c3afc8e746e4e322d66dca4db0fdf0c8357b14ce7600df40851bf5f88ee04b77

Analysis

max time kernel
148s
max time network
182s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
28/05/2023, 04:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c3afc8e746e4e322d66dca4db0fdf0c8357b14ce7600df40851bf5f88ee04b77.exe
Size

7.0MB
MD5

c08d9ebc61d682bcfec0fbb066e01ad5
SHA1

ba25ec95b20e8371799a6ba0d9e51eaa18b65528
SHA256

c3afc8e746e4e322d66dca4db0fdf0c8357b14ce7600df40851bf5f88ee04b77
SHA512

75fd688061cdddd86093f7a7a07cd800db2efbb869a88238cafba08a410b6596472dfaef6c8a5b6b36417c18be236b40176b4b4daa19c4a0c09a44466a325970
SSDEEP

98304:voZ6cjkIi5rioBE9R7EcKYFTWl/m9Kgi05lps6G01DgkZGez1vlCuW:Ak/LE9RPBFqlO9v5lTDgwauW

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
712	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Documents-T3M1.4.2.2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run	c3afc8e746e4e322d66dca4db0fdf0c8357b14ce7600df40851bf5f88ee04b77.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Documents-T3M1.4.2.2 = "C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Documents-T3M1.4.2.2\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Documents-T3M1.4.2.2.exe"	c3afc8e746e4e322d66dca4db0fdf0c8357b14ce7600df40851bf5f88ee04b77.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 420 wrote to memory of 712	420	c3afc8e746e4e322d66dca4db0fdf0c8357b14ce7600df40851bf5f88ee04b77.exe	66
PID 420 wrote to memory of 712	420	c3afc8e746e4e322d66dca4db0fdf0c8357b14ce7600df40851bf5f88ee04b77.exe	66

C:\Users\Admin\AppData\Local\Temp\c3afc8e746e4e322d66dca4db0fdf0c8357b14ce7600df40851bf5f88ee04b77.exe
"C:\Users\Admin\AppData\Local\Temp\c3afc8e746e4e322d66dca4db0fdf0c8357b14ce7600df40851bf5f88ee04b77.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:420
- C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Documents-T3M1.4.2.2\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Documents-T3M1.4.2.2.exe
  C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Documents-T3M1.4.2.2\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Documents-T3M1.4.2.2.exe
  2⤵
  - Executes dropped EXE
  PID:712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Documents-T3M1.4.2.2\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Documents-T3M1.4.2.2.exe

Filesize
757.0MB

MD5
ed0aa3d04af830de917fc010e3d434a8

SHA1
243d6cf0e54bf544ef16d233f82b3c3c8439c55a

SHA256
0e5baf9ab2c76ca1e3d75d4a684420a553e4df90c3009f8a2aa56bc59064aefa

SHA512
49501756796c889d9ad39dc729d923e0a22952f8d2056f13e0ce97e3032ab44fff67c8c83f01478d9ca6c4483dae32da7ca33fb11186a076cec56515c254bb0f

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Documents-T3M1.4.2.2\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Documents-T3M1.4.2.2.exe

Filesize
757.0MB

MD5
ed0aa3d04af830de917fc010e3d434a8

SHA1
243d6cf0e54bf544ef16d233f82b3c3c8439c55a

SHA256
0e5baf9ab2c76ca1e3d75d4a684420a553e4df90c3009f8a2aa56bc59064aefa

SHA512
49501756796c889d9ad39dc729d923e0a22952f8d2056f13e0ce97e3032ab44fff67c8c83f01478d9ca6c4483dae32da7ca33fb11186a076cec56515c254bb0f

Download Submit
memory/420-117-0x00007FF776EF0000-0x00007FF7775ED000-memory.dmp

Filesize
7.0MB

Download
memory/712-122-0x00007FF651A70000-0x00007FF65216D000-memory.dmp

Filesize
7.0MB

Download