3526c74a22a6a7ff285bddc4a055d22e443bd2d9ceb47aa7bc20240256084787

Analysis

max time kernel
102s
max time network
82s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe
Size

188KB
MD5

4f92d8fccd5ade0673aadefea9f04f44
SHA1

927bd3212787d5ded2a21301d1f483203b23de29
SHA256

db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f
SHA512

fe029565179ee63dc1416fe8f739248ad510f7ec4d54f4ea863541f874af86a9ddd768d999b8c29c15dfd7732ce9d0e9b07230d5523b62bc4defe317fa3c8bab
SSDEEP

3072:E2sAaxYA5sKkzigXD0+H4gQU3YZA3vX5/exte:uAzzXF/r

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2168 set thread context of 2976	2168	db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe	28

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2976	db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe
2976	db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe
2976	db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe
2976	db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2168	db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2976	2168	db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe	28
PID 2168 wrote to memory of 2976	2168	db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe	28
PID 2168 wrote to memory of 2976	2168	db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe	28
PID 2168 wrote to memory of 2976	2168	db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe	28
PID 2168 wrote to memory of 2976	2168	db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe	28
PID 2168 wrote to memory of 2976	2168	db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe	28
PID 2168 wrote to memory of 2976	2168	db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe	28
PID 2168 wrote to memory of 2976	2168	db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe	28

C:\Users\Admin\AppData\Local\Temp\db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe
"C:\Users\Admin\AppData\Local\Temp\db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe
  "C:\Users\Admin\AppData\Local\Temp\db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8212.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
memory/2976-2-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2976-4-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2976-6-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2976-8-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2976-10-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2976-12-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2976-15-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download