6f3d111e73dbd09a1ecbd159ef539eb6ded20a78ee2910cca718d3d1c94098bc

Analysis

max time kernel
65s
max time network
149s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26-05-2023 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f3d111e73dbd09a1ecbd159ef539eb6ded20a78ee2910cca718d3d1c94098bc.exe
Size

7.0MB
MD5

8f6d7be33319772e3caaa2991202bf5b
SHA1

b26191b094f4218f97a5eb58abb43948ecbb2a80
SHA256

6f3d111e73dbd09a1ecbd159ef539eb6ded20a78ee2910cca718d3d1c94098bc
SHA512

10fa08693a0c4ed3b12cb56ac4a21f7753e9c948e1fea226e97e05c108de21d34724b99655eda5c73b2fa68d3a361922b122954f3984dfd7be89d3062cdac6f3
SSDEEP

98304:O2WtRGRVl5PGRzCL7pybSYtvVDn2FappOVfdQirlOTqMjt1lIbDiFe1/ga0Hg:TVPU67pyJDnOlQslkZjt1lpm/gaug

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8.exe

pid process

3192 SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8.exe

pid	process
3192	SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6f3d111e73dbd09a1ecbd159ef539eb6ded20a78ee2910cca718d3d1c94098bc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run	6f3d111e73dbd09a1ecbd159ef539eb6ded20a78ee2910cca718d3d1c94098bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8 = "C:\\ProgramData\\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8\\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8.exe"	6f3d111e73dbd09a1ecbd159ef539eb6ded20a78ee2910cca718d3d1c94098bc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

6f3d111e73dbd09a1ecbd159ef539eb6ded20a78ee2910cca718d3d1c94098bc.exe

description	pid	process	target process
PID 3304 wrote to memory of 3192	3304	6f3d111e73dbd09a1ecbd159ef539eb6ded20a78ee2910cca718d3d1c94098bc.exe	SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8.exe
PID 3304 wrote to memory of 3192	3304	6f3d111e73dbd09a1ecbd159ef539eb6ded20a78ee2910cca718d3d1c94098bc.exe	SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8.exe

C:\Users\Admin\AppData\Local\Temp\6f3d111e73dbd09a1ecbd159ef539eb6ded20a78ee2910cca718d3d1c94098bc.exe
"C:\Users\Admin\AppData\Local\Temp\6f3d111e73dbd09a1ecbd159ef539eb6ded20a78ee2910cca718d3d1c94098bc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3304

C:\ProgramData\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8.exe
C:\ProgramData\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8.exe
2⤵
- Executes dropped EXE
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8.exe
Filesize
757.0MB

MD5
f8b1022b533164b339c34d92a7db1f42

SHA1
c8ff9cfa0a43657bd5cb7c2e4b900ceba22a88c6

SHA256
64c97913852afc4d3099905eb24eb8609cacfe5aca0f412cd672dec16c795c78

SHA512
6b2c6919d52516122673ef1474a6ce521c17b9647ef99aa3e6ace02b523ecb2e70dd905cdeebd151e2eb3a9a1e45dfdddb75f058c585301c4446f10e3f784b78

Download Submit
C:\ProgramData\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-JBH7.5.4.8.exe
Filesize
757.0MB

MD5
f8b1022b533164b339c34d92a7db1f42

SHA1
c8ff9cfa0a43657bd5cb7c2e4b900ceba22a88c6

SHA256
64c97913852afc4d3099905eb24eb8609cacfe5aca0f412cd672dec16c795c78

SHA512
6b2c6919d52516122673ef1474a6ce521c17b9647ef99aa3e6ace02b523ecb2e70dd905cdeebd151e2eb3a9a1e45dfdddb75f058c585301c4446f10e3f784b78

Download Submit
memory/3192-126-0x00007FF74B2D0000-0x00007FF74B9CC000-memory.dmp

Filesize
7.0MB

Download
memory/3304-121-0x00007FF755340000-0x00007FF755A3C000-memory.dmp

Filesize
7.0MB

Download