865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04/10/2023, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe.exe
Size

502KB
MD5

4a294b3b36f9c369f009b21dafc72f51
SHA1

c040e23589af4b71cacca20edad6432d444ed020
SHA256

865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe
SHA512

7de1cadaa2e6c9118295853c578c032ff27fb62de7da9116a90357d7fc20dd4ab06585c9c208a3a9fcc7d0538006c05b7cc1e2bd7c9d7b3439c0a776437449e7
SSDEEP

6144:jvGdSWgpAQ9cM2/cNybU/WxcGDLfe1dmOvJ2pd2rLpp9lGTuaqdp+sG9uk:ydSWgmq1/ybU/W+EUFvJ5rr9l

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\Serverx = "C:\\Windows\\system32\\Serverx.exe"	865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Serverx.exe	865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe.exe
File opened for modification	C:\Windows\SysWOW64\Serverx.exe	865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 3060	2804	865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe.exe	28
PID 2804 wrote to memory of 3060	2804	865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe.exe	28
PID 2804 wrote to memory of 3060	2804	865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe.exe	28
PID 2804 wrote to memory of 3060	2804	865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe.exe	28
PID 2804 wrote to memory of 1208	2804	865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe.exe	13
PID 2804 wrote to memory of 1208	2804	865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe.exe	13

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe.exe
  "C:\Users\Admin\AppData\Local\Temp\865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe.exe
    "C:\Users\Admin\AppData\Local\Temp\865f8d349d918bd847605aa4f35b2600bfaf7a5b9d6dba32bbb39c3338233bbe.exe"
    3⤵
    PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1208-3-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/1208-4-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2804-0-0x0000000001330000-0x00000000013B6000-memory.dmp

Filesize
536KB

Download
memory/2804-5-0x0000000001330000-0x00000000013B6000-memory.dmp

Filesize
536KB

Download
memory/3060-1-0x0000000001330000-0x00000000013B6000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads