86794dd032b5feee1572f47f300af73aa26ee6150fa96b432c72d1d2c87d5dfd

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2023 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86794dd032b5feee1572f47f300af73aa26ee6150fa96b432c72d1d2c87d5dfd.exe
Size

4.7MB
MD5

7d70e8acd26698d151f8599b6a73f894
SHA1

fa06d8fd91129514114ec97b2b9c00056ecc12a1
SHA256

86794dd032b5feee1572f47f300af73aa26ee6150fa96b432c72d1d2c87d5dfd
SHA512

ad772048fad3dd03f974a14dc94f6c6495cc4d60825aece7fb7fc0ace0eac7e8d903dc64e50f03fc6276956120041a23c0cbe3ebadc94ec8ddc8377a371f1ed8
SSDEEP

49152:wkqkNmWyrTM7i/es9VSdZhIyr+b6HKWJycsVrtrFtKql7TGv:tXUKkzFtKql7TI

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4776	USOSharedDesktop-ver4.6.7.1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows\CurrentVersion\Run	86794dd032b5feee1572f47f300af73aa26ee6150fa96b432c72d1d2c87d5dfd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USOSharedDesktop-ver4.6.7.1 = "C:\\ProgramData\\USOSharedDesktop-ver4.6.7.1\\USOSharedDesktop-ver4.6.7.1.exe"	86794dd032b5feee1572f47f300af73aa26ee6150fa96b432c72d1d2c87d5dfd.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 4776	4512	86794dd032b5feee1572f47f300af73aa26ee6150fa96b432c72d1d2c87d5dfd.exe	83
PID 4512 wrote to memory of 4776	4512	86794dd032b5feee1572f47f300af73aa26ee6150fa96b432c72d1d2c87d5dfd.exe	83

C:\Users\Admin\AppData\Local\Temp\86794dd032b5feee1572f47f300af73aa26ee6150fa96b432c72d1d2c87d5dfd.exe
"C:\Users\Admin\AppData\Local\Temp\86794dd032b5feee1572f47f300af73aa26ee6150fa96b432c72d1d2c87d5dfd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4512
- C:\ProgramData\USOSharedDesktop-ver4.6.7.1\USOSharedDesktop-ver4.6.7.1.exe
  C:\ProgramData\USOSharedDesktop-ver4.6.7.1\USOSharedDesktop-ver4.6.7.1.exe
  2⤵
  - Executes dropped EXE
  PID:4776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\USOSharedDesktop-ver4.6.7.1\USOSharedDesktop-ver4.6.7.1.exe

Filesize
754.7MB

MD5
f0ac84407349e1f3b7b6a68e41070323

SHA1
a317dc5d3b767bce40b86d590bae036d59a472e7

SHA256
ec752f67f3675d9306912338c0f61768f6c1a314429382c43c1808bd31c24809

SHA512
39e17b419235b3bf21d4edc34d37cea8050e4dab77888b5df6a2418b772500fe29360dbae881a09bbdf8ab369f4b0dde9f933b1f013a2be5641519346615994c

Download Submit
C:\ProgramData\USOSharedDesktop-ver4.6.7.1\USOSharedDesktop-ver4.6.7.1.exe

Filesize
754.7MB

MD5
f0ac84407349e1f3b7b6a68e41070323

SHA1
a317dc5d3b767bce40b86d590bae036d59a472e7

SHA256
ec752f67f3675d9306912338c0f61768f6c1a314429382c43c1808bd31c24809

SHA512
39e17b419235b3bf21d4edc34d37cea8050e4dab77888b5df6a2418b772500fe29360dbae881a09bbdf8ab369f4b0dde9f933b1f013a2be5641519346615994c

Download Submit