8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2023 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe
Size

452KB
MD5

92a3a098b62521f13c386245bb1cc5e5
SHA1

7f7b1daafde5fe90a886314844a4e408e0d2a127
SHA256

8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42
SHA512

56209cc9c17c55c19561d6c885ff93dacb1ac4dffce2b2644d4e0a72f87363d021a879200a3412bcc7492b37165e58737be16f37e47a696e2f3ae9844dd54dc6
SSDEEP

12288:hwBwfw5222222222m522222222205222222222Irfkl/lm:hwhrO4

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
1924	taskkill.exe
4048	taskkill.exe
2748	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4660	regedit.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4048	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	2748	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3164	8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 2368	3164	8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe	83
PID 3164 wrote to memory of 2368	3164	8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe	83
PID 3164 wrote to memory of 2368	3164	8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe	83
PID 3164 wrote to memory of 824	3164	8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe	84
PID 3164 wrote to memory of 824	3164	8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe	84
PID 3164 wrote to memory of 824	3164	8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe	84
PID 3164 wrote to memory of 1404	3164	8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe	87
PID 3164 wrote to memory of 1404	3164	8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe	87
PID 3164 wrote to memory of 1404	3164	8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe	87
PID 824 wrote to memory of 1924	824	cmd.exe	89
PID 824 wrote to memory of 1924	824	cmd.exe	89
PID 824 wrote to memory of 1924	824	cmd.exe	89
PID 2368 wrote to memory of 4048	2368	cmd.exe	90
PID 2368 wrote to memory of 4048	2368	cmd.exe	90
PID 2368 wrote to memory of 4048	2368	cmd.exe	90
PID 1404 wrote to memory of 2748	1404	cmd.exe	91
PID 1404 wrote to memory of 2748	1404	cmd.exe	91
PID 1404 wrote to memory of 2748	1404	cmd.exe	91
PID 3164 wrote to memory of 2736	3164	8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe	99
PID 3164 wrote to memory of 2736	3164	8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe	99
PID 3164 wrote to memory of 2736	3164	8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe	99
PID 2736 wrote to memory of 4660	2736	cmd.exe	101
PID 2736 wrote to memory of 4660	2736	cmd.exe	101
PID 2736 wrote to memory of 4660	2736	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe
"C:\Users\Admin\AppData\Local\Temp\8fa1a3674e85e86ea0ecbee1580deac02dbfbb28fc459d0c55d5575e780e0c42.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im wallpaper32.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wallpaper32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Steam++.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Steam++.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Steam++.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Steam++.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c regedit.exe /s%1 c:\temp\mysql_odbc_3_5.reg
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s%1 c:\temp\mysql_odbc_3_5.reg
    3⤵
    - Runs .reg file with regedit
    PID:4660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\temp\mysql_odbc_3_5.reg

Filesize
2KB

MD5
4acfac30e6268564c81be826e5eab3b8

SHA1
e8bfe4c3baf80dd222161f0caa8aeecd86d38036

SHA256
fa71e54c310cdb497cb0c31a6ad6df7b27046b1595bcefd35553a91113d66473

SHA512
d119b0008dadb5f52467bb58468a1ebdf3a8c8348219f634122e1c34c63810da7a5464d8133fd047773a461e74468d61ecef312d308dfdb6be08f727415712fd

Download Submit