0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1.exe
Size

6.7MB
MD5

6df3ac327d57f3f1ea52cc162350d481
SHA1

5bec9ce8cf5f7486f351804c1aea89a1f6b0b518
SHA256

0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1
SHA512

d7df5bc101804114e39f4e47f24bb54e94444b9099b527c950ae03c845336976cf7fc901f8ee2e66a4cb57444b6d1c9b27fea5ebb1a7540eb89b33e1d753a794
SSDEEP

98304:EzU6RfJcbzmthjLx7qkrHi5mthum46ORSmth9:OBcbzmZ9mmim4cmx

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\1.exe"	0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2956	0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1.exe
2956	0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1.exe
2956	0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1.exe
2956	0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2956	0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1.exe
2956	0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2236	2956	0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1.exe	28
PID 2956 wrote to memory of 2236	2956	0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1.exe	28
PID 2956 wrote to memory of 2236	2956	0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1.exe	28
PID 2956 wrote to memory of 2236	2956	0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1.exe	28

C:\Users\Admin\AppData\Local\Temp\0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1.exe
"C:\Users\Admin\AppData\Local\Temp\0f65d54b0c57dfcf752a7bffcf6bbe7f21e79c5f0498910e7842cc711a50b0e1.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Reallusion_Block.bat
  2⤵
  - Drops file in Drivers directory
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Reallusion_Block.bat

Filesize
960B

MD5
1f4687236061ae5530baad0ac9bb68c2

SHA1
54b34e8c0c17b2de2f722cec52f9cd173d2b19ac

SHA256
952ec9616e5b70b570daae1d61f1206f70749dfcbf3cbe87e7ba05846e6b8cab

SHA512
76f3216c3f97711102e278e5bf229905fdcd9450ec62944ecc170dc16fbc0ff9a93dffe0f8eb5cb330a878f9cf52d125cbd2fcedb13dbd86869ea045b8d92620

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reallusion_Block.bat

Filesize
960B

MD5
1f4687236061ae5530baad0ac9bb68c2

SHA1
54b34e8c0c17b2de2f722cec52f9cd173d2b19ac

SHA256
952ec9616e5b70b570daae1d61f1206f70749dfcbf3cbe87e7ba05846e6b8cab

SHA512
76f3216c3f97711102e278e5bf229905fdcd9450ec62944ecc170dc16fbc0ff9a93dffe0f8eb5cb330a878f9cf52d125cbd2fcedb13dbd86869ea045b8d92620

Download Submit