7e6750c73264d1a1f8b6e256431502801877eb33c9aa7274938630d8572d5465

Analysis

max time kernel
65s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2023, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e6750c73264d1a1f8b6e256431502801877eb33c9aa7274938630d8572d5465.exe
Size

7.0MB
MD5

6b9b15f41fd55c066786c81d74c04d99
SHA1

a531a5a4717bf170f06d0ff671e4638594ce04a3
SHA256

7e6750c73264d1a1f8b6e256431502801877eb33c9aa7274938630d8572d5465
SHA512

9a0a28d34e89d6113812fe8d4133de9eef7b34311fe8523e85f9fe334cb8b02c4e8d8f562e0951d1ec6ba61d1148903b054de60ae3ce60601e1540ef66ae3005
SSDEEP

98304:GQJsvv8a6OlIoFCQRVLVNpPqx8rQ/+4oWSLcqPUzAspHU33sL5Kd2QW+9:A8ZYLILsjgtUnsLo4g9

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3752	DocumentsTemplates-CR0Q5.5.5.9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	7e6750c73264d1a1f8b6e256431502801877eb33c9aa7274938630d8572d5465.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DocumentsTemplates-CR0Q5.5.5.9 = "C:\\ProgramData\\DocumentsTemplates-CR0Q5.5.5.9\\DocumentsTemplates-CR0Q5.5.5.9.exe"	7e6750c73264d1a1f8b6e256431502801877eb33c9aa7274938630d8572d5465.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 3752	4364	7e6750c73264d1a1f8b6e256431502801877eb33c9aa7274938630d8572d5465.exe	83
PID 4364 wrote to memory of 3752	4364	7e6750c73264d1a1f8b6e256431502801877eb33c9aa7274938630d8572d5465.exe	83

C:\Users\Admin\AppData\Local\Temp\7e6750c73264d1a1f8b6e256431502801877eb33c9aa7274938630d8572d5465.exe
"C:\Users\Admin\AppData\Local\Temp\7e6750c73264d1a1f8b6e256431502801877eb33c9aa7274938630d8572d5465.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4364
- C:\ProgramData\DocumentsTemplates-CR0Q5.5.5.9\DocumentsTemplates-CR0Q5.5.5.9.exe
  C:\ProgramData\DocumentsTemplates-CR0Q5.5.5.9\DocumentsTemplates-CR0Q5.5.5.9.exe
  2⤵
  - Executes dropped EXE
  PID:3752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DocumentsTemplates-CR0Q5.5.5.9\DocumentsTemplates-CR0Q5.5.5.9.exe

Filesize
757.0MB

MD5
7985eab6d994c9c4da4c0fc6dfa617bd

SHA1
466744398284ff4729c678a1a8e72639e02081b9

SHA256
3d1367dbab16c6f53ed7e6c6602df2944485bd30104a88cb041dd9bf4ce11e1c

SHA512
63a6cba47d379eaba644860ad0737ed1bab4d724859cc5c7ee0cf9094ab0804226838386b3e448cb6018ceda38fa0e8e2eb71aadaca4ba6b7504836627e7838c

Download Submit
C:\ProgramData\DocumentsTemplates-CR0Q5.5.5.9\DocumentsTemplates-CR0Q5.5.5.9.exe

Filesize
757.0MB

MD5
7985eab6d994c9c4da4c0fc6dfa617bd

SHA1
466744398284ff4729c678a1a8e72639e02081b9

SHA256
3d1367dbab16c6f53ed7e6c6602df2944485bd30104a88cb041dd9bf4ce11e1c

SHA512
63a6cba47d379eaba644860ad0737ed1bab4d724859cc5c7ee0cf9094ab0804226838386b3e448cb6018ceda38fa0e8e2eb71aadaca4ba6b7504836627e7838c

Download Submit
memory/3752-138-0x00007FF6A2F00000-0x00007FF6A35FE000-memory.dmp

Filesize
7.0MB

Download
memory/4364-133-0x00007FF7F69C0000-0x00007FF7F70BE000-memory.dmp

Filesize
7.0MB

Download