ae0a4a5d24db7b1d7c89dca9f5b6425b49938b1e571dc3860c75efe463c1da95

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2023 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae0a4a5d24db7b1d7c89dca9f5b6425b49938b1e571dc3860c75efe463c1da95.exe
Size

7.2MB
MD5

ec67e172c07b1f626d106e677116a7d7
SHA1

a26fdc549812459a4117776c4c944ce3591bffeb
SHA256

ae0a4a5d24db7b1d7c89dca9f5b6425b49938b1e571dc3860c75efe463c1da95
SHA512

4850322341b59bbf16fd62c12afee588c173b7e762fe81f1f42d2b0a481e4db7f1bab8171a5b9a9cc461f0113d5cae9385c52d5e5b62bffafde6b466e5283bf2
SSDEEP

98304:lfMx7F5obE1jyujmP1zIfwH0EZlLX/tNUcjsbz6TA+NWlVN9:dMYAe1P1zIIzlLX/whiM+0F

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1548	USOSharedUSOShared-ZS40.4.7.0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	ae0a4a5d24db7b1d7c89dca9f5b6425b49938b1e571dc3860c75efe463c1da95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USOSharedUSOShared-ZS40.4.7.0 = "C:\\ProgramData\\USOSharedUSOShared-ZS40.4.7.0\\USOSharedUSOShared-ZS40.4.7.0.exe"	ae0a4a5d24db7b1d7c89dca9f5b6425b49938b1e571dc3860c75efe463c1da95.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 1548	948	ae0a4a5d24db7b1d7c89dca9f5b6425b49938b1e571dc3860c75efe463c1da95.exe	84
PID 948 wrote to memory of 1548	948	ae0a4a5d24db7b1d7c89dca9f5b6425b49938b1e571dc3860c75efe463c1da95.exe	84

C:\Users\Admin\AppData\Local\Temp\ae0a4a5d24db7b1d7c89dca9f5b6425b49938b1e571dc3860c75efe463c1da95.exe
"C:\Users\Admin\AppData\Local\Temp\ae0a4a5d24db7b1d7c89dca9f5b6425b49938b1e571dc3860c75efe463c1da95.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:948
- C:\ProgramData\USOSharedUSOShared-ZS40.4.7.0\USOSharedUSOShared-ZS40.4.7.0.exe
  C:\ProgramData\USOSharedUSOShared-ZS40.4.7.0\USOSharedUSOShared-ZS40.4.7.0.exe
  2⤵
  - Executes dropped EXE
  PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\USOSharedUSOShared-ZS40.4.7.0\USOSharedUSOShared-ZS40.4.7.0.exe

Filesize
757.2MB

MD5
9d3fd5045f78aa80dda5107174f941b3

SHA1
1fedeb263ded798cfb2ed911fabf6413a83c78b8

SHA256
f390ed161b9c249f00d66434b32f15d1db7f2b90c1df27edf1a901e6d59aadf2

SHA512
915efb5d874fbb29165a7f12842649d06604302b2ff8ec223e0b5641cd37dc66b636eb5b94f4e33d6e31a43c00ebc5917cc7a200df5e0a18eaeddb3856bf5002

Download Submit
C:\ProgramData\USOSharedUSOShared-ZS40.4.7.0\USOSharedUSOShared-ZS40.4.7.0.exe

Filesize
757.2MB

MD5
9d3fd5045f78aa80dda5107174f941b3

SHA1
1fedeb263ded798cfb2ed911fabf6413a83c78b8

SHA256
f390ed161b9c249f00d66434b32f15d1db7f2b90c1df27edf1a901e6d59aadf2

SHA512
915efb5d874fbb29165a7f12842649d06604302b2ff8ec223e0b5641cd37dc66b636eb5b94f4e33d6e31a43c00ebc5917cc7a200df5e0a18eaeddb3856bf5002

Download Submit
memory/948-133-0x00007FF6B1150000-0x00007FF6B1880000-memory.dmp

Filesize
7.2MB

Download
memory/1548-138-0x00007FF70E980000-0x00007FF70F0B0000-memory.dmp

Filesize
7.2MB

Download