ed635babb8fd40a10102c7f1f54e70e1664373a8a9a3141de3eac64e29868ca8

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 00:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ed635babb8fd40a10102c7f1f54e70e1664373a8a9a3141de3eac64e29868ca8.exe
Size

32KB
MD5

f1de674508228944da2a230a2a6a2ad8
SHA1

fe5aa90c868dd6c13af978b3749fa11a5e661fae
SHA256

ed635babb8fd40a10102c7f1f54e70e1664373a8a9a3141de3eac64e29868ca8
SHA512

0572554493c4e7a77a774090e7e01cec48b6d0892555b43f681320ad0648199c48687aa08db19c8070fb29fd81fae3abb275d1c7e135e85596816d0125df8682
SSDEEP

384:Q98xUHQVpsA9y4Ng8zLeiKerR/y2XIUqiDvb4V8UBEEnUNIUMtZmMrg:Twmp5/gop/7IPWjiUM2Mrg

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\Appinfo = "C:\\Users\\Admin\\AppData\\Local\\Appinfo.exe"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2604	regedit.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
1752	ed635babb8fd40a10102c7f1f54e70e1664373a8a9a3141de3eac64e29868ca8.exe
1752	ed635babb8fd40a10102c7f1f54e70e1664373a8a9a3141de3eac64e29868ca8.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2604	1752	ed635babb8fd40a10102c7f1f54e70e1664373a8a9a3141de3eac64e29868ca8.exe	28
PID 1752 wrote to memory of 2604	1752	ed635babb8fd40a10102c7f1f54e70e1664373a8a9a3141de3eac64e29868ca8.exe	28
PID 1752 wrote to memory of 2604	1752	ed635babb8fd40a10102c7f1f54e70e1664373a8a9a3141de3eac64e29868ca8.exe	28
PID 1752 wrote to memory of 2604	1752	ed635babb8fd40a10102c7f1f54e70e1664373a8a9a3141de3eac64e29868ca8.exe	28
PID 1752 wrote to memory of 2604	1752	ed635babb8fd40a10102c7f1f54e70e1664373a8a9a3141de3eac64e29868ca8.exe	28
PID 1752 wrote to memory of 2604	1752	ed635babb8fd40a10102c7f1f54e70e1664373a8a9a3141de3eac64e29868ca8.exe	28
PID 1752 wrote to memory of 2604	1752	ed635babb8fd40a10102c7f1f54e70e1664373a8a9a3141de3eac64e29868ca8.exe	28

C:\Users\Admin\AppData\Local\Temp\ed635babb8fd40a10102c7f1f54e70e1664373a8a9a3141de3eac64e29868ca8.exe
"C:\Users\Admin\AppData\Local\Temp\ed635babb8fd40a10102c7f1f54e70e1664373a8a9a3141de3eac64e29868ca8.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Appinfo.exe

Filesize
32KB

MD5
3d9f8a7eb635511a708ce167ee59346b

SHA1
b406179e71bd2a42cf8d8f27d85116fb32eb9236

SHA256
9e64ece83307aa2ca06fe6e23606176060af6b62acc2ceea588627ac39a5af77

SHA512
75f63e202805011e2f090fb73e4f253e9ccceda8084f97205e00dfd3ef6db09da013b050720590464c368f1d40bd34e3051fe77bb1f580abaf20e45fb4b401a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Filesize
166B

MD5
c27dea95e6c9c2659dd91a42b18aa849

SHA1
e307104b7fefafe418cd10956e72b04c0ebb3144

SHA256
6118f957cff2c9603922c8987184c38ce50729d148f91eb59dc650cfccc54fba

SHA512
cec670205f8f673515fcfa6a3d12c0dabfb9a88eb751330a09016c82c47a1837afe4c27ddd0f0e74789482dd5a29ae988aee8416ae1405a00aac12293badc021

Download Submit
memory/1752-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1752-3-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/1752-2-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/1752-1-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/1752-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads