e1c1c0d73bdec2a4e6c01fc9758e594c8ad46ef717a660c3ff579f71d74cdef0

Analysis

max time kernel
17s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65f72c5ec689d16e2e8cf5c22f6aeb83.exe
Size

62KB
MD5

65f72c5ec689d16e2e8cf5c22f6aeb83
SHA1

f26125a824449398b6aba11d400e797cfaad0049
SHA256

e1c1c0d73bdec2a4e6c01fc9758e594c8ad46ef717a660c3ff579f71d74cdef0
SHA512

44b0fd8de1038ffec34c70c6fc8f98856b8262f8c0462dad4a331887c7dd5987b598c9b718a0d3319ddfe4d9fdfd54ddef329256ea5fbc2fa18fc80885fc1710
SSDEEP

1536:ajmQRC8cPQqvhl8VrKLzI0g2Xl5Uq4IjG8Gkm+F37+l:ajVCXQqvemL9X/Sc3W

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WUpdates = "C:\\Windows\\system32\\WUpdates.exe"	65f72c5ec689d16e2e8cf5c22f6aeb83.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WUpdates.exe	65f72c5ec689d16e2e8cf5c22f6aeb83.exe
File opened for modification	C:\Windows\SysWOW64\WUpdates.exe	65f72c5ec689d16e2e8cf5c22f6aeb83.exe

C:\Users\Admin\AppData\Local\Temp\65f72c5ec689d16e2e8cf5c22f6aeb83.exe
"C:\Users\Admin\AppData\Local\Temp\65f72c5ec689d16e2e8cf5c22f6aeb83.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\McAfee.com\Personal Firewall\*.dll /F /S /Q
  2⤵
  PID:3568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\McAfee.com\Personal Firewall\data\*.* /F /S /Q
  2⤵
  PID:1492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\McAfee.com\Personal Firewall\help\*.* /F /S /Q
  2⤵
  PID:2088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\McAfee.com\VSO\*.dll /F /S /Q
  2⤵
  PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\McAfee.com\VSO\*.ini /F /S /Q
  2⤵
  PID:4424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\McAfee.com\VSO\Res00\*.dll /F /S /Q
  2⤵
  PID:1048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\McAfee.com\VSO\Dat\4615\*.* /F /S /Q
  2⤵
  PID:2976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\McAfee.com\*.* /F /S /Q
  2⤵
  PID:2424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\Norton AntiVirus\*.dll /F /S /Q
  2⤵
  PID:3024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\Common Files\Symantec Shared\*.exe /F /S /Q
  2⤵
  PID:3560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\Norton AntiVirus\*.ini /F /S /Q
  2⤵
  PID:3772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\Norton AntiVirus\*.exe /F /S /Q
  2⤵
  PID:3632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\Norton AntiVirus\*.inf /F /S /Q
  2⤵
  PID:4500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\Zone Labs\ZoneAlarm\*.exe /F /S /Q
  2⤵
  PID:864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\Zone Labs\ZoneAlarm\*.zap /F /S /Q
  2⤵
  PID:3164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\Zone Labs\ZoneAlarm\*.dll /F /S /Q
  2⤵
  PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\Zone Labs\ZoneAlarm\repair\*.dll /F /S /Q
  2⤵
  PID:1020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\Kaspersky Lab\AVP6\*.exe /F /S /Q
  2⤵
  PID:4436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Program Files\Kaspersky Lab\AVP6\*.dll /F /S /Q
  2⤵
  PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2740-1-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2740-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads