19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169

Analysis

max time kernel
40s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/05/2023, 13:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe
Size

4.7MB
MD5

2623b2d34b0dd5a3f2e4966fc8a02357
SHA1

0a771728006e61308840747fb1de9f0453a5cbb3
SHA256

19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169
SHA512

3e70d9044a1795f432c6a86f59d3e128c4482e3465fe7b1a5ca93c4aa11198271d446e4f70ee4fdbdc27986f38ea86f20ae573384f3991d34fca97c6abc72856
SSDEEP

49152:6G6/2U4wSvwyLr40GK3BScph1gWJpq/kRfqS56kWp1cflUnCkrnmOqK:gm7ffzMklxkLmOq

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
924	TemplatesFavorites-ver8.6.0.2.exe

Loads dropped DLL 1 IoCs

pid	Process
2024	19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run	19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\TemplatesFavorites-ver8.6.0.2 = "C:\\ProgramData\\TemplatesFavorites-ver8.6.0.2\\TemplatesFavorites-ver8.6.0.2.exe"	19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 924	2024	19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe	27
PID 2024 wrote to memory of 924	2024	19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe	27
PID 2024 wrote to memory of 924	2024	19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe	27

C:\Users\Admin\AppData\Local\Temp\19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe
"C:\Users\Admin\AppData\Local\Temp\19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024
- C:\ProgramData\TemplatesFavorites-ver8.6.0.2\TemplatesFavorites-ver8.6.0.2.exe
  C:\ProgramData\TemplatesFavorites-ver8.6.0.2\TemplatesFavorites-ver8.6.0.2.exe
  2⤵
  - Executes dropped EXE
  PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TemplatesFavorites-ver8.6.0.2\TemplatesFavorites-ver8.6.0.2.exe

Filesize
558.1MB

MD5
52c0051c5cac9f1857356ea10cc61576

SHA1
7f2ed0621bb603eef24ee0305838fac4dbe361cc

SHA256
6cbf5afd6522ad64576583205f50b6353c133fe653913c2c84a0ace8822452a7

SHA512
438a712c620b5c847a2b7e8e190b7de81955531627c5ea0eacd6e7d4c326ebd01057e5da84d71cacfe4d601913509bf6c32b29dbca62d5cd77581cfc94b05fdd

Download Submit
\ProgramData\TemplatesFavorites-ver8.6.0.2\TemplatesFavorites-ver8.6.0.2.exe

Filesize
475.6MB

MD5
d044d38c6d3ce071eb7c9c40340693ce

SHA1
7a19c0ed263e281b3bb2aa602bbffaa1c98ba57c

SHA256
5184e4de6255002573e675fafb5a22d2a0c443021677542221e087f6d9d884a9

SHA512
199f2d552aad604fe65cf81437d798ea7c8b3c8b2e6b248bd190c73286c4a38011195f5355703595dfac1e3bc1b8d4c3f751a695180a278435389a0508395173

Download Submit