02fadcac98b4c452a723134848f81a861bbdc07ee976a1b1778d59a04447845e

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9844faff5aa251d9e5565db075da675f.exe
Size

78KB
MD5

9844faff5aa251d9e5565db075da675f
SHA1

395e155d09fae93f9d4d47693b8257ebcb4decd4
SHA256

02fadcac98b4c452a723134848f81a861bbdc07ee976a1b1778d59a04447845e
SHA512

28c0a274f51796a2540eececc674fe75664903398fd96ab1f3096e8377ad887a4f5bd8bc96c6f50d37d3e8a73db74739b641d3b3fd8d4eff52ea39a41e812dbc
SSDEEP

1536:50mqgmGhx5LHpemT9QfUXrblOH7n3RTvEb0L7K5RAcWqB:50mq+35jdwZvEb0LW5RAiB

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{6739EFCB-69CF-41db-ADD7-79047E1BB2C0} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9844faff5aa251d9e5565db075da675f.exe\""	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{6739EFCB-69CF-41db-ADD7-79047E1BB2C0} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9844faff5aa251d9e5565db075da675f.exe\""	reg.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2932	regedit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2416	2900	9844faff5aa251d9e5565db075da675f.exe	28
PID 2900 wrote to memory of 2416	2900	9844faff5aa251d9e5565db075da675f.exe	28
PID 2900 wrote to memory of 2416	2900	9844faff5aa251d9e5565db075da675f.exe	28
PID 2900 wrote to memory of 2416	2900	9844faff5aa251d9e5565db075da675f.exe	28
PID 2416 wrote to memory of 2932	2416	cmd.exe	30
PID 2416 wrote to memory of 2932	2416	cmd.exe	30
PID 2416 wrote to memory of 2932	2416	cmd.exe	30
PID 2416 wrote to memory of 2932	2416	cmd.exe	30
PID 2416 wrote to memory of 3008	2416	cmd.exe	31
PID 2416 wrote to memory of 3008	2416	cmd.exe	31
PID 2416 wrote to memory of 3008	2416	cmd.exe	31
PID 2416 wrote to memory of 3008	2416	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\9844faff5aa251d9e5565db075da675f.exe
"C:\Users\Admin\AppData\Local\Temp\9844faff5aa251d9e5565db075da675f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c rrxx4.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\regedit.exe
    regedit -s rr4.reg
    3⤵
    - Adds Run key to start application
    - Runs .reg file with regedit
    PID:2932
- - C:\Windows\SysWOW64\reg.exe
    REG IMPORT rr4.reg
    3⤵
    - Adds Run key to start application
    PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rr4.reg

Filesize
236B

MD5
92e9448edc9a37afc3d0307a9115597b

SHA1
a62aa7891c945492b1883df7888f1b8af6f9d70d

SHA256
d7020e2c7199d2a067274a18064ea69afc26bdf202ae12e5a612f6b2e310431b

SHA512
7e5e6d400aa390bc82db1e8eb8615ad49f96658f5a7534e438a4c5e9290f6fbbb3fe51d2c09fde688622e192066fdaa5d2c55f891acd30566ca1225d8d9c848d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrxx4.bat

Filesize
76B

MD5
5b35554e98c6ab3219d38b6cc1c7f026

SHA1
f1ef2acfd9b8ceeaf81294aec95c1b875224fb32

SHA256
34527b0aa43ff591dfb42df6fac4885c9169b0f6a1af0b7d8d4d6fb77116cce8

SHA512
0123c17c7a99aa8156f6072824dca54ed19694429dcc9ddec01b3f24c682f35ee0903f01e6dc1c12ad473b7b1f0f5f41420ec4c00c645e28fa8fdcedc84a018b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads