71fd3a87be81c234e60aa4fef6e942209c8478d1e75fa73fa48338c1b4414585

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff2be5c3b229cf96e60b39bce28cef5c.exe
Size

29KB
MD5

ff2be5c3b229cf96e60b39bce28cef5c
SHA1

84d44eed116f1f8852e3546e7fd291f8ab7f0a58
SHA256

71fd3a87be81c234e60aa4fef6e942209c8478d1e75fa73fa48338c1b4414585
SHA512

3adba1b706bc165e20c4273925a60c568991b31156ad6fb1f59ecf54df31e79df65fd89d1346ef7c5dd801d6e79503ef55aef14468c31890460b7cc061828ffd
SSDEEP

384:7z/0RPIvpLhgi8G9OgeNK/jYuP3J4V2sidokno7iEMuX/xfTFhpUkjBUy8l3D+:XmP41hgejl3ZdrLel8l3D

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ff2be5c3b229cf96e60b39bce28cef5c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows update loader = "C:\\Windows\\xpupdate.exe"	ff2be5c3b229cf96e60b39bce28cef5c.exe

Drops file in Windows directory 2 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\xpupdate.exe cmd.exe
File opened for modification C:\Windows\xpupdate.exe cmd.exe

description	ioc	process
File created	C:\Windows\xpupdate.exe	cmd.exe
File opened for modification	C:\Windows\xpupdate.exe	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ff2be5c3b229cf96e60b39bce28cef5c.exe

description	pid	process	target process
PID 2252 wrote to memory of 4484	2252	ff2be5c3b229cf96e60b39bce28cef5c.exe	cmd.exe
PID 2252 wrote to memory of 4484	2252	ff2be5c3b229cf96e60b39bce28cef5c.exe	cmd.exe
PID 2252 wrote to memory of 4484	2252	ff2be5c3b229cf96e60b39bce28cef5c.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ff2be5c3b229cf96e60b39bce28cef5c.exe
"C:\Users\Admin\AppData\Local\Temp\ff2be5c3b229cf96e60b39bce28cef5c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\4.bat
2⤵
- Drops file in Windows directory
PID:4484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4.bat
Filesize
123B

MD5
2978d964c65595931883910436432ad6

SHA1
78c5aa85e5a6adff75a892475da550f00826ae04

SHA256
0b47e1cd60ade806e9c0652bec6db02e9ce76ac8db4dcd8db779ce030252fc2d

SHA512
256a7c65195db8b2c531e1ff8c059f2fe3021ec120f9a89b158a0a44db8cd5705c13d9f1568c763dd86b06cdd122aece1f3774a206463dd1a74d1e1c4a439821

Download Submit
C:\a
Filesize
29KB

MD5
ff2be5c3b229cf96e60b39bce28cef5c

SHA1
84d44eed116f1f8852e3546e7fd291f8ab7f0a58

SHA256
71fd3a87be81c234e60aa4fef6e942209c8478d1e75fa73fa48338c1b4414585

SHA512
3adba1b706bc165e20c4273925a60c568991b31156ad6fb1f59ecf54df31e79df65fd89d1346ef7c5dd801d6e79503ef55aef14468c31890460b7cc061828ffd

Download Submit
memory/2252-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2252-4-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2252-3-0x0000000002150000-0x0000000002180000-memory.dmp

Filesize
192KB

Download
memory/2252-2-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2252-1-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2252-15-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2252-17-0x0000000002150000-0x0000000002180000-memory.dmp

Filesize
192KB

Download
memory/2252-18-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2252-24-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2252-26-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download