5da3df88c52c3ceba281842b431c20d0f35fbcb8739e789fe6fee39bcb0a1443

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2023, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5da3df88c52c3ceba281842b431c20d0f35fbcb8739e789fe6fee39bcb0a1443.exe
Size

653KB
MD5

865f5d2c00bf96b95319d42d007bea2a
SHA1

b553c2e73d7ab9459e77a00ae5b36b56e13ada22
SHA256

5da3df88c52c3ceba281842b431c20d0f35fbcb8739e789fe6fee39bcb0a1443
SHA512

96242a18d788c3b3c17461fcf7a3b0c8fc11af697a93a6c429e0d92bb8cdb46e27490b446921ad4d3b6061d5d41be50eea8d7381ddd42f1a80afd6f907e3c5ab
SSDEEP

12288:g3F4L16JYy/3lTjrN+PU1MQvq8hut0M2niS2SBKXK0NSDw:g3Fa1PcjrNpMYfct0M2nGeWck

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3064	TypeId

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3064 set thread context of 3464	3064	TypeId	91

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3464	RegAsm.exe
3464	RegAsm.exe
3464	RegAsm.exe
3464	RegAsm.exe
3464	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	5da3df88c52c3ceba281842b431c20d0f35fbcb8739e789fe6fee39bcb0a1443.exe
Token: SeDebugPrivilege	3064	TypeId
Token: SeDebugPrivilege	3464	RegAsm.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 3464	3064	TypeId	91
PID 3064 wrote to memory of 3464	3064	TypeId	91
PID 3064 wrote to memory of 3464	3064	TypeId	91
PID 3064 wrote to memory of 3464	3064	TypeId	91
PID 3064 wrote to memory of 3464	3064	TypeId	91
PID 3064 wrote to memory of 3464	3064	TypeId	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5da3df88c52c3ceba281842b431c20d0f35fbcb8739e789fe6fee39bcb0a1443.exe
"C:\Users\Admin\AppData\Local\Temp\5da3df88c52c3ceba281842b431c20d0f35fbcb8739e789fe6fee39bcb0a1443.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Users\Admin\AppData\Roaming\FileSection\TypeId
C:\Users\Admin\AppData\Roaming\FileSection\TypeId
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FileSection\TypeId

Filesize
653KB

MD5
865f5d2c00bf96b95319d42d007bea2a

SHA1
b553c2e73d7ab9459e77a00ae5b36b56e13ada22

SHA256
5da3df88c52c3ceba281842b431c20d0f35fbcb8739e789fe6fee39bcb0a1443

SHA512
96242a18d788c3b3c17461fcf7a3b0c8fc11af697a93a6c429e0d92bb8cdb46e27490b446921ad4d3b6061d5d41be50eea8d7381ddd42f1a80afd6f907e3c5ab

Download Submit
C:\Users\Admin\AppData\Roaming\FileSection\TypeId

Filesize
653KB

MD5
865f5d2c00bf96b95319d42d007bea2a

SHA1
b553c2e73d7ab9459e77a00ae5b36b56e13ada22

SHA256
5da3df88c52c3ceba281842b431c20d0f35fbcb8739e789fe6fee39bcb0a1443

SHA512
96242a18d788c3b3c17461fcf7a3b0c8fc11af697a93a6c429e0d92bb8cdb46e27490b446921ad4d3b6061d5d41be50eea8d7381ddd42f1a80afd6f907e3c5ab

Download Submit
memory/1812-174-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-164-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-138-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-140-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-142-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-144-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-146-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-148-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-150-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-152-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-154-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-156-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-158-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-182-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-162-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-180-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-166-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-168-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-170-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-172-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-133-0x000002593C3F0000-0x000002593C498000-memory.dmp

Filesize
672KB

Download
memory/1812-176-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-136-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-178-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-160-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-184-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-186-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-188-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-190-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-192-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-194-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-196-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-198-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-1637-0x000002593E2B0000-0x000002593E2C0000-memory.dmp

Filesize
64KB

Download
memory/1812-135-0x000002593E2C0000-0x000002593E3C8000-memory.dmp

Filesize
1.0MB

Download
memory/1812-134-0x000002593E2B0000-0x000002593E2C0000-memory.dmp

Filesize
64KB

Download
memory/3064-3150-0x00000223A2170000-0x00000223A2180000-memory.dmp

Filesize
64KB

Download
memory/3064-5371-0x00000223A2170000-0x00000223A2180000-memory.dmp

Filesize
64KB

Download
memory/3464-5883-0x0000021105670000-0x0000021105680000-memory.dmp

Filesize
64KB

Download
memory/3464-8659-0x0000021105670000-0x0000021105680000-memory.dmp

Filesize
64KB

Download
memory/3464-8660-0x0000021105670000-0x0000021105680000-memory.dmp

Filesize
64KB

Download
memory/3464-8661-0x0000021105670000-0x0000021105680000-memory.dmp

Filesize
64KB

Download
memory/3464-8662-0x0000021105670000-0x0000021105680000-memory.dmp

Filesize
64KB

Download
memory/3464-8663-0x0000021105670000-0x0000021105680000-memory.dmp

Filesize
64KB

Download
memory/3464-8664-0x0000021105670000-0x0000021105680000-memory.dmp

Filesize
64KB

Download