1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622

Analysis

max time kernel
103s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2023 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622.exe
Size

259KB
MD5

ee548df58c325361eea9bc017a0169ab
SHA1

0fe0cfad99cac484a3444d768a76384668b88793
SHA256

1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622
SHA512

7887e9b6b64cc0d0d547ecba0795770f351f2d14ac9205d7ca1623eec5b91d66fb4e40277a49a850ee277412769744583298247531d8ab0e2b3bef3651a5555d
SSDEEP

6144:/Ya6GNCyenLM25dCdLuvJqai4wojivh6NtR+Fb15ryCUg4aV:/YoN7t2PMLuvJqf4ZFXR+R1pyfK

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
416	1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bwgp = "C:\\Users\\Admin\\AppData\\Roaming\\rnwgclhqavf\\ojsoxhdmvr.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\1ef60e7809944b7d3e6b66257eb170c8c38eb"	1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 416 set thread context of 644	416	1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
644	1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622.exe
644	1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
416	1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 644	416	1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622.exe	83
PID 416 wrote to memory of 644	416	1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622.exe	83
PID 416 wrote to memory of 644	416	1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622.exe	83
PID 416 wrote to memory of 644	416	1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622.exe	83

C:\Users\Admin\AppData\Local\Temp\1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622.exe
"C:\Users\Admin\AppData\Local\Temp\1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:416
- C:\Users\Admin\AppData\Local\Temp\1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622.exe
  "C:\Users\Admin\AppData\Local\Temp\1ef60e7809944b7d3e6b66257eb170c8c38eb18ae8936e044609b22f7b6f4622.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsgB04C.tmp\yppsaeuezg.dll

Filesize
6KB

MD5
dc6b1bc615088434d12be079fff851d8

SHA1
9bc9117ec631ca8236eddedaf6cb66115e8088d0

SHA256
7ffd186d217ecc7a354aae10d9171697f7a213e6b9f17573aa8e11191fa15e04

SHA512
30c669ec842e84c799c4e5b909f274065cea5ea1d56155a7f1614abdf5f68859cf0ef10a0cd95415c457315669ae3c413c102acfb342434aaba450dcbde42ce8

Download Submit
memory/644-140-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/644-141-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/644-144-0x00000000009E0000-0x0000000000D2A000-memory.dmp

Filesize
3.3MB

Download