f01a44e363340833fa7c371cb7968cb4a8028de8f36cea480a299f0cf52ecd83

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd8c7d4c028dc9ac98f80f7c3203473d.exe
Size

3.7MB
MD5

cd8c7d4c028dc9ac98f80f7c3203473d
SHA1

d75f21417f513abd784ea8814c3bb106b5c7bda3
SHA256

f01a44e363340833fa7c371cb7968cb4a8028de8f36cea480a299f0cf52ecd83
SHA512

90f466cf0bf52a7c5a81ba0ce2717a817b71bb1c539cabf92e8cc70f0bd94858ad6ec620b2a08456a112036f39bdd0b871e12d04eb52f238404569aed1b10191
SSDEEP

98304:0/yGY2TEvQCRnZ2d1eg1xwnYdFyjaVmNo:0/yGxTIRZ2h1aYdFuq

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4532	_6457.tmpac7d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3o8a4nurdv44 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cd8c7d4c028dc9ac98f80f7c3203473d.exe"	cd8c7d4c028dc9ac98f80f7c3203473d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus Protection = "\"C:\\Users\\Admin\\AppData\\Roaming\\Antivirus Protection\\AntivirusProtection2012.exe\" /STARTUP"	cd8c7d4c028dc9ac98f80f7c3203473d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3896	2768	WerFault.exe	85

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	cd8c7d4c028dc9ac98f80f7c3203473d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2768	cd8c7d4c028dc9ac98f80f7c3203473d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 4532	2768	cd8c7d4c028dc9ac98f80f7c3203473d.exe	87
PID 2768 wrote to memory of 4532	2768	cd8c7d4c028dc9ac98f80f7c3203473d.exe	87
PID 2768 wrote to memory of 4532	2768	cd8c7d4c028dc9ac98f80f7c3203473d.exe	87

C:\Users\Admin\AppData\Local\Temp\cd8c7d4c028dc9ac98f80f7c3203473d.exe
"C:\Users\Admin\AppData\Local\Temp\cd8c7d4c028dc9ac98f80f7c3203473d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Temp\_6457.tmpac7d.exe
  "C:\Users\Admin\AppData\Local\Temp\_6457.tmpac7d.exe" -p"10:02 PM" -y -o"C:\Users\Admin\AppData\Roaming\Antivirus Protection"
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 928
  2⤵
  - Program crash
  PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2768 -ip 2768
1⤵
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_6457.tmpac7d.exe

Filesize
2.4MB

MD5
7e88d135cd83ead908ea8799edf55117

SHA1
7830e5c04db33397b96755d6894d746185237ac5

SHA256
480cd2aa702f4719922cd4e7d2000fb9d6b8d973129b4524cc8fcbefa4393cf1

SHA512
b405c5196709dab97bdf8cfca10c7b08856b83243b230d60da8b5b3006942ac0e7c71b7aec822e81173de8ffd58dd281a94af8fcfa41ca73ec79b22bde6304c3

Download Submit
memory/2768-0-0x00000000031F0000-0x000000000359E000-memory.dmp

Filesize
3.7MB

Download
memory/2768-1-0x0000000000400000-0x0000000000DE6000-memory.dmp

Filesize
9.9MB

Download
memory/2768-2-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/2768-3-0x0000000000400000-0x0000000000DE6000-memory.dmp

Filesize
9.9MB

Download
memory/2768-19-0x0000000000400000-0x0000000000DE6000-memory.dmp

Filesize
9.9MB

Download
memory/2768-20-0x00000000031F0000-0x000000000359E000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads