79d9f65798a52d25116530f90a478dcdf69505d20f06f11a11d3c00052cdd831

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

293047e0825c75985cf02bb3051bda2f.exe
Size

281KB
MD5

293047e0825c75985cf02bb3051bda2f
SHA1

0afa9ae685630c3bf09f68b9238f160ebfaf6777
SHA256

79d9f65798a52d25116530f90a478dcdf69505d20f06f11a11d3c00052cdd831
SHA512

3e08a1a8ac723ee770da4ef49c00f95562c106bdeddc329f75edf2094fb598e60c2779fb45f666c47f5155abe7451e130daf23bfce452125738d30c0e7ecaad4
SSDEEP

6144:nEkIajmJ9z8t+EgBWw+cteYm9g8V4R4JTlFxZuqz:nYaj+/3Qdwe7CsDZ

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msn_livers = "C:\\Arquivos de programas\\msnmsgr.exe"	293047e0825c75985cf02bb3051bda2f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe
1868	293047e0825c75985cf02bb3051bda2f.exe

C:\Users\Admin\AppData\Local\Temp\293047e0825c75985cf02bb3051bda2f.exe
"C:\Users\Admin\AppData\Local\Temp\293047e0825c75985cf02bb3051bda2f.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1868-0-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1868-1-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1868-2-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1868-3-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1868-4-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1868-5-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1868-6-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1868-7-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1868-8-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1868-9-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1868-10-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1868-11-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1868-12-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1868-13-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1868-14-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download