f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765

Analysis

max time kernel
139s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2023, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765.exe
Size

7.1MB
MD5

f0b62ae5805c0231ba85e9b6e46202a8
SHA1

f87fb348da105b56366ffde3dc66a5643bd5e53d
SHA256

f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765
SHA512

edd5f48b9be4a60987da4fc3ce2c6384327a54bf222344e92b9e682458ab3b5d400e62eedd7a5313110f71231a1acb0e31031fb1a44d664d9bee07fa6b205a60
SSDEEP

98304:nCUrQTT+Aq3ku0P1fGRxTZqzdQ2F6a7AmpJmeYTa3x5+oKA/M:nC9XLzPeFOAmpweOa3x5+oJ/M

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2460	DesktopSoftwareDistribution-ROMF91.4.0.1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DesktopSoftwareDistribution-ROMF91.4.0.1 = "C:\\ProgramData\\DesktopSoftwareDistribution-ROMF91.4.0.1\\DesktopSoftwareDistribution-ROMF91.4.0.1.exe"	f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 2460	632	f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765.exe	84
PID 632 wrote to memory of 2460	632	f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765.exe	84

C:\Users\Admin\AppData\Local\Temp\f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765.exe
"C:\Users\Admin\AppData\Local\Temp\f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:632
- C:\ProgramData\DesktopSoftwareDistribution-ROMF91.4.0.1\DesktopSoftwareDistribution-ROMF91.4.0.1.exe
  C:\ProgramData\DesktopSoftwareDistribution-ROMF91.4.0.1\DesktopSoftwareDistribution-ROMF91.4.0.1.exe
  2⤵
  - Executes dropped EXE
  PID:2460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DesktopSoftwareDistribution-ROMF91.4.0.1\DesktopSoftwareDistribution-ROMF91.4.0.1.exe

Filesize
757.1MB

MD5
12c4542b8df229f8aa2ebaeaadd38266

SHA1
fdad30e1d2a34379be6da931e1f9e404017c5562

SHA256
64b546b3f4e245b7a09e4341df3a3a1a3faeddb50b93ef3a00d317a9ca04b2f1

SHA512
e37cc6b0e5318d15b8ffacc54696d63b97c7f16a1426573e2be0232d37182633f0cd2880381e69ba089f7d9e738ce3784730ff55d9ffdd1f4c02dbf16a999aa4

Download Submit
C:\ProgramData\DesktopSoftwareDistribution-ROMF91.4.0.1\DesktopSoftwareDistribution-ROMF91.4.0.1.exe

Filesize
757.1MB

MD5
12c4542b8df229f8aa2ebaeaadd38266

SHA1
fdad30e1d2a34379be6da931e1f9e404017c5562

SHA256
64b546b3f4e245b7a09e4341df3a3a1a3faeddb50b93ef3a00d317a9ca04b2f1

SHA512
e37cc6b0e5318d15b8ffacc54696d63b97c7f16a1426573e2be0232d37182633f0cd2880381e69ba089f7d9e738ce3784730ff55d9ffdd1f4c02dbf16a999aa4

Download Submit
memory/632-133-0x00007FF7FDC20000-0x00007FF7FE336000-memory.dmp

Filesize
7.1MB

Download
memory/2460-138-0x00007FF775380000-0x00007FF775A96000-memory.dmp

Filesize
7.1MB

Download