59d7b6f6a130425f7d3e3a0a066c0c666e17a46ce959e0d40e06c7b136995259

Analysis

max time kernel
134s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

068eeb69469cdb756738113601192484_JC.exe
Size

201KB
MD5

068eeb69469cdb756738113601192484
SHA1

2f1437bcc06f581799cf0d2e50e53b9d93935e0d
SHA256

59d7b6f6a130425f7d3e3a0a066c0c666e17a46ce959e0d40e06c7b136995259
SHA512

ab333a848d6006845fa8bf2ff32a34fdac46cf935656b91a57ee7ce49ed4bcfc2d2601f9bdb3da2f767e330fce09c40e7051213619af0ec11774f80489c25c9d
SSDEEP

3072:bwY3fIeBfbyt7GVMgq0sKPf24/KASZ1d6axe8R6:kEfbH+gq5K24/zuske8R6

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\5785619465506909	068eeb69469cdb756738113601192484_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\5785619465506909\stubpath = "C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\apple.exe"	068eeb69469cdb756738113601192484_JC.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Apple\Mobile Device Support\apple.exe	068eeb69469cdb756738113601192484_JC.exe
File opened for modification	C:\Program Files\Common Files\Apple\Mobile Device Support\apple.exe	068eeb69469cdb756738113601192484_JC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 3840	1092	068eeb69469cdb756738113601192484_JC.exe	85
PID 1092 wrote to memory of 3840	1092	068eeb69469cdb756738113601192484_JC.exe	85
PID 1092 wrote to memory of 3840	1092	068eeb69469cdb756738113601192484_JC.exe	85
PID 1092 wrote to memory of 1728	1092	068eeb69469cdb756738113601192484_JC.exe	98
PID 1092 wrote to memory of 1728	1092	068eeb69469cdb756738113601192484_JC.exe	98
PID 1092 wrote to memory of 1728	1092	068eeb69469cdb756738113601192484_JC.exe	98

C:\Users\Admin\AppData\Local\Temp\068eeb69469cdb756738113601192484_JC.exe
"C:\Users\Admin\AppData\Local\Temp\068eeb69469cdb756738113601192484_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\5785619465506909" /f
  2⤵
  PID:3840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1.bat
  2⤵
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
133B

MD5
424089cb8c58e73d4011aec89d1db816

SHA1
14d8983406770eb23d131127ec7415a83f781610

SHA256
3a01ac2d6fa7ef6a26ea18b602318179ff4292e6ff57b8a40ad01a93e7c2a10b

SHA512
557254a78401a37415cdfda85c65c1cce42de97777a7ca0223805441bacbe765c5081589fb26b5db93c9d58f146036ef6580fa930867f81595b157a1894551c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads