8661713e7ce52256f55df380d2db8e2030c97712fb2dd7a4a5f86cf972202bb2

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2023, 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8661713e7ce52256f55df380d2db8e2030c97712fb2dd7a4a5f86cf972202bb2.exe
Size

7.0MB
MD5

53af4584857af9421c7609f89862c7b4
SHA1

fcd2d96169bf577cd731ddbc49175a09bec2994a
SHA256

8661713e7ce52256f55df380d2db8e2030c97712fb2dd7a4a5f86cf972202bb2
SHA512

e717ea46a1566591953a863ec63db27f3b278e8927a2dfeb376f1526d31014e3bb29da69b9776625cfc97aa7918c0af7fe37c9f6eabd7d962e6c40ac2691523d
SSDEEP

98304:EB1r7uUpNCFemqgCA+scAPbtdO5cWZVJN1HZVCwW3aim/7rZJA:E7BsRqqtwNzFFZ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3348	sshUSOShared-ver4.2.9.5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	8661713e7ce52256f55df380d2db8e2030c97712fb2dd7a4a5f86cf972202bb2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sshUSOShared-ver4.2.9.5 = "C:\\ProgramData\\sshUSOShared-ver4.2.9.5\\sshUSOShared-ver4.2.9.5.exe"	8661713e7ce52256f55df380d2db8e2030c97712fb2dd7a4a5f86cf972202bb2.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 3348	2156	8661713e7ce52256f55df380d2db8e2030c97712fb2dd7a4a5f86cf972202bb2.exe	86
PID 2156 wrote to memory of 3348	2156	8661713e7ce52256f55df380d2db8e2030c97712fb2dd7a4a5f86cf972202bb2.exe	86

C:\Users\Admin\AppData\Local\Temp\8661713e7ce52256f55df380d2db8e2030c97712fb2dd7a4a5f86cf972202bb2.exe
"C:\Users\Admin\AppData\Local\Temp\8661713e7ce52256f55df380d2db8e2030c97712fb2dd7a4a5f86cf972202bb2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2156
- C:\ProgramData\sshUSOShared-ver4.2.9.5\sshUSOShared-ver4.2.9.5.exe
  C:\ProgramData\sshUSOShared-ver4.2.9.5\sshUSOShared-ver4.2.9.5.exe
  2⤵
  - Executes dropped EXE
  PID:3348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sshUSOShared-ver4.2.9.5\sshUSOShared-ver4.2.9.5.exe

Filesize
757.0MB

MD5
b63b6398259454d309c2c906fd7520fd

SHA1
d173595030cc1b86857ddc6511b561aab50029e9

SHA256
23d33de6b7cb554e167da741a08f9ac1e713f9b9d21ed8193209430ea36161d7

SHA512
453f34593d6321c3407e154e65d18f051c1aa9f8b74306c21a1fcce3b23c66177fdb04615e91cbc055eb0ed539e48eab733cc88ff3e39d9554203b66ef039101

Download Submit
C:\ProgramData\sshUSOShared-ver4.2.9.5\sshUSOShared-ver4.2.9.5.exe

Filesize
757.0MB

MD5
b63b6398259454d309c2c906fd7520fd

SHA1
d173595030cc1b86857ddc6511b561aab50029e9

SHA256
23d33de6b7cb554e167da741a08f9ac1e713f9b9d21ed8193209430ea36161d7

SHA512
453f34593d6321c3407e154e65d18f051c1aa9f8b74306c21a1fcce3b23c66177fdb04615e91cbc055eb0ed539e48eab733cc88ff3e39d9554203b66ef039101

Download Submit
memory/2156-133-0x0000000140000000-0x0000000140704000-memory.dmp

Filesize
7.0MB

Download
memory/3348-141-0x0000000140000000-0x0000000140704000-memory.dmp

Filesize
7.0MB

Download