68667151c5ce91b7c874d19603f0024ea57d5e7f1b94346625e0d0ffbc86f688

Analysis

max time kernel
136s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a3aa6c1122cbdce486771ab2ed985cd.exe
Size

81KB
MD5

3a3aa6c1122cbdce486771ab2ed985cd
SHA1

b7ff9992da46dce39df33f5d7e985a6b0cece50d
SHA256

68667151c5ce91b7c874d19603f0024ea57d5e7f1b94346625e0d0ffbc86f688
SHA512

bdb05ef3dccec02bab6addf71d9a8243b478b98730d49bf98c0477e1c7fe198e43e2008ce2aff4620c436d58b93d710f381b37807a0076499f52f3052ca46527
SSDEEP

1536:nx63pgVMXxpvTTxYmRGzlLZ9HlaAVVtjzX46VdlWT:nM3SSpvvqDzlDl7Vm6VdlWT

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}	3a3aa6c1122cbdce486771ab2ed985cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}\stubpath = "C:\\Windows\\system32\\server.exe s"	3a3aa6c1122cbdce486771ab2ed985cd.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Active Setup\Installed Components	3a3aa6c1122cbdce486771ab2ed985cd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\startkey = "C:\\Windows\\system32\\server.exe"	3a3aa6c1122cbdce486771ab2ed985cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startkey = "C:\\Windows\\system32\\server.exe"	3a3aa6c1122cbdce486771ab2ed985cd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\plugin1.dat	3a3aa6c1122cbdce486771ab2ed985cd.exe
File opened for modification	C:\Windows\SysWOW64\server.exe	3a3aa6c1122cbdce486771ab2ed985cd.exe
File created	C:\Windows\SysWOW64\server.exe	3a3aa6c1122cbdce486771ab2ed985cd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1284	3a3aa6c1122cbdce486771ab2ed985cd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 3464	1284	3a3aa6c1122cbdce486771ab2ed985cd.exe	47
PID 1284 wrote to memory of 3464	1284	3a3aa6c1122cbdce486771ab2ed985cd.exe	47
PID 1284 wrote to memory of 3076	1284	3a3aa6c1122cbdce486771ab2ed985cd.exe	93
PID 1284 wrote to memory of 3076	1284	3a3aa6c1122cbdce486771ab2ed985cd.exe	93
PID 1284 wrote to memory of 3076	1284	3a3aa6c1122cbdce486771ab2ed985cd.exe	93
PID 1284 wrote to memory of 3076	1284	3a3aa6c1122cbdce486771ab2ed985cd.exe	93
PID 1284 wrote to memory of 3076	1284	3a3aa6c1122cbdce486771ab2ed985cd.exe	93
PID 1284 wrote to memory of 3076	1284	3a3aa6c1122cbdce486771ab2ed985cd.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\3a3aa6c1122cbdce486771ab2ed985cd.exe
  "C:\Users\Admin\AppData\Local\Temp\3a3aa6c1122cbdce486771ab2ed985cd.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1284-0-0x0000000000400000-0x000000000041F0C0-memory.dmp

Filesize
124KB

Download
memory/1284-1-0x0000000000400000-0x000000000041F0C0-memory.dmp

Filesize
124KB

Download
memory/1284-4-0x0000000000400000-0x000000000041F0C0-memory.dmp

Filesize
124KB

Download
memory/1284-7-0x0000000000400000-0x000000000041F0C0-memory.dmp

Filesize
124KB

Download
memory/3464-5-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads