940942319ebb9ab2ca1c58c9b81ae4d8509fdd0145c2466e14c81add036c5387

Analysis

max time kernel
144s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a978b6b7592b9a6a277849d9ba30007.exe
Size

19KB
MD5

0a978b6b7592b9a6a277849d9ba30007
SHA1

0e28ef38424d3885156955249d2698e36979d5f8
SHA256

940942319ebb9ab2ca1c58c9b81ae4d8509fdd0145c2466e14c81add036c5387
SHA512

0ed3a404c9d3cb4f872c302a38ce36c54283a3529e8f3f89b7107340bb15801921a1bdf342705a4b82488f580875fceae5713fc6f2450a7102b8e13b338f458f
SSDEEP

384:PfX92k8ZlhcdLQG/6ib1UXuqDTL368X98JAriI4mrQKM+UFJo33BwBtqCV3hww3a:PfXH8Zrcf6ixU1XL3D+AupQUfo33BwB0

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
464	mppds.exe

Executes dropped EXE 1 IoCs

pid	Process
464	mppds.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mppds = "C:\\Windows\\mppds.exe"	mppds.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mppds.dll	mppds.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\mppds.exe	0a978b6b7592b9a6a277849d9ba30007.exe
File opened for modification	C:\Windows\mppds.exe	0a978b6b7592b9a6a277849d9ba30007.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
464	mppds.exe
464	mppds.exe
464	mppds.exe
464	mppds.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 464	3912	0a978b6b7592b9a6a277849d9ba30007.exe	88
PID 3912 wrote to memory of 464	3912	0a978b6b7592b9a6a277849d9ba30007.exe	88
PID 3912 wrote to memory of 464	3912	0a978b6b7592b9a6a277849d9ba30007.exe	88
PID 464 wrote to memory of 3416	464	mppds.exe	54
PID 464 wrote to memory of 3416	464	mppds.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\0a978b6b7592b9a6a277849d9ba30007.exe
  "C:\Users\Admin\AppData\Local\Temp\0a978b6b7592b9a6a277849d9ba30007.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Windows\mppds.exe
    C:\Windows\mppds.exe @C:\Users\Admin\AppData\Local\Temp\0a978b6b7592b9a6a277849d9ba30007.exe@3912
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mppds.exe

Filesize
19KB

MD5
0a978b6b7592b9a6a277849d9ba30007

SHA1
0e28ef38424d3885156955249d2698e36979d5f8

SHA256
940942319ebb9ab2ca1c58c9b81ae4d8509fdd0145c2466e14c81add036c5387

SHA512
0ed3a404c9d3cb4f872c302a38ce36c54283a3529e8f3f89b7107340bb15801921a1bdf342705a4b82488f580875fceae5713fc6f2450a7102b8e13b338f458f

Download Submit