bd983d664de646626b8b2206d60852b18309fa375299fbf2b4d39bcbaf8e5938

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2023, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd983d664de646626b8b2206d60852b18309fa375299fbf2b4d39bcbaf8e5938.exe
Size

7.2MB
MD5

69b7bc559a9f3509bcd1b909210ff235
SHA1

f259750c7f22d74242c906c62dd67e366bae6db0
SHA256

bd983d664de646626b8b2206d60852b18309fa375299fbf2b4d39bcbaf8e5938
SHA512

ef5d2231795b78db5e4a3930411d3ac8af24011af74fad11c3b67d362e8b50996890c9f1389798c5f7a0a260f108f0732e2eb61ae4c71a1ec65e5cecd366326c
SSDEEP

98304:BEtyGbTnISAZKiuZcR2AA7Uj5z6i8oYd4r5oJ8Vj1E6+LWvxerrI:BElbyQxZoI4yJ8Vj1EKvM

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4732	regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-OB2R8.6.9.0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows\CurrentVersion\Run	bd983d664de646626b8b2206d60852b18309fa375299fbf2b4d39bcbaf8e5938.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-OB2R8.6.9.0 = "C:\\ProgramData\\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-OB2R8.6.9.0\\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-OB2R8.6.9.0.exe"	bd983d664de646626b8b2206d60852b18309fa375299fbf2b4d39bcbaf8e5938.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 4732	4832	bd983d664de646626b8b2206d60852b18309fa375299fbf2b4d39bcbaf8e5938.exe	81
PID 4832 wrote to memory of 4732	4832	bd983d664de646626b8b2206d60852b18309fa375299fbf2b4d39bcbaf8e5938.exe	81

C:\Users\Admin\AppData\Local\Temp\bd983d664de646626b8b2206d60852b18309fa375299fbf2b4d39bcbaf8e5938.exe
"C:\Users\Admin\AppData\Local\Temp\bd983d664de646626b8b2206d60852b18309fa375299fbf2b4d39bcbaf8e5938.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4832
- C:\ProgramData\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-OB2R8.6.9.0\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-OB2R8.6.9.0.exe
  C:\ProgramData\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-OB2R8.6.9.0\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-OB2R8.6.9.0.exe
  2⤵
  - Executes dropped EXE
  PID:4732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-OB2R8.6.9.0\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-OB2R8.6.9.0.exe

Filesize
757.2MB

MD5
fd67981d1d776488c393d7c19886dde3

SHA1
f35e742696f5c75a4931b1fcf7b67913017b2442

SHA256
0e9992cffbf2d3a893dbf9215d4bbecdc84437b178a0a3d21343d789315c7bb1

SHA512
1d331d4fbba0ca7c09bb860b36d2a865d388ebed4e50bc28304d55c741755345c258c30a6486958004298cc50403bec1b70690747013bbb319f34e561dbf0e91

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-OB2R8.6.9.0\regid.1991-06.com.microsoftMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-OB2R8.6.9.0.exe

Filesize
757.2MB

MD5
fd67981d1d776488c393d7c19886dde3

SHA1
f35e742696f5c75a4931b1fcf7b67913017b2442

SHA256
0e9992cffbf2d3a893dbf9215d4bbecdc84437b178a0a3d21343d789315c7bb1

SHA512
1d331d4fbba0ca7c09bb860b36d2a865d388ebed4e50bc28304d55c741755345c258c30a6486958004298cc50403bec1b70690747013bbb319f34e561dbf0e91

Download Submit
memory/4732-138-0x00007FF6D9650000-0x00007FF6D9D7C000-memory.dmp

Filesize
7.2MB

Download
memory/4832-133-0x00007FF66B280000-0x00007FF66B9AC000-memory.dmp

Filesize
7.2MB

Download