987e2c00b1236d23b9fdb22a4b209f283897e5d7d741db0d46650f2bc4dd7e2d

Analysis

max time kernel
148s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53d7e8008e5dcf8b2913c0ebeb545565.exe
Size

28KB
MD5

53d7e8008e5dcf8b2913c0ebeb545565
SHA1

d1128fc8fea68b7b4aabfa61c084a0c7855a68e8
SHA256

987e2c00b1236d23b9fdb22a4b209f283897e5d7d741db0d46650f2bc4dd7e2d
SHA512

bc9f684d3d526906937936854032ea2dc97dbe29f4f0e85622a4f75fa3e875ece16d7401db33b6dca7bc26f9040c01a52691bd7a96866f0f22716d6651346a8a
SSDEEP

768:WJh24sXfriXQJwG6IVupYb6wm53scyYPsdU8X:WJh24wfrvJ5qE257yFX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RealUpdate = "C:\\Program Files (x86)\\Common Files\\update\\svchost.exe"	53d7e8008e5dcf8b2913c0ebeb545565.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_deleteme.bat	53d7e8008e5dcf8b2913c0ebeb545565.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\update\svchost.exe	53d7e8008e5dcf8b2913c0ebeb545565.exe
File opened for modification	C:\Program Files (x86)\Common Files\update\svchost.exe	53d7e8008e5dcf8b2913c0ebeb545565.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 452	3168	53d7e8008e5dcf8b2913c0ebeb545565.exe	17
PID 3168 wrote to memory of 452	3168	53d7e8008e5dcf8b2913c0ebeb545565.exe	17
PID 3168 wrote to memory of 452	3168	53d7e8008e5dcf8b2913c0ebeb545565.exe	17

C:\Users\Admin\AppData\Local\Temp\53d7e8008e5dcf8b2913c0ebeb545565.exe
"C:\Users\Admin\AppData\Local\Temp\53d7e8008e5dcf8b2913c0ebeb545565.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\_deleteme.bat
  2⤵
  PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3168-0-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/3168-2-0x0000000002230000-0x0000000002330000-memory.dmp

Filesize
1024KB

Download
memory/3168-1-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/3168-6-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads