958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85

Analysis

max time kernel
118s
max time network
159s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
Size

92KB
MD5

e045e83810f36e30eca3e03696f0c1ce
SHA1

73e68fa6c694db3a72519f25acf32821b6d1cb4c
SHA256

958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85
SHA512

5f2f93123f1b0b6f471ac8f873498c19325000b5d647bba0aafcaa808a7eb60fc5ba483c0fb1ea138d97841dc5bc1bab7cb751884a8712c9832751c51395340e
SSDEEP

768:3EsZFM3OUfWBlC3DOHvkeM9XhKuKuzGYM3S9wK5NSbIB4Sa6Eko2MCXWy3V/nr:3m3DoBuSvkxP8ZSa6THmyJ

Score

8^/10

Malware Config

Signatures

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1732	958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe

C:\Users\Admin\AppData\Local\Temp\958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe
"C:\Users\Admin\AppData\Local\Temp\958ee6dd3ca1f8f784cd515f701142f47dbd32bfe58200f6aed099742f826c85.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1732-0-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download