d30cd22e610011cb9d8f04c076853630d0a0a43852407e7658d31db70503bc8b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2023, 15:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d30cd22e610011cb9d8f04c076853630d0a0a43852407e7658d31db70503bc8b.exe
Size

1.3MB
MD5

c2ab7053982e6a9e21357ec0e81407ec
SHA1

ac4037d9799802ae6ce2a31ada405ebbd30ad8e3
SHA256

d30cd22e610011cb9d8f04c076853630d0a0a43852407e7658d31db70503bc8b
SHA512

167b37cb536b894820127d519a1b9814deb634ec569f641d03f75592c6d1bac51a98a01013e89490f6b070909d2340c540169e4b6b229b0def0c8af3fc800ee0
SSDEEP

24576:NmmEs2wqfcRBxJCBEmAMpCOJMbgp2kvB1Pj5R+d3ThJgrU35Zln2i6:8dw/IyPxbgp2iB1Pju3TIrK5Zln2i6

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	d30cd22e610011cb9d8f04c076853630d0a0a43852407e7658d31db70503bc8b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	d30cd22e610011cb9d8f04c076853630d0a0a43852407e7658d31db70503bc8b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4756	schtasks.exe
3816	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4756	3016	d30cd22e610011cb9d8f04c076853630d0a0a43852407e7658d31db70503bc8b.exe	87
PID 3016 wrote to memory of 4756	3016	d30cd22e610011cb9d8f04c076853630d0a0a43852407e7658d31db70503bc8b.exe	87
PID 3016 wrote to memory of 4756	3016	d30cd22e610011cb9d8f04c076853630d0a0a43852407e7658d31db70503bc8b.exe	87
PID 3016 wrote to memory of 3816	3016	d30cd22e610011cb9d8f04c076853630d0a0a43852407e7658d31db70503bc8b.exe	90
PID 3016 wrote to memory of 3816	3016	d30cd22e610011cb9d8f04c076853630d0a0a43852407e7658d31db70503bc8b.exe	90
PID 3016 wrote to memory of 3816	3016	d30cd22e610011cb9d8f04c076853630d0a0a43852407e7658d31db70503bc8b.exe	90

C:\Users\Admin\AppData\Local\Temp\d30cd22e610011cb9d8f04c076853630d0a0a43852407e7658d31db70503bc8b.exe
"C:\Users\Admin\AppData\Local\Temp\d30cd22e610011cb9d8f04c076853630d0a0a43852407e7658d31db70503bc8b.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4756
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

Filesize
1.3MB

MD5
c2ab7053982e6a9e21357ec0e81407ec

SHA1
ac4037d9799802ae6ce2a31ada405ebbd30ad8e3

SHA256
d30cd22e610011cb9d8f04c076853630d0a0a43852407e7658d31db70503bc8b

SHA512
167b37cb536b894820127d519a1b9814deb634ec569f641d03f75592c6d1bac51a98a01013e89490f6b070909d2340c540169e4b6b229b0def0c8af3fc800ee0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads