5425736cc1bd35a5caa062cd982da5c282dc534635f067ce4289ff7ebfd8d776

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c244e4b1712fb87cccffabaf9ea72f62.exe
Size

588KB
MD5

c244e4b1712fb87cccffabaf9ea72f62
SHA1

8ae3236eb09c28a0b6898496bb9b1119e53e758e
SHA256

5425736cc1bd35a5caa062cd982da5c282dc534635f067ce4289ff7ebfd8d776
SHA512

ddbc00cf7c35b0b30497d0710e7f4ca89e80a7629bb3cca76cb10dacb0cb51c3f8fc3933970c3697a4f5d9c9352dd51ca4d2e0a413397d20d7cc11501e6bcc90
SSDEEP

12288:OfecEyA2CXsNehjATMhsw2P4vJWxPvSU2kQqY8vZQVq:03CXBhOMhsw2gIt+kQqYMZt

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2396	tmp.exe

Loads dropped DLL 4 IoCs

pid	Process
300	c244e4b1712fb87cccffabaf9ea72f62.exe
2396	tmp.exe
2396	tmp.exe
2396	tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Windows\\GoogleUpdate\\update.exe"	tmp.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\GoogleUpdate\update.exe	tmp.exe
File opened for modification	C:\Windows\GoogleUpdate\update.exe	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
300	c244e4b1712fb87cccffabaf9ea72f62.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 300 wrote to memory of 2396	300	c244e4b1712fb87cccffabaf9ea72f62.exe	28
PID 300 wrote to memory of 2396	300	c244e4b1712fb87cccffabaf9ea72f62.exe	28
PID 300 wrote to memory of 2396	300	c244e4b1712fb87cccffabaf9ea72f62.exe	28
PID 300 wrote to memory of 2396	300	c244e4b1712fb87cccffabaf9ea72f62.exe	28
PID 300 wrote to memory of 2396	300	c244e4b1712fb87cccffabaf9ea72f62.exe	28
PID 300 wrote to memory of 2396	300	c244e4b1712fb87cccffabaf9ea72f62.exe	28
PID 300 wrote to memory of 2396	300	c244e4b1712fb87cccffabaf9ea72f62.exe	28

C:\Users\Admin\AppData\Local\Temp\c244e4b1712fb87cccffabaf9ea72f62.exe
"C:\Users\Admin\AppData\Local\Temp\c244e4b1712fb87cccffabaf9ea72f62.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:300
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  C:\Users\Admin\AppData\Local\Temp\tmp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
548KB

MD5
ab5b9a319f9a4892ea9efc16d4a45156

SHA1
5a755e0d2832fb38b06ee3af82704a313e982da1

SHA256
ea580fea8bbfafa4a0a279e04379b38690bfc16722c55d8a1958022d7a51dcfc

SHA512
05a38d97370b5eaa75ec11c661147dba18410b2ac5911ebd7434255d464727ee485c01ced8ad3eca1b89671df7b2db199cb3e1adb40bdc9d4bd730298a9b3a5e

Download Submit
memory/2396-15-0x0000000077FF0000-0x0000000078080000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads