f787ed7f82f7a1740b8ff443196ae7b01e3d84b711d73778279dbe5486d1cbe9

Analysis

max time kernel
43s
max time network
33s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05/04/2024, 08:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

z.exe
Size

4.4MB
MD5

4241fe7036a0a942c378abe2e81e3668
SHA1

b1bf10c957726eafe0049911e779d4684cc18421
SHA256

f787ed7f82f7a1740b8ff443196ae7b01e3d84b711d73778279dbe5486d1cbe9
SHA512

b23105a02a1ec9276eda34f625aa9f665468fde234b28c06dbf42388a668ee8309927e2b1ae4db5af94e516756aad22dfcbdc9a538e03d2252ea61f7f8fb0c2c
SSDEEP

49152:ervOlruSUUlcKI+wZDw9qWTWzXS19bb3ZgcAKahCHcSbfrYUjLQZ:er5KEKqJe1NghCHcorYUjLQZ

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Avro Keyboard = "C:\\Users\\Admin\\AppData\\Local\\Temp\\z.exe"	z.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Desktop	z.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Desktop\LowLevelHooksTimeout = "5000"	z.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2924	z.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe
2924	z.exe

C:\Users\Admin\AppData\Local\Temp\z.exe
"C:\Users\Admin\AppData\Local\Temp\z.exe"
1⤵
- Adds Run key to start application
- Modifies Control Panel
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2924-0-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/2924-1-0x0000000000400000-0x00000000008F5000-memory.dmp

Filesize
5.0MB

Download
memory/2924-2-0x0000000000400000-0x00000000008F5000-memory.dmp

Filesize
5.0MB

Download
memory/2924-3-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/2924-4-0x0000000000400000-0x00000000008F5000-memory.dmp

Filesize
5.0MB

Download
memory/2924-5-0x0000000000400000-0x00000000008F5000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads