16e9b64b307462509c376b411c4dccb644f48d630fd0773d28e988cc8bf3378c

Analysis

max time kernel
63s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2023 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16e9b64b307462509c376b411c4dccb644f48d630fd0773d28e988cc8bf3378c.exe
Size

4.7MB
MD5

a7225c3f11926a092f608589ba676abc
SHA1

240927f26d35292d922c710fd5bf6b7aa996ae87
SHA256

16e9b64b307462509c376b411c4dccb644f48d630fd0773d28e988cc8bf3378c
SHA512

900942a62b31afbe67d9840a9ef9875a80b47584808a0167727f050f2663232c386cc59450eec1a68c78b6d937dc5b2d23c5fe0662f5119d26845664416a452d
SSDEEP

49152:wb6aSECYBfkW7tComPsW5p6lAjw7iqnVlSivrh/+TM+Fp:jA4D+/+TM+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4872	PackagesDocuments-ver3.9.0.2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PackagesDocuments-ver3.9.0.2 = "C:\\ProgramData\\PackagesDocuments-ver3.9.0.2\\PackagesDocuments-ver3.9.0.2.exe"	16e9b64b307462509c376b411c4dccb644f48d630fd0773d28e988cc8bf3378c.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	16e9b64b307462509c376b411c4dccb644f48d630fd0773d28e988cc8bf3378c.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 4872	5012	16e9b64b307462509c376b411c4dccb644f48d630fd0773d28e988cc8bf3378c.exe	80
PID 5012 wrote to memory of 4872	5012	16e9b64b307462509c376b411c4dccb644f48d630fd0773d28e988cc8bf3378c.exe	80

C:\Users\Admin\AppData\Local\Temp\16e9b64b307462509c376b411c4dccb644f48d630fd0773d28e988cc8bf3378c.exe
"C:\Users\Admin\AppData\Local\Temp\16e9b64b307462509c376b411c4dccb644f48d630fd0773d28e988cc8bf3378c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5012
- C:\ProgramData\PackagesDocuments-ver3.9.0.2\PackagesDocuments-ver3.9.0.2.exe
  C:\ProgramData\PackagesDocuments-ver3.9.0.2\PackagesDocuments-ver3.9.0.2.exe
  2⤵
  - Executes dropped EXE
  PID:4872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PackagesDocuments-ver3.9.0.2\PackagesDocuments-ver3.9.0.2.exe

Filesize
157.6MB

MD5
eb1a502ae0d6e343556a7b70911c2991

SHA1
a2ee8f59de89b2e891f99d87cda55c2036a4bb17

SHA256
b69d66961f567274395375f4301d4f36d4d726cbbd580cf0af8ebfbd1e5ae17e

SHA512
5f008ba02a5141ae44021661ac37972730c21284869ead6bb68380542baddb6c800e5ba4da3507a300deeb3e69a3159f7bb1e702b2d6c9e40fdcef805e927736

Download Submit
C:\ProgramData\PackagesDocuments-ver3.9.0.2\PackagesDocuments-ver3.9.0.2.exe

Filesize
159.1MB

MD5
79ad50e15c017af6011f5101abce6a05

SHA1
4d3c1829462d6d5e6d36630cf98b0b24a01431bb

SHA256
4b8dc91998736147c212d51255fc40be4657a0d0d20a14a6338e634922a26932

SHA512
f19346db5c1cffcfc8d396557bf354db02a8626cbdf42e49ded521ac5c572cb7b1793de73c5f735dfb641cf63831296db2b057cc61ba62b2baff4bcb684c6424

Download Submit