58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
28/08/2023, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787.exe
Size

467KB
MD5

b657d69238615cd51ae65a4b2f01b05f
SHA1

6969b7e49cfcb5210561ff76bd79261241b52ad5
SHA256

58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787
SHA512

5c478c849458909e9744fc6e5ce5e381295943e38ddd95c78e3fa4a22b6010dc63002de02c6dd78576dd9474e33450ed1bafe5936b120be65b048228ab6a877f
SSDEEP

6144:PQMmnhjxlYA2kBwpmPIr9vuMgNZ/ZFGp3bW6nhsch:DmnZvYJkCpmQkl/ZG

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\Serverx = "C:\\Windows\\system32\\Serverx.exe"	58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Serverx.exe	58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787.exe
File opened for modification	C:\Windows\SysWOW64\Serverx.exe	58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2688	2224	58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787.exe	28
PID 2224 wrote to memory of 2688	2224	58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787.exe	28
PID 2224 wrote to memory of 2688	2224	58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787.exe	28
PID 2224 wrote to memory of 2688	2224	58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787.exe	28
PID 2224 wrote to memory of 1280	2224	58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787.exe	11
PID 2224 wrote to memory of 1280	2224	58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787.exe	11

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1280
- C:\Users\Admin\AppData\Local\Temp\58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787.exe
  "C:\Users\Admin\AppData\Local\Temp\58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787.exe
    "C:\Users\Admin\AppData\Local\Temp\58e4029d92d4d2cb49c44b017f3bf45ff1342338dd5b035c4acaff7fea9aa787.exe"
    3⤵
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1280-3-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/1280-4-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/2224-0-0x0000000000D70000-0x0000000000DE9A43-memory.dmp

Filesize
486KB

Download
memory/2224-1-0x00000000002F0000-0x000000000036A000-memory.dmp

Filesize
488KB

Download
memory/2224-5-0x0000000000D70000-0x0000000000DE9A43-memory.dmp

Filesize
486KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads