c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f

Analysis

max time kernel
156s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2023 19:53

Target

c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
Size

680KB
MD5

4513b1451a2a8957c42bbc09ee5c1046
SHA1

6b7f9fff14ce0cb8f60dbcd8be14100e3bea9081
SHA256

c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f
SHA512

df88a2dbd2a8439a455a8ebcababba542c39eaee337c7281bbcd71aa418d6e718722636c6102cbe9f69071fa7dda9df98a5cf2b3bdd46102a99e5ad0a905128e
SSDEEP

12288:gYFBsdyQrOz4uwSI+KoiwMZPzPFQuh3a7KWh0ZPPD5VoxtFakcekVMWkVKtI2i4:gfyaA75I+1gzPFQAyPhkXDCSBerW7i23

Score

5^/10

Drops file in System32 directory 4 IoCs

Processes:

c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\opfileOneA	c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
File created	\??\c:\windows\SysWOW64\opfileOneA	c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
File created	\??\c:\windows\SysWOW64\yytmp1\ywsinid.files\25.bmp	c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
File created	\??\c:\windows\SysWOW64\syys7.1.6.3.syw	c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

Processes:

c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8	c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\EditFlags = "65536"	c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\EditFlags = "65536"	c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\EditFlags = "65536"	c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile	c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\isogg = "alrGady"	c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe

pid	process
1964	c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe
1964	c313e4ce863e7c944c3985c9bddb71727ef2e7bb0c1a2bc262620041109ca11f.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1964-133-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1964-135-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1964-138-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download