da5bd0c1bf817c7df91d142ba39b304a790f39387c2cdfbdf4e1dbfff1e7c6ac

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 15:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

easy_Malicious_1e97960dd69bff8b0354331026248e395dcc68dd784e3300536dd725ae7b84cb.exe
Size

32KB
MD5

46ecae36babdc327eca9163ae37bc05f
SHA1

150039c738ce7e98d880933551e9fbe6ff36a1a5
SHA256

da5bd0c1bf817c7df91d142ba39b304a790f39387c2cdfbdf4e1dbfff1e7c6ac
SHA512

87750daa01c23b07b7be7e6e590e3b511c866efa09d8c7e8ed0279613762abf0d9519595fb1104d23e08bd38c3dc666f7e8b1013f993288f5f37dd8663a44add
SSDEEP

384:f98xUHQsj4jOy4/q8zLeiuerbAZXSHkesR16dZteB5wwlthf:WwMOBqopiiHkr4rQ6wZf

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinHttp = "C:\\Users\\Admin\\AppData\\Local\\WinHttp.exe"	regedit.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 512 set thread context of 2752	512	easy_Malicious_1e97960dd69bff8b0354331026248e395dcc68dd784e3300536dd725ae7b84cb.exe	84

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4960	2752	WerFault.exe	84

Runs .reg file with regedit 1 IoCs

pid	Process
4252	regedit.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
512	easy_Malicious_1e97960dd69bff8b0354331026248e395dcc68dd784e3300536dd725ae7b84cb.exe
512	easy_Malicious_1e97960dd69bff8b0354331026248e395dcc68dd784e3300536dd725ae7b84cb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 4252	512	easy_Malicious_1e97960dd69bff8b0354331026248e395dcc68dd784e3300536dd725ae7b84cb.exe	81
PID 512 wrote to memory of 4252	512	easy_Malicious_1e97960dd69bff8b0354331026248e395dcc68dd784e3300536dd725ae7b84cb.exe	81
PID 512 wrote to memory of 4252	512	easy_Malicious_1e97960dd69bff8b0354331026248e395dcc68dd784e3300536dd725ae7b84cb.exe	81
PID 512 wrote to memory of 2752	512	easy_Malicious_1e97960dd69bff8b0354331026248e395dcc68dd784e3300536dd725ae7b84cb.exe	84
PID 512 wrote to memory of 2752	512	easy_Malicious_1e97960dd69bff8b0354331026248e395dcc68dd784e3300536dd725ae7b84cb.exe	84
PID 512 wrote to memory of 2752	512	easy_Malicious_1e97960dd69bff8b0354331026248e395dcc68dd784e3300536dd725ae7b84cb.exe	84
PID 512 wrote to memory of 2752	512	easy_Malicious_1e97960dd69bff8b0354331026248e395dcc68dd784e3300536dd725ae7b84cb.exe	84
PID 512 wrote to memory of 2752	512	easy_Malicious_1e97960dd69bff8b0354331026248e395dcc68dd784e3300536dd725ae7b84cb.exe	84

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_1e97960dd69bff8b0354331026248e395dcc68dd784e3300536dd725ae7b84cb.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_1e97960dd69bff8b0354331026248e395dcc68dd784e3300536dd725ae7b84cb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:512
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4252
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 12
    3⤵
    - Program crash
    PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2752 -ip 2752
1⤵
PID:3832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Filesize
166B

MD5
f44153ef26be29552cf320325ad8b72e

SHA1
74ac72ba2ff0f871e59b11c95ad707372662370c

SHA256
767009fb8726500a4bc54b2ee744cc3ada64fdf16a44e22ff9dfe7652e2a439f

SHA512
1d42a4dba1d8d0df9f8fedfba384ffdbcff3103c8ba360f255b5d7e8a46128f40521e4d16cf6de04365b3b6ffad8bc681cf7042d92867ab3d912601a3d5e6e65

Download Submit
C:\Users\Admin\AppData\Local\WinHttp.exe

Filesize
32KB

MD5
91667e6223cc79a835eb972c927e3f6f

SHA1
8a2ba48d1d2e58e8efaaf7eb3dfac252aa68cbea

SHA256
4413c8bffb33b26db6d965ac864a83d522c46622f3da66126f240f912fb30da6

SHA512
2dfaa41a0c9002fa9a5ae108f0c94758c54d4977e2e2c11d0d86848e5a1cbd3c2fc7644557748d57d3c48b9516e80a1d87db902a8b01a9ce74fc108d2624f798

Download Submit
memory/512-133-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/512-144-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2752-136-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download