862679b5c1657dc67c0d0e4810016e23220eca04f3a65c223b6546cded60050c

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6046f3becd927815c16b035bc2c7636.exe
Size

113KB
MD5

b6046f3becd927815c16b035bc2c7636
SHA1

5af0243d6575061721143de83d68a844679ce27a
SHA256

862679b5c1657dc67c0d0e4810016e23220eca04f3a65c223b6546cded60050c
SHA512

9c3d1796c00513a7ddd1142b8cfa5736b383185e8cb8c3257464ec1215944f52e8bc64f864e136fbbb1e4bec73d5a1ba16e24125223aa66c09fbff96f7c6028e
SSDEEP

3072:C6LOUpmXnG86kZNz+GHjjcs0NtW2mD54r5ae3eLOUpl:1A3G86uNT5sGz

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updates = "D:\\Updates.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Backup = "D:\\Backup.exe"	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1988	reg.exe
2544	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2216	b6046f3becd927815c16b035bc2c7636.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 776	2216	b6046f3becd927815c16b035bc2c7636.exe	28
PID 2216 wrote to memory of 776	2216	b6046f3becd927815c16b035bc2c7636.exe	28
PID 2216 wrote to memory of 776	2216	b6046f3becd927815c16b035bc2c7636.exe	28
PID 2216 wrote to memory of 776	2216	b6046f3becd927815c16b035bc2c7636.exe	28
PID 2216 wrote to memory of 1240	2216	b6046f3becd927815c16b035bc2c7636.exe	29
PID 2216 wrote to memory of 1240	2216	b6046f3becd927815c16b035bc2c7636.exe	29
PID 2216 wrote to memory of 1240	2216	b6046f3becd927815c16b035bc2c7636.exe	29
PID 2216 wrote to memory of 1240	2216	b6046f3becd927815c16b035bc2c7636.exe	29
PID 776 wrote to memory of 2544	776	cmd.exe	32
PID 776 wrote to memory of 2544	776	cmd.exe	32
PID 776 wrote to memory of 2544	776	cmd.exe	32
PID 776 wrote to memory of 2544	776	cmd.exe	32
PID 1240 wrote to memory of 1988	1240	cmd.exe	33
PID 1240 wrote to memory of 1988	1240	cmd.exe	33
PID 1240 wrote to memory of 1988	1240	cmd.exe	33
PID 1240 wrote to memory of 1988	1240	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\b6046f3becd927815c16b035bc2c7636.exe
"C:\Users\Admin\AppData\Local\Temp\b6046f3becd927815c16b035bc2c7636.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg add HKCU\software\microsoft\windows\currentversion\run /v Updates /t REG_SZ /d D:\Updates.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\software\microsoft\windows\currentversion\run /v Updates /t REG_SZ /d D:\Updates.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg add HKCU\software\microsoft\windows\currentversion\run /v Backup /t REG_SZ /d D:\Backup.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\software\microsoft\windows\currentversion\run /v Backup /t REG_SZ /d D:\Backup.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Low\Low.exe

Filesize
113KB

MD5
b6046f3becd927815c16b035bc2c7636

SHA1
5af0243d6575061721143de83d68a844679ce27a

SHA256
862679b5c1657dc67c0d0e4810016e23220eca04f3a65c223b6546cded60050c

SHA512
9c3d1796c00513a7ddd1142b8cfa5736b383185e8cb8c3257464ec1215944f52e8bc64f864e136fbbb1e4bec73d5a1ba16e24125223aa66c09fbff96f7c6028e

Download Submit
memory/2216-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads