70671eafafc694b53dae370ae8921063318834729d4fef5b34536a810b3e27a4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73bde96f7468cf3db071e6baa7ff4629.exe
Size

168KB
MD5

73bde96f7468cf3db071e6baa7ff4629
SHA1

df81b5f80db46b4400edb1de9af523b71527a048
SHA256

70671eafafc694b53dae370ae8921063318834729d4fef5b34536a810b3e27a4
SHA512

213f6e911bc65c1a9f92bb796addf701a1f12d98d1153ab58ac728e6b616fb461f54be0eabe1b1735adf8afbee8319d7415db40e1fd6912025477861718c3bdb
SSDEEP

3072:PjidUO+VMUBtNwuiYULu2WZf4/XIaQQNW5assn6tLkQo:bidUO+bvqutULi4/YaQQY5BHK

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3108	rotr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "C:\\Program Files (x86)\\unue\\rotr.exe"	rotr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "C:\\Program Files (x86)\\unue\\rotr.exe"	73bde96f7468cf3db071e6baa7ff4629.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\unue\rotr.exe	73bde96f7468cf3db071e6baa7ff4629.exe
File created	C:\Program Files (x86)\unue\rotr.exe	73bde96f7468cf3db071e6baa7ff4629.exe
File opened for modification	C:\Program Files (x86)\unue\rotr.exe	rotr.exe
File created	C:\Program Files (x86)\unue\rotr.exe	rotr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 3108	4496	73bde96f7468cf3db071e6baa7ff4629.exe	86
PID 4496 wrote to memory of 3108	4496	73bde96f7468cf3db071e6baa7ff4629.exe	86
PID 4496 wrote to memory of 3108	4496	73bde96f7468cf3db071e6baa7ff4629.exe	86

C:\Users\Admin\AppData\Local\Temp\73bde96f7468cf3db071e6baa7ff4629.exe
"C:\Users\Admin\AppData\Local\Temp\73bde96f7468cf3db071e6baa7ff4629.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Program Files (x86)\unue\rotr.exe
  "C:\Program Files (x86)\unue\rotr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\unue\rotr.exe

Filesize
168KB

MD5
73bde96f7468cf3db071e6baa7ff4629

SHA1
df81b5f80db46b4400edb1de9af523b71527a048

SHA256
70671eafafc694b53dae370ae8921063318834729d4fef5b34536a810b3e27a4

SHA512
213f6e911bc65c1a9f92bb796addf701a1f12d98d1153ab58ac728e6b616fb461f54be0eabe1b1735adf8afbee8319d7415db40e1fd6912025477861718c3bdb

Download Submit
memory/4496-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads