7f853598248a57ecf304e54559a24eb7b1a9f073069a47e4183f8509afef098d

Analysis

max time kernel
137s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2023, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gfgdfgdggdgfgdfgd.exe
Size

430KB
MD5

a48fa285a9ee385a050f1f097f18a527
SHA1

22040d95ecc49dc2e7c72d40b55630b15e8501f2
SHA256

7f853598248a57ecf304e54559a24eb7b1a9f073069a47e4183f8509afef098d
SHA512

7386b6f25eff76907d7aa2bee0f7046980bbc6e1a90c9220de203423c856db674c30e85f7f05909bf1e63ce8aa5e8b7101abcb50fc94ba37e1c895aeb5381766
SSDEEP

6144:wvyLRt8hVv5mKnGu7HdiLH2usbbm1/zMscCQe5IWzp+vepIyl/j6MammD:PttuRUKnGu794HhsuRzMq5SyQM+D

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4736	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1568 set thread context of 4256	1568	gfgdfgdggdgfgdfgd.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4256	AppLaunch.exe
4256	AppLaunch.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 4256	1568	gfgdfgdggdgfgdfgd.exe	86
PID 1568 wrote to memory of 4256	1568	gfgdfgdggdgfgdfgd.exe	86
PID 1568 wrote to memory of 4256	1568	gfgdfgdggdgfgdfgd.exe	86
PID 1568 wrote to memory of 4256	1568	gfgdfgdggdgfgdfgd.exe	86
PID 1568 wrote to memory of 4256	1568	gfgdfgdggdgfgdfgd.exe	86
PID 4256 wrote to memory of 4736	4256	AppLaunch.exe	94
PID 4256 wrote to memory of 4736	4256	AppLaunch.exe	94
PID 4256 wrote to memory of 4736	4256	AppLaunch.exe	94

C:\Users\Admin\AppData\Local\Temp\gfgdfgdggdgfgdfgd.exe
"C:\Users\Admin\AppData\Local\Temp\gfgdfgdggdgfgdfgd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Executes dropped EXE
    PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
718.1MB

MD5
ec9f6999d662e4afb1a33b9b3e950e8e

SHA1
2ea5da82b00e47bc02f21c8417570bad78f77a4e

SHA256
489e47e99f585f0ce446eb412e113e88fc90ae57439f021edbc6ba6708a3764d

SHA512
0d899d68db0237ac7855b0883ad6597602a4ed800a907035b114f104ecc33fd730d464684da9ad73b208fc5f43af0975c57c6dc9bd126d2df84aa917a2e976da

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
554.4MB

MD5
91d6258ba9b6f8c218b71c842d697183

SHA1
5e0c3b51a5f9b964590ae0a519ee7ab00c4c7a3b

SHA256
f7bb306575730843933c3691a743645566ec11c8c0420c0e619ac42643567194

SHA512
aefd29a63f15f206839c9bead7227c2d163067ab57d650cb44ae04c2e80407bcd8964dec347b51611c81b96f392b138d964216b55bcdc64e94152cfc0695cc68

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
541.8MB

MD5
ff30fe38f58434236487d76bf3f314af

SHA1
a1e47cf9301801d4fb01bb7f87fd623f7ef0fe0c

SHA256
43e12f6c10673457cf4cbbc29ec5570c8e874f8d2c861692e2a3e123c1b6e429

SHA512
2183c4ce9baeaf340a8043efdd6ad0d13ebf28f070e1c84d9f3742c95d6a9c76d52e7077dc1c5e1b735cfea597c30c5f280a02336a2dcf6ed1c9410b0f74f0bf

Download Submit
memory/1568-134-0x00000000000A0000-0x00000000001A0000-memory.dmp

Filesize
1024KB

Download
memory/4256-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download