346e161a15909619478aca846911c9ddbe6cf00cd1cc476efdf6db46c9d5f493

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 13:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

346e161a15909619478aca846911c9ddbe6cf00cd1cc476efdf6db46c9d5f493.exe
Size

4.7MB
MD5

2bec9283d63299c1dc3262538220944a
SHA1

0614c48456705b3cfeccfb52d2642727a3542d79
SHA256

346e161a15909619478aca846911c9ddbe6cf00cd1cc476efdf6db46c9d5f493
SHA512

f16e5eb147e999b8a8486258acc41ee253531e3ea8b35d71c6606039cc0aa9cb98ea281843b47999c7ee8cb5e84cf6c1ee5f78b9ebe402f0d04103823bb19742
SSDEEP

49152:0U1d5nEXFwxryRrseyQxkrcC3WynVPpcrzMAH0kWE/2nUpauiGY+zf9s0:2ZJZdDfUbY

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4700	MicrosoftMicrosoft-ver2.0.2.6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run	346e161a15909619478aca846911c9ddbe6cf00cd1cc476efdf6db46c9d5f493.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftMicrosoft-ver2.0.2.6 = "C:\\ProgramData\\MicrosoftMicrosoft-ver2.0.2.6\\MicrosoftMicrosoft-ver2.0.2.6.exe"	346e161a15909619478aca846911c9ddbe6cf00cd1cc476efdf6db46c9d5f493.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 4700	4388	346e161a15909619478aca846911c9ddbe6cf00cd1cc476efdf6db46c9d5f493.exe	83
PID 4388 wrote to memory of 4700	4388	346e161a15909619478aca846911c9ddbe6cf00cd1cc476efdf6db46c9d5f493.exe	83

C:\Users\Admin\AppData\Local\Temp\346e161a15909619478aca846911c9ddbe6cf00cd1cc476efdf6db46c9d5f493.exe
"C:\Users\Admin\AppData\Local\Temp\346e161a15909619478aca846911c9ddbe6cf00cd1cc476efdf6db46c9d5f493.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4388
- C:\ProgramData\MicrosoftMicrosoft-ver2.0.2.6\MicrosoftMicrosoft-ver2.0.2.6.exe
  C:\ProgramData\MicrosoftMicrosoft-ver2.0.2.6\MicrosoftMicrosoft-ver2.0.2.6.exe
  2⤵
  - Executes dropped EXE
  PID:4700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MicrosoftMicrosoft-ver2.0.2.6\MicrosoftMicrosoft-ver2.0.2.6.exe

Filesize
7.3MB

MD5
8103e1fe2a4c0189f4605b2562b6952b

SHA1
1adccd58b1e1bb868f6660e46063adabcbfd5251

SHA256
4de4e341e0a941ad82ced5346a30913a82df427c620ef856ac9f7fe1393b7cf9

SHA512
6491a143408c415bb772a3052b9e6683ef4b6113262c500c5f899be39f5bde9399aca67f6fc7b16599d3582a1682dd8d68a578465ea89d742ec0aea59644c2a4

Download Submit
C:\ProgramData\MicrosoftMicrosoft-ver2.0.2.6\MicrosoftMicrosoft-ver2.0.2.6.exe

Filesize
6.8MB

MD5
6e8960c347a8e92441be87f57017db4e

SHA1
2fe2c6ecccab27f17f08476443e6c8a7af014e37

SHA256
ecf91206cf33edf383a20ad52479962420ac082ddff3e29d590756a419aaed89

SHA512
99fdcc195c0c7ff464240e8ce1659c94c4f48b2b8c8f352eed1519f5662ea9f424a1c33785df2a90b2d412096f39b3ee48441fbff725ebeb79aecfa8ed980f7b

Download Submit