536487a1120c0c54ccfed469266f1ae2a3edf1f546ee547f93842a7e9fddcae2

Analysis

max time kernel
43s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/05/2023, 22:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

536487a1120c0c54ccfed469266f1ae2a3edf1f546ee547f93842a7e9fddcae2.exe
Size

5.7MB
MD5

2485591d47bfedf2365f9ee7af039507
SHA1

39f456ffd2899242e138f50bf5923c1c03f62175
SHA256

536487a1120c0c54ccfed469266f1ae2a3edf1f546ee547f93842a7e9fddcae2
SHA512

8edbc2267cf954f11216d2db5dd6fae22cd9446761a77b4fdb8018e9100105de792e266c6d4e1f50d5380e886ecc03b8f49a2f805cfba1857114fccedff80d4c
SSDEEP

49152:p6FqzpvjNKDD/IpOrBOJjHDXUEViCaT0SrO59onL+KFoVGPAz7+Ad/iSp7Baq7i:p7ZYU75AEzzzSq3Rm0aUtm

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1420	TemplatesMicrosoft-ver9.8.6.4.exe

Loads dropped DLL 1 IoCs

pid	Process
908	536487a1120c0c54ccfed469266f1ae2a3edf1f546ee547f93842a7e9fddcae2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run	536487a1120c0c54ccfed469266f1ae2a3edf1f546ee547f93842a7e9fddcae2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\TemplatesMicrosoft-ver9.8.6.4 = "C:\\ProgramData\\TemplatesMicrosoft-ver9.8.6.4\\TemplatesMicrosoft-ver9.8.6.4.exe"	536487a1120c0c54ccfed469266f1ae2a3edf1f546ee547f93842a7e9fddcae2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 1420	908	536487a1120c0c54ccfed469266f1ae2a3edf1f546ee547f93842a7e9fddcae2.exe	28
PID 908 wrote to memory of 1420	908	536487a1120c0c54ccfed469266f1ae2a3edf1f546ee547f93842a7e9fddcae2.exe	28
PID 908 wrote to memory of 1420	908	536487a1120c0c54ccfed469266f1ae2a3edf1f546ee547f93842a7e9fddcae2.exe	28

C:\Users\Admin\AppData\Local\Temp\536487a1120c0c54ccfed469266f1ae2a3edf1f546ee547f93842a7e9fddcae2.exe
"C:\Users\Admin\AppData\Local\Temp\536487a1120c0c54ccfed469266f1ae2a3edf1f546ee547f93842a7e9fddcae2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:908
- C:\ProgramData\TemplatesMicrosoft-ver9.8.6.4\TemplatesMicrosoft-ver9.8.6.4.exe
  C:\ProgramData\TemplatesMicrosoft-ver9.8.6.4\TemplatesMicrosoft-ver9.8.6.4.exe
  2⤵
  - Executes dropped EXE
  PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TemplatesMicrosoft-ver9.8.6.4\TemplatesMicrosoft-ver9.8.6.4.exe

Filesize
1236.2MB

MD5
6794606499c39074551f165627afb01f

SHA1
b4ebeb0b5850df2e89595062ffd8b00317b013c3

SHA256
375a4ff7b14b01029cb495e1651480a9d21f5cc9eeeb2b1e44c07e5d10a342a6

SHA512
d0bfee836f512c7ff4bcf39fb35ce26ba21ced12f291496292edaa57663841fcc6ffa6d0e31241d6cb20ba75343360b4385e9c38e5bd62723224ba19c96e45f1

Download Submit
\ProgramData\TemplatesMicrosoft-ver9.8.6.4\TemplatesMicrosoft-ver9.8.6.4.exe

Filesize
1236.2MB

MD5
6794606499c39074551f165627afb01f

SHA1
b4ebeb0b5850df2e89595062ffd8b00317b013c3

SHA256
375a4ff7b14b01029cb495e1651480a9d21f5cc9eeeb2b1e44c07e5d10a342a6

SHA512
d0bfee836f512c7ff4bcf39fb35ce26ba21ced12f291496292edaa57663841fcc6ffa6d0e31241d6cb20ba75343360b4385e9c38e5bd62723224ba19c96e45f1

Download Submit