d433cd0ba6b6850a9f616b3b89754a005699547d4e04fadb75cade770156cfd1

Resubmissions

14/02/2025, 03:19

250214-dt85hazpgj 8

15/07/2024, 12:22

14/07/2024, 17:11

14/07/2024, 17:07

14/07/2024, 16:55

01/05/2024, 09:05

24/03/2023, 19:33

Analysis

max time kernel
496s
max time network
506s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Replace.exe
Size

34.8MB
MD5

fd5cd14325c51ecab6a57d1d665f8852
SHA1

ea16aa0f197210437733c63a42a8f1dd6442d753
SHA256

d433cd0ba6b6850a9f616b3b89754a005699547d4e04fadb75cade770156cfd1
SHA512

9a2e4c8baa01fbafe6968905daeb8d3b7eb62c09d1d7584e973ad1c23d964093e161a51a7390dfaa598d2657f45ca17bf00b5055aeaf0441f875ddb364741d71
SSDEEP

786432:i9hj60qHOBbQcVM3sct6C2ubdsUeGXV4yQnb+LQgRkrm12PYfrB:i9kH+o5sG2ysbhrmka

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
920	run.exe

Loads dropped DLL 1 IoCs

pid	Process
3652	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc46DC.tmp\",Start verpostfix=bt"	rundll32.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Image-Line\FL Studio 20	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240602375	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line	run.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3652	rundll32.exe
3652	rundll32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 3652	512	Replace.exe	84
PID 512 wrote to memory of 3652	512	Replace.exe	84
PID 512 wrote to memory of 3652	512	Replace.exe	84
PID 512 wrote to memory of 920	512	Replace.exe	86
PID 512 wrote to memory of 920	512	Replace.exe	86

C:\Users\Admin\AppData\Local\Temp\Replace.exe
"C:\Users\Admin\AppData\Local\Temp\Replace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:512
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc46DC.tmp",Start verpostfix=bt
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:3652
- C:\Users\Admin\AppData\Local\Temp\7zS002C2277\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS002C2277\run.exe

Filesize
34.8MB

MD5
d77c3ef3efa7e38ef91137466eee801b

SHA1
0b6ce4b03f43c2a7290f95bfbbe9107298efeaef

SHA256
91c2295f354b0616aa6481708248f6ce35dbe9292901464fc6bf3a22522ccb2f

SHA512
7c0171509814f7e5f24b2a9d53a10ab282586ec56bcdedc2deb2ba1aa2b4d9edade6d6d753ca80fb65d147597bfd4ac9f30e330e88c695e72c913ff3ab224750

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsc46DC.tmp

Filesize
6KB

MD5
41e689a7859429d628c34a82bcbb1187

SHA1
f435c4225fc00b3ce4543b812731a65d3722bdc3

SHA256
252dd587c652e9939432bd8b5574590c4a8db64660bc753f5490a472703f5c3a

SHA512
6a8f76f4d2eeb78df1c48f43c8d31f4510f2ba8da71fbb93d88627eba5f4cc74eb9aa12b7688d7fb62ed938fe2ac15bd2c060d6ad90e5b2c61114f74fcecec85

Download Submit