f38de22d67a34b509c5436f217c483a81850e46d15a29a75a4105125536e4438

Analysis

max time kernel
141s
max time network
143s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26-05-2023 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f38de22d67a34b509c5436f217c483a81850e46d15a29a75a4105125536e4438.exe
Size

7.0MB
MD5

31da2ac6bb8b829dac5403ed942d1add
SHA1

79c8ebdb0a9eb7f6e2d63e4b4d983b3846cfcf82
SHA256

f38de22d67a34b509c5436f217c483a81850e46d15a29a75a4105125536e4438
SHA512

9ed5be670d77ab48eeb288bde711c0a9a72921c7e7103b2a8ce8644b7ad4448bf43196390e04e0722479f77b8daa726226cf85ac709840cfb0d7a019fc69d093
SSDEEP

196608:wEBfzLRwRKRKBbekvJB732BHbK3jYv9s:wAzO4KBT132B7c6

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3652	regid.1991-06.com.microsoftDocuments-VU3W4.3.8.3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\regid.1991-06.com.microsoftDocuments-VU3W4.3.8.3 = "C:\\ProgramData\\regid.1991-06.com.microsoftDocuments-VU3W4.3.8.3\\regid.1991-06.com.microsoftDocuments-VU3W4.3.8.3.exe"	f38de22d67a34b509c5436f217c483a81850e46d15a29a75a4105125536e4438.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run	f38de22d67a34b509c5436f217c483a81850e46d15a29a75a4105125536e4438.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 3652	3664	f38de22d67a34b509c5436f217c483a81850e46d15a29a75a4105125536e4438.exe	66
PID 3664 wrote to memory of 3652	3664	f38de22d67a34b509c5436f217c483a81850e46d15a29a75a4105125536e4438.exe	66

C:\Users\Admin\AppData\Local\Temp\f38de22d67a34b509c5436f217c483a81850e46d15a29a75a4105125536e4438.exe
"C:\Users\Admin\AppData\Local\Temp\f38de22d67a34b509c5436f217c483a81850e46d15a29a75a4105125536e4438.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3664
- C:\ProgramData\regid.1991-06.com.microsoftDocuments-VU3W4.3.8.3\regid.1991-06.com.microsoftDocuments-VU3W4.3.8.3.exe
  C:\ProgramData\regid.1991-06.com.microsoftDocuments-VU3W4.3.8.3\regid.1991-06.com.microsoftDocuments-VU3W4.3.8.3.exe
  2⤵
  - Executes dropped EXE
  PID:3652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\regid.1991-06.com.microsoftDocuments-VU3W4.3.8.3\regid.1991-06.com.microsoftDocuments-VU3W4.3.8.3.exe

Filesize
757.0MB

MD5
bd74b20a0f858d88127eeb6728078b8a

SHA1
dfb6b7bbfdb2591cbce3ce3d6a4b5c8b9ca588b2

SHA256
57294aa078458d3447577389c32584daf455e1d699d0de1e181a2c696b69d35f

SHA512
cd00d9b13f7c311b062fe970b6cf9abae09e3ea33a664d472925ae2bd5974e72f66fcec979ee01ee338586631ab64535fb4e0c0a3b515fe4dd34f3f09846a2d7

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftDocuments-VU3W4.3.8.3\regid.1991-06.com.microsoftDocuments-VU3W4.3.8.3.exe

Filesize
757.0MB

MD5
bd74b20a0f858d88127eeb6728078b8a

SHA1
dfb6b7bbfdb2591cbce3ce3d6a4b5c8b9ca588b2

SHA256
57294aa078458d3447577389c32584daf455e1d699d0de1e181a2c696b69d35f

SHA512
cd00d9b13f7c311b062fe970b6cf9abae09e3ea33a664d472925ae2bd5974e72f66fcec979ee01ee338586631ab64535fb4e0c0a3b515fe4dd34f3f09846a2d7

Download Submit
memory/3652-124-0x00007FF680570000-0x00007FF680C6F000-memory.dmp

Filesize
7.0MB

Download
memory/3664-119-0x00007FF608680000-0x00007FF608D7F000-memory.dmp

Filesize
7.0MB

Download