9ca56280e5b22bc4c0a43fda4ae9b5695fa5e246c6c32bb4ca9dd6ba9af93eec

Analysis

max time kernel
131s
max time network
133s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ca56280e5b22bc4c0a43fda4ae9b5695fa5e246c6c32bb4ca9dd6ba9af93eec.exe
Size

12KB
MD5

95bc1f7612a26477cb003a7668cd956d
SHA1

6cc0bb819108d5469b4322917b9472b3eb6a70e0
SHA256

9ca56280e5b22bc4c0a43fda4ae9b5695fa5e246c6c32bb4ca9dd6ba9af93eec
SHA512

c1f873ad176bb8ecd61c27791999c3210f929a36911b6e553a2fff70db50d0b881c31d1cdbf426902fd4552c00d0386bdbd2c61112dc06529b5796536e333cfc
SSDEEP

192:2/jOPyJY55MJh/4ZgLkpg2pq1P707Da2xNfI9fctrb5G555jbcQ26YS295P1oynR:2/2H55Uh/4Ckrq1PQ7lxNUctrbA555jl

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\VaultSvc	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2824	regedit.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2824	1848	9ca56280e5b22bc4c0a43fda4ae9b5695fa5e246c6c32bb4ca9dd6ba9af93eec.exe	28
PID 1848 wrote to memory of 2824	1848	9ca56280e5b22bc4c0a43fda4ae9b5695fa5e246c6c32bb4ca9dd6ba9af93eec.exe	28
PID 1848 wrote to memory of 2824	1848	9ca56280e5b22bc4c0a43fda4ae9b5695fa5e246c6c32bb4ca9dd6ba9af93eec.exe	28
PID 1848 wrote to memory of 2824	1848	9ca56280e5b22bc4c0a43fda4ae9b5695fa5e246c6c32bb4ca9dd6ba9af93eec.exe	28

C:\Users\Admin\AppData\Local\Temp\9ca56280e5b22bc4c0a43fda4ae9b5695fa5e246c6c32bb4ca9dd6ba9af93eec.exe
"C:\Users\Admin\AppData\Local\Temp\9ca56280e5b22bc4c0a43fda4ae9b5695fa5e246c6c32bb4ca9dd6ba9af93eec.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Filesize
122B

MD5
e76772e312a3581d58023cd679031bca

SHA1
9390d3f61698deac3b948d71a66f683439bc56c4

SHA256
829b4c1c2dc23c872fd045689a4267eacf56130cf1e72ca05ad28fcb0ed9e394

SHA512
4c7d712094c354ad4831aefc2c1f2767cfb17da2966189efdb8e095dbe48414535151bea13bd5292318bc06e6298e7e3f283bfe7300c9398a1b395691b54ddce

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads