93b0d4d0ed704c41d6480da0c19a8650b7e787b4683a45c7e793fa7a42a10a11

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2023, 05:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

93b0d4d0ed704c41d6480da0c19a8650b7e787b4683a45c7e793fa7a42a10a11.exe
Size

7.1MB
MD5

3c149f221df121353ca22345d3ef9d3e
SHA1

cd658f613032361512b65c3fb4697e609239acce
SHA256

93b0d4d0ed704c41d6480da0c19a8650b7e787b4683a45c7e793fa7a42a10a11
SHA512

0da0554f8826e5e09a07fe5b4a6702e51d62c6260f36ae462f925ba31770ff6357171a764681f4502033c5de976d4262808c509a4dfd4a6702fe31b3b7e5f571
SSDEEP

98304:pwhP2Law5h7ED1Ie3cxiBzZj8uQuyTs35U4x/z5fatahNeK6:pwhPpsASeoQjDA65UWb9atahMD

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1496	USOPrivatessh-JRT7I3.5.9.8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USOPrivatessh-JRT7I3.5.9.8 = "C:\\ProgramData\\USOPrivatessh-JRT7I3.5.9.8\\USOPrivatessh-JRT7I3.5.9.8.exe"	93b0d4d0ed704c41d6480da0c19a8650b7e787b4683a45c7e793fa7a42a10a11.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	93b0d4d0ed704c41d6480da0c19a8650b7e787b4683a45c7e793fa7a42a10a11.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 1496	4224	93b0d4d0ed704c41d6480da0c19a8650b7e787b4683a45c7e793fa7a42a10a11.exe	82
PID 4224 wrote to memory of 1496	4224	93b0d4d0ed704c41d6480da0c19a8650b7e787b4683a45c7e793fa7a42a10a11.exe	82

C:\Users\Admin\AppData\Local\Temp\93b0d4d0ed704c41d6480da0c19a8650b7e787b4683a45c7e793fa7a42a10a11.exe
"C:\Users\Admin\AppData\Local\Temp\93b0d4d0ed704c41d6480da0c19a8650b7e787b4683a45c7e793fa7a42a10a11.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4224
- C:\ProgramData\USOPrivatessh-JRT7I3.5.9.8\USOPrivatessh-JRT7I3.5.9.8.exe
  C:\ProgramData\USOPrivatessh-JRT7I3.5.9.8\USOPrivatessh-JRT7I3.5.9.8.exe
  2⤵
  - Executes dropped EXE
  PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\USOPrivatessh-JRT7I3.5.9.8\USOPrivatessh-JRT7I3.5.9.8.exe

Filesize
7.1MB

MD5
3c149f221df121353ca22345d3ef9d3e

SHA1
cd658f613032361512b65c3fb4697e609239acce

SHA256
93b0d4d0ed704c41d6480da0c19a8650b7e787b4683a45c7e793fa7a42a10a11

SHA512
0da0554f8826e5e09a07fe5b4a6702e51d62c6260f36ae462f925ba31770ff6357171a764681f4502033c5de976d4262808c509a4dfd4a6702fe31b3b7e5f571

Download Submit
C:\ProgramData\USOPrivatessh-JRT7I3.5.9.8\USOPrivatessh-JRT7I3.5.9.8.exe

Filesize
7.1MB

MD5
3c149f221df121353ca22345d3ef9d3e

SHA1
cd658f613032361512b65c3fb4697e609239acce

SHA256
93b0d4d0ed704c41d6480da0c19a8650b7e787b4683a45c7e793fa7a42a10a11

SHA512
0da0554f8826e5e09a07fe5b4a6702e51d62c6260f36ae462f925ba31770ff6357171a764681f4502033c5de976d4262808c509a4dfd4a6702fe31b3b7e5f571

Download Submit
memory/1496-138-0x00007FF7EE860000-0x00007FF7EEF7A000-memory.dmp

Filesize
7.1MB

Download
memory/4224-133-0x00007FF68AF60000-0x00007FF68B67A000-memory.dmp

Filesize
7.1MB

Download