90d56bc3dc68c9878f40e2797ccf008fc4b3824268e79373a4cba842b621b8c0

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2023 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90d56bc3dc68c9878f40e2797ccf008fc4b3824268e79373a4cba842b621b8c0.exe
Size

7.1MB
MD5

5b0eeea1b8a94d126a56c59f7b27935a
SHA1

069162b716f057bd6580a52f7596c0e2fc740b37
SHA256

90d56bc3dc68c9878f40e2797ccf008fc4b3824268e79373a4cba842b621b8c0
SHA512

930e5f0e707525e76b7d5e294a6a5dc647b4db488d4a2f3b645a4e540ae6c4cf94377215f94fc94dbba7028276ed9af1c7bcacbfc017622173bbc90a0842e0af
SSDEEP

98304:nAFzkUitM6A8ZKYifY/XTMPiLc0Vhdu+2JK+rR+rW1QLkABC9+6:nA3maFyXTq0Vhdu+28+rR+6KgA49

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3868	regid.1991-06.com.microsoftTemplates-ILN9E3.4.5.8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regid.1991-06.com.microsoftTemplates-ILN9E3.4.5.8 = "C:\\ProgramData\\regid.1991-06.com.microsoftTemplates-ILN9E3.4.5.8\\regid.1991-06.com.microsoftTemplates-ILN9E3.4.5.8.exe"	90d56bc3dc68c9878f40e2797ccf008fc4b3824268e79373a4cba842b621b8c0.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows\CurrentVersion\Run	90d56bc3dc68c9878f40e2797ccf008fc4b3824268e79373a4cba842b621b8c0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 3868	2652	90d56bc3dc68c9878f40e2797ccf008fc4b3824268e79373a4cba842b621b8c0.exe	83
PID 2652 wrote to memory of 3868	2652	90d56bc3dc68c9878f40e2797ccf008fc4b3824268e79373a4cba842b621b8c0.exe	83

C:\Users\Admin\AppData\Local\Temp\90d56bc3dc68c9878f40e2797ccf008fc4b3824268e79373a4cba842b621b8c0.exe
"C:\Users\Admin\AppData\Local\Temp\90d56bc3dc68c9878f40e2797ccf008fc4b3824268e79373a4cba842b621b8c0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2652
- C:\ProgramData\regid.1991-06.com.microsoftTemplates-ILN9E3.4.5.8\regid.1991-06.com.microsoftTemplates-ILN9E3.4.5.8.exe
  C:\ProgramData\regid.1991-06.com.microsoftTemplates-ILN9E3.4.5.8\regid.1991-06.com.microsoftTemplates-ILN9E3.4.5.8.exe
  2⤵
  - Executes dropped EXE
  PID:3868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\regid.1991-06.com.microsoftTemplates-ILN9E3.4.5.8\regid.1991-06.com.microsoftTemplates-ILN9E3.4.5.8.exe

Filesize
757.1MB

MD5
e38170bcc803e5c14bcf0ddaddb60ecb

SHA1
07a0b85745c2d508fd11dd4d97a0e035f5587dc9

SHA256
527134ed252afd2199faf278876ed3bca58e8692203c8c43487db5a88500537e

SHA512
4ee5134b059c5f5e5d7c17ad8fc52063d615fdde482350478ac9f52eb24d6ac9f1f88e5e64f23ce1e6a0417f2026f89cdd22ed6dc06e00235bacfe7c6900d25d

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftTemplates-ILN9E3.4.5.8\regid.1991-06.com.microsoftTemplates-ILN9E3.4.5.8.exe

Filesize
757.1MB

MD5
e38170bcc803e5c14bcf0ddaddb60ecb

SHA1
07a0b85745c2d508fd11dd4d97a0e035f5587dc9

SHA256
527134ed252afd2199faf278876ed3bca58e8692203c8c43487db5a88500537e

SHA512
4ee5134b059c5f5e5d7c17ad8fc52063d615fdde482350478ac9f52eb24d6ac9f1f88e5e64f23ce1e6a0417f2026f89cdd22ed6dc06e00235bacfe7c6900d25d

Download Submit
memory/2652-133-0x00007FF6D9AF0000-0x00007FF6DA20A000-memory.dmp

Filesize
7.1MB

Download
memory/3868-138-0x00007FF77D530000-0x00007FF77DC4A000-memory.dmp

Filesize
7.1MB

Download