04/2023, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0a041f2a20593acc4889e67414a0197c5bf2da18c3289e73fdcfbeb8fb5a35f.exe
Size

4.4MB
MD5

017009c0e055456001a4411dbdb11474
SHA1

aed96c3465010c1cf9f2b9c99457b7f472bd425d
SHA256

a0a041f2a20593acc4889e67414a0197c5bf2da18c3289e73fdcfbeb8fb5a35f
SHA512

fc084b7a5deaa936e752f8f0d411be7340c2c7b8c3e448ea1d589ca2394bd8a85cce763a8f2d84cf0ac7df6e765953f75b1c5c481c04f1367fd833bf68cbb4e8
SSDEEP

98304:auKHPSR+b8W/7gMYBE0ihf7WtNh2GexQWmGL7Vgr5FxlFiEGVhsMU:hKvSR2/7gM4E0GfStL25xQWx7KzPAm

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2788	DesktopDesktop-version9.1.3.0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run	a0a041f2a20593acc4889e67414a0197c5bf2da18c3289e73fdcfbeb8fb5a35f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\DesktopDesktop-version9.1.3.0 = "C:\\ProgramData\\DesktopDesktop-version9.1.3.0\\DesktopDesktop-version9.1.3.0.exe"	a0a041f2a20593acc4889e67414a0197c5bf2da18c3289e73fdcfbeb8fb5a35f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4604	a0a041f2a20593acc4889e67414a0197c5bf2da18c3289e73fdcfbeb8fb5a35f.exe
4604	a0a041f2a20593acc4889e67414a0197c5bf2da18c3289e73fdcfbeb8fb5a35f.exe
2788	DesktopDesktop-version9.1.3.0.exe
2788	DesktopDesktop-version9.1.3.0.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 2788	4604	a0a041f2a20593acc4889e67414a0197c5bf2da18c3289e73fdcfbeb8fb5a35f.exe	66
PID 4604 wrote to memory of 2788	4604	a0a041f2a20593acc4889e67414a0197c5bf2da18c3289e73fdcfbeb8fb5a35f.exe	66

C:\Users\Admin\AppData\Local\Temp\a0a041f2a20593acc4889e67414a0197c5bf2da18c3289e73fdcfbeb8fb5a35f.exe
"C:\Users\Admin\AppData\Local\Temp\a0a041f2a20593acc4889e67414a0197c5bf2da18c3289e73fdcfbeb8fb5a35f.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4604
- C:\ProgramData\DesktopDesktop-version9.1.3.0\DesktopDesktop-version9.1.3.0.exe
  C:\ProgramData\DesktopDesktop-version9.1.3.0\DesktopDesktop-version9.1.3.0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DesktopDesktop-version9.1.3.0\DesktopDesktop-version9.1.3.0.exe

Filesize
1176.3MB

MD5
1d8cd504de90b47621068150403dc9d9

SHA1
6f3936bb426bd4e9855c8863f734b01070464360

SHA256
b97ab752e9eac94fb4493d70b9dca43fd2c170a6892a6f8239695001224f0c0c

SHA512
b5713719841ad9021c967d7b4ff6b02705e6616c2ab317a0621035d9bb60fc91cb803fe426921aa0263e5bc0e733d6ccb4d606743a20bcc34602c440438efacc

Download Submit
C:\ProgramData\DesktopDesktop-version9.1.3.0\DesktopDesktop-version9.1.3.0.exe

Filesize
1176.3MB

MD5
1d8cd504de90b47621068150403dc9d9

SHA1
6f3936bb426bd4e9855c8863f734b01070464360

SHA256
b97ab752e9eac94fb4493d70b9dca43fd2c170a6892a6f8239695001224f0c0c

SHA512
b5713719841ad9021c967d7b4ff6b02705e6616c2ab317a0621035d9bb60fc91cb803fe426921aa0263e5bc0e733d6ccb4d606743a20bcc34602c440438efacc

Download Submit
memory/2788-128-0x00007FFFC4910000-0x00007FFFC4912000-memory.dmp

Filesize
8KB

Download
memory/2788-129-0x00007FF78EEF0000-0x00007FF78F85D000-memory.dmp

Filesize
9.4MB

Download
memory/4604-119-0x00007FFFC4910000-0x00007FFFC4912000-memory.dmp

Filesize
8KB

Download
memory/4604-120-0x00007FF7DD6F0000-0x00007FF7DE05D000-memory.dmp

Filesize
9.4MB

Download