01d1e87d81b1720e3c854681edcbf7c8dbef27310baaa931f81a400c7eed2998

Analysis

max time kernel
56s
max time network
183s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26/05/2023, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01d1e87d81b1720e3c854681edcbf7c8dbef27310baaa931f81a400c7eed2998.exe
Size

7.0MB
MD5

2b155b1b5e89dbf166de6f0fb711f483
SHA1

bd171f456aab55ec71ab25625fed254d50b1a7c5
SHA256

01d1e87d81b1720e3c854681edcbf7c8dbef27310baaa931f81a400c7eed2998
SHA512

f1f73a2d64cf7db22b025d3212272bb1ca20a574a701e1f691651aa5e9eaefa4cf7de3283bdcd8c32ef3e8992f81fc4eada7d6cf375502be8c990f63cfe60f1b
SSDEEP

98304:wCb6nBLsClsfnUZB7klrb9Tj9k8t0sh3PHpgII67W4RrYvgzcbyzIMxBxNRhKG8:yL3MUZ6bPk8BfHpU6C+6bQNPh98

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2484	DesktopTemplates-C0IHW7.7.0.8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run	01d1e87d81b1720e3c854681edcbf7c8dbef27310baaa931f81a400c7eed2998.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\DesktopTemplates-C0IHW7.7.0.8 = "C:\\ProgramData\\DesktopTemplates-C0IHW7.7.0.8\\DesktopTemplates-C0IHW7.7.0.8.exe"	01d1e87d81b1720e3c854681edcbf7c8dbef27310baaa931f81a400c7eed2998.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2484	2392	01d1e87d81b1720e3c854681edcbf7c8dbef27310baaa931f81a400c7eed2998.exe	66
PID 2392 wrote to memory of 2484	2392	01d1e87d81b1720e3c854681edcbf7c8dbef27310baaa931f81a400c7eed2998.exe	66

C:\Users\Admin\AppData\Local\Temp\01d1e87d81b1720e3c854681edcbf7c8dbef27310baaa931f81a400c7eed2998.exe
"C:\Users\Admin\AppData\Local\Temp\01d1e87d81b1720e3c854681edcbf7c8dbef27310baaa931f81a400c7eed2998.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2392
- C:\ProgramData\DesktopTemplates-C0IHW7.7.0.8\DesktopTemplates-C0IHW7.7.0.8.exe
  C:\ProgramData\DesktopTemplates-C0IHW7.7.0.8\DesktopTemplates-C0IHW7.7.0.8.exe
  2⤵
  - Executes dropped EXE
  PID:2484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DesktopTemplates-C0IHW7.7.0.8\DesktopTemplates-C0IHW7.7.0.8.exe

Filesize
757.0MB

MD5
1272623ea225570cbe152fdc637a62e3

SHA1
00bea43bff42ca1768ad506c0f24348b12947498

SHA256
7242e63a55abe5cd267c0ac248d9c686022277118219c10f86767bf9f55a07c7

SHA512
4d8fbe1f984626f60312da129cd6f5c63dda1561aac13ae6ba6238d1606d15667b17e27735762a8fe2d8ba716ca9f8026704a63cf81b0d93a0d45e55d184624d

Download Submit
C:\ProgramData\DesktopTemplates-C0IHW7.7.0.8\DesktopTemplates-C0IHW7.7.0.8.exe

Filesize
757.0MB

MD5
1272623ea225570cbe152fdc637a62e3

SHA1
00bea43bff42ca1768ad506c0f24348b12947498

SHA256
7242e63a55abe5cd267c0ac248d9c686022277118219c10f86767bf9f55a07c7

SHA512
4d8fbe1f984626f60312da129cd6f5c63dda1561aac13ae6ba6238d1606d15667b17e27735762a8fe2d8ba716ca9f8026704a63cf81b0d93a0d45e55d184624d

Download Submit
memory/2392-121-0x00007FF7965F0000-0x00007FF796CE6000-memory.dmp

Filesize
7.0MB

Download
memory/2484-126-0x00007FF75CBB0000-0x00007FF75D2A6000-memory.dmp

Filesize
7.0MB

Download