7c8ff2675b38565cb688ddb657b5cbf1469eb0f0b56625b2e6183e1507723195

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bafc7a9c8f4261fb83d9c5c2e45f20c7.exe
Size

405KB
MD5

bafc7a9c8f4261fb83d9c5c2e45f20c7
SHA1

96e4907948a9934c5c0ee6d48e6965682fd181f3
SHA256

7c8ff2675b38565cb688ddb657b5cbf1469eb0f0b56625b2e6183e1507723195
SHA512

0e2bb905954ac216464ed90272544e6a9989fe6cdf71c338b7793b71320bcf0970bab176672fe8ebbed2965c0864e9537d45d76f60ef8e04d7df8405ba0ed42f
SSDEEP

6144:1BmCr/JPiSFvbfCw5tg8b+IpxpLW/VpCuLkkri6+hZIuJXQ1PiAI4ess:DrRPiSpCSBb+M9cpRLkHhZJFQ1Pi2e

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
924	update.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\WINDOWS\\PeerNet\\svchost.exe"	bafc7a9c8f4261fb83d9c5c2e45f20c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update.exe = "C:\\WINDOWS\\PeerNet\\update.exe"	bafc7a9c8f4261fb83d9c5c2e45f20c7.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\WINDOWS\\PeerNet\\svchost.exe"	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update.exe = "C:\\WINDOWS\\PeerNet\\update.exe"	update.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\PeerNet\update.exe	bafc7a9c8f4261fb83d9c5c2e45f20c7.exe
File opened for modification	C:\WINDOWS\PeerNet\update.exe	bafc7a9c8f4261fb83d9c5c2e45f20c7.exe
File created	C:\WINDOWS\explo.bat	bafc7a9c8f4261fb83d9c5c2e45f20c7.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3676	reg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 4188	4568	bafc7a9c8f4261fb83d9c5c2e45f20c7.exe	89
PID 4568 wrote to memory of 4188	4568	bafc7a9c8f4261fb83d9c5c2e45f20c7.exe	89
PID 4568 wrote to memory of 4188	4568	bafc7a9c8f4261fb83d9c5c2e45f20c7.exe	89
PID 4188 wrote to memory of 3676	4188	cmd.exe	91
PID 4188 wrote to memory of 3676	4188	cmd.exe	91
PID 4188 wrote to memory of 3676	4188	cmd.exe	91
PID 4568 wrote to memory of 924	4568	bafc7a9c8f4261fb83d9c5c2e45f20c7.exe	94
PID 4568 wrote to memory of 924	4568	bafc7a9c8f4261fb83d9c5c2e45f20c7.exe	94
PID 4568 wrote to memory of 924	4568	bafc7a9c8f4261fb83d9c5c2e45f20c7.exe	94

C:\Users\Admin\AppData\Local\Temp\bafc7a9c8f4261fb83d9c5c2e45f20c7.exe
"C:\Users\Admin\AppData\Local\Temp\bafc7a9c8f4261fb83d9c5c2e45f20c7.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\WINDOWS\explo.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:3676
- C:\WINDOWS\PeerNet\update.exe
  C:\WINDOWS\PeerNet\update.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\explo.bat

Filesize
77B

MD5
842a5b9784004744843472d6c3440c60

SHA1
a61b7111c76dec741fb98b1eef6e6c45a02e6091

SHA256
f335661fabddf3ecca56756521b02fc9ae3c28952054eb8001dd6563a1c3b70b

SHA512
89a97e327c595239ba0d4718b09d6bb89a284b030ce32a4d54d8c81a964d13038f1e2107bb19c90a62a90036358cd6ffcd01699b310ebb74905254357fda876b

Download Submit
C:\Windows\PeerNet\update.exe

Filesize
405KB

MD5
bafc7a9c8f4261fb83d9c5c2e45f20c7

SHA1
96e4907948a9934c5c0ee6d48e6965682fd181f3

SHA256
7c8ff2675b38565cb688ddb657b5cbf1469eb0f0b56625b2e6183e1507723195

SHA512
0e2bb905954ac216464ed90272544e6a9989fe6cdf71c338b7793b71320bcf0970bab176672fe8ebbed2965c0864e9537d45d76f60ef8e04d7df8405ba0ed42f

Download Submit
memory/924-8-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/924-20-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4568-0-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4568-9-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads