c1f2730c025e48c6900ca721ff01a76e2c617d2d3817e01118ffe3f9eae946ec

Analysis

max time kernel
146s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
29-05-2023 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1f2730c025e48c6900ca721ff01a76e2c617d2d3817e01118ffe3f9eae946ec.exe
Size

7.1MB
MD5

5edb95160a9a3c15bf3419ec6382e9e3
SHA1

3906e8affad47c8377c13c355df0cf732be5a7c5
SHA256

c1f2730c025e48c6900ca721ff01a76e2c617d2d3817e01118ffe3f9eae946ec
SHA512

35279852e35d77957e7778b89f130fb564793faabb79147bbd5f35fa53bd1c1569fe6415b629db2da25ae081f8be5f0608faeaddf3d17f45be145d0c46f54d4d
SSDEEP

98304:2aFwfgSa0rogZ+4nw3kfWHh3NSz+ylOaoK3RAKbpMziNCxY:2MwZ9oG+Qw2WHhczthBAcpMGNe

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4152	DocumentsTemplates-0A1G56.6.9.7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run	c1f2730c025e48c6900ca721ff01a76e2c617d2d3817e01118ffe3f9eae946ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\DocumentsTemplates-0A1G56.6.9.7 = "C:\\ProgramData\\DocumentsTemplates-0A1G56.6.9.7\\DocumentsTemplates-0A1G56.6.9.7.exe"	c1f2730c025e48c6900ca721ff01a76e2c617d2d3817e01118ffe3f9eae946ec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 4152	3636	c1f2730c025e48c6900ca721ff01a76e2c617d2d3817e01118ffe3f9eae946ec.exe	66
PID 3636 wrote to memory of 4152	3636	c1f2730c025e48c6900ca721ff01a76e2c617d2d3817e01118ffe3f9eae946ec.exe	66

C:\Users\Admin\AppData\Local\Temp\c1f2730c025e48c6900ca721ff01a76e2c617d2d3817e01118ffe3f9eae946ec.exe
"C:\Users\Admin\AppData\Local\Temp\c1f2730c025e48c6900ca721ff01a76e2c617d2d3817e01118ffe3f9eae946ec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3636
- C:\ProgramData\DocumentsTemplates-0A1G56.6.9.7\DocumentsTemplates-0A1G56.6.9.7.exe
  C:\ProgramData\DocumentsTemplates-0A1G56.6.9.7\DocumentsTemplates-0A1G56.6.9.7.exe
  2⤵
  - Executes dropped EXE
  PID:4152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DocumentsTemplates-0A1G56.6.9.7\DocumentsTemplates-0A1G56.6.9.7.exe

Filesize
7.1MB

MD5
5edb95160a9a3c15bf3419ec6382e9e3

SHA1
3906e8affad47c8377c13c355df0cf732be5a7c5

SHA256
c1f2730c025e48c6900ca721ff01a76e2c617d2d3817e01118ffe3f9eae946ec

SHA512
35279852e35d77957e7778b89f130fb564793faabb79147bbd5f35fa53bd1c1569fe6415b629db2da25ae081f8be5f0608faeaddf3d17f45be145d0c46f54d4d

Download Submit
C:\ProgramData\DocumentsTemplates-0A1G56.6.9.7\DocumentsTemplates-0A1G56.6.9.7.exe

Filesize
7.1MB

MD5
5edb95160a9a3c15bf3419ec6382e9e3

SHA1
3906e8affad47c8377c13c355df0cf732be5a7c5

SHA256
c1f2730c025e48c6900ca721ff01a76e2c617d2d3817e01118ffe3f9eae946ec

SHA512
35279852e35d77957e7778b89f130fb564793faabb79147bbd5f35fa53bd1c1569fe6415b629db2da25ae081f8be5f0608faeaddf3d17f45be145d0c46f54d4d

Download Submit
memory/3636-119-0x00007FF7DD310000-0x00007FF7DDA2B000-memory.dmp

Filesize
7.1MB

Download
memory/4152-124-0x00007FF7A9370000-0x00007FF7A9A8B000-memory.dmp

Filesize
7.1MB

Download