86b570846faed2cc902442b8ae10048e1e18e7c77e9967e594f86f8b4ba7139a

Analysis

max time kernel
51s
max time network
175s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
22-04-2023 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86b570846faed2cc902442b8ae10048e1e18e7c77e9967e594f86f8b4ba7139a.exe
Size

10.7MB
MD5

d86d346a0bd4d60c92fdd04622df0039
SHA1

e92a214aea1f54c86bb1f83e5662464e869f8fbd
SHA256

86b570846faed2cc902442b8ae10048e1e18e7c77e9967e594f86f8b4ba7139a
SHA512

9074c4a59681a1245f4d5a4e91bfd6b72ed7424f1b165680da52f56af57ccf159c36f1699d70f00095d4f8f72ba26aa89d3118d26c05a73f02524bb4e6b21bb8
SSDEEP

196608:9Ir3uCOs8gRP7ICyWPs/SeLTW+JR9LJJfNQmxr0zTIN:IeMdZ0nS2W+JndQmSA

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3860	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run	86b570846faed2cc902442b8ae10048e1e18e7c77e9967e594f86f8b4ba7139a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7 = "C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7.exe"	86b570846faed2cc902442b8ae10048e1e18e7c77e9967e594f86f8b4ba7139a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4448	86b570846faed2cc902442b8ae10048e1e18e7c77e9967e594f86f8b4ba7139a.exe
4448	86b570846faed2cc902442b8ae10048e1e18e7c77e9967e594f86f8b4ba7139a.exe
3860	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7.exe
3860	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4448	86b570846faed2cc902442b8ae10048e1e18e7c77e9967e594f86f8b4ba7139a.exe
4448	86b570846faed2cc902442b8ae10048e1e18e7c77e9967e594f86f8b4ba7139a.exe
3860	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7.exe
3860	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 3860	4448	86b570846faed2cc902442b8ae10048e1e18e7c77e9967e594f86f8b4ba7139a.exe	66
PID 4448 wrote to memory of 3860	4448	86b570846faed2cc902442b8ae10048e1e18e7c77e9967e594f86f8b4ba7139a.exe	66

C:\Users\Admin\AppData\Local\Temp\86b570846faed2cc902442b8ae10048e1e18e7c77e9967e594f86f8b4ba7139a.exe
"C:\Users\Admin\AppData\Local\Temp\86b570846faed2cc902442b8ae10048e1e18e7c77e9967e594f86f8b4ba7139a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4448
- C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7.exe
  C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7.exe

Filesize
1285.1MB

MD5
3b3792daff39e17c63ecb4105d8b094a

SHA1
96a2bce64f00e790646e815677152e20e06cd2c1

SHA256
0e1d07fe29aeb754ec07e2cc8bec453648c545e926a317e3c27739e94b66f046

SHA512
6f50b93b00ee01d3de5c8114c1fc9728f1d8763487d2f3712529f8acec644141e113460d71b94893edfeb9859a738059afd874d2373bc6675e4c7c68ea19e2c6

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-version9.9.8.7.exe

Filesize
1285.1MB

MD5
3b3792daff39e17c63ecb4105d8b094a

SHA1
96a2bce64f00e790646e815677152e20e06cd2c1

SHA256
0e1d07fe29aeb754ec07e2cc8bec453648c545e926a317e3c27739e94b66f046

SHA512
6f50b93b00ee01d3de5c8114c1fc9728f1d8763487d2f3712529f8acec644141e113460d71b94893edfeb9859a738059afd874d2373bc6675e4c7c68ea19e2c6

Download Submit
memory/3860-130-0x0000000140000000-0x0000000141360000-memory.dmp

Filesize
19.4MB

Download
memory/4448-120-0x00007FFB8BEC0000-0x00007FFB8BEC2000-memory.dmp

Filesize
8KB

Download
memory/4448-121-0x0000000140000000-0x0000000141360000-memory.dmp

Filesize
19.4MB

Download