9732f3f786b0655facde820dfef07f046a5068a3ebe6e92d32f8ce3b2e91a9e8

Analysis

max time kernel
53s
max time network
179s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
28/05/2023, 04:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9732f3f786b0655facde820dfef07f046a5068a3ebe6e92d32f8ce3b2e91a9e8.exe
Size

7.7MB
MD5

1830b61464f43be68ebdb709aeed7caa
SHA1

3e6509b709cda8f23dffc33aebe82c4068af4cf5
SHA256

9732f3f786b0655facde820dfef07f046a5068a3ebe6e92d32f8ce3b2e91a9e8
SHA512

3d00a62af8935b2f87584d1f5668ff025fba3fd75f8db2d68983c2ee1366564e3d235d95c96dc5d7517bdee239536bfe4e1ef8e9e6f7a690f5969ed590ea1442
SSDEEP

98304:YFvAMS04TpFiA1cEkGWi1uRUkxBZo1oiDZG:YRf4T3rWiYZxBZoJ

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1144	regid.1991-06.com.microsoftMicrosoft-ver8.2.8.4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run	9732f3f786b0655facde820dfef07f046a5068a3ebe6e92d32f8ce3b2e91a9e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\regid.1991-06.com.microsoftMicrosoft-ver8.2.8.4 = "C:\\ProgramData\\regid.1991-06.com.microsoftMicrosoft-ver8.2.8.4\\regid.1991-06.com.microsoftMicrosoft-ver8.2.8.4.exe"	9732f3f786b0655facde820dfef07f046a5068a3ebe6e92d32f8ce3b2e91a9e8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 1144	1012	9732f3f786b0655facde820dfef07f046a5068a3ebe6e92d32f8ce3b2e91a9e8.exe	66
PID 1012 wrote to memory of 1144	1012	9732f3f786b0655facde820dfef07f046a5068a3ebe6e92d32f8ce3b2e91a9e8.exe	66

C:\Users\Admin\AppData\Local\Temp\9732f3f786b0655facde820dfef07f046a5068a3ebe6e92d32f8ce3b2e91a9e8.exe
"C:\Users\Admin\AppData\Local\Temp\9732f3f786b0655facde820dfef07f046a5068a3ebe6e92d32f8ce3b2e91a9e8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1012
- C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-ver8.2.8.4\regid.1991-06.com.microsoftMicrosoft-ver8.2.8.4.exe
  C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-ver8.2.8.4\regid.1991-06.com.microsoftMicrosoft-ver8.2.8.4.exe
  2⤵
  - Executes dropped EXE
  PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-ver8.2.8.4\regid.1991-06.com.microsoftMicrosoft-ver8.2.8.4.exe

Filesize
757.7MB

MD5
069184fb33512a6df2c13962ea9651ec

SHA1
0e07f44e43b9d211c9adece75fb8942e4530b767

SHA256
4c11e8fbdfe94522f5b75a37fcfa99b554ac024c02552a23e0aab617c07d32c1

SHA512
6e7c3ba584b44818f5c2408abe8cce0109ee1fe45c24477f6001d00bad1f2aed94e41a9509e03de35cbb6830a3357e2e0d9e4cca4e454af6d950f816bafceb00

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-ver8.2.8.4\regid.1991-06.com.microsoftMicrosoft-ver8.2.8.4.exe

Filesize
757.7MB

MD5
069184fb33512a6df2c13962ea9651ec

SHA1
0e07f44e43b9d211c9adece75fb8942e4530b767

SHA256
4c11e8fbdfe94522f5b75a37fcfa99b554ac024c02552a23e0aab617c07d32c1

SHA512
6e7c3ba584b44818f5c2408abe8cce0109ee1fe45c24477f6001d00bad1f2aed94e41a9509e03de35cbb6830a3357e2e0d9e4cca4e454af6d950f816bafceb00

Download Submit
memory/1012-121-0x00007FF774470000-0x00007FF774C1A000-memory.dmp

Filesize
7.7MB

Download
memory/1144-129-0x00007FF748B50000-0x00007FF7492FA000-memory.dmp

Filesize
7.7MB

Download