aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe
Size

588KB
MD5

b7e327f53bf106d57b3e8984f7ab2283
SHA1

0fb298dafecec182468308bf3fc613c055278f90
SHA256

aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8
SHA512

e51707625cae680d404a6ca153691aba303bd2be0df3feae13f772bafc7510e3d57b61164f8fcd02bf0ca183237368db3741d1de6b47f1ab937253df12dad00d
SSDEEP

12288:5X8BkNgKYUz4EN6BSYNwYQRmvOocHp+IZVrEWluH:F8BkN8C6d

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3024	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1084 set thread context of 2248	1084	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	28

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2576	reg.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2248	1084	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	28
PID 1084 wrote to memory of 2248	1084	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	28
PID 1084 wrote to memory of 2248	1084	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	28
PID 1084 wrote to memory of 2248	1084	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	28
PID 1084 wrote to memory of 2248	1084	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	28
PID 1084 wrote to memory of 2248	1084	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	28
PID 1084 wrote to memory of 2248	1084	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	28
PID 1084 wrote to memory of 2248	1084	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	28
PID 1084 wrote to memory of 2248	1084	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	28
PID 2248 wrote to memory of 2000	2248	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	29
PID 2248 wrote to memory of 2000	2248	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	29
PID 2248 wrote to memory of 2000	2248	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	29
PID 2248 wrote to memory of 2000	2248	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	29
PID 1084 wrote to memory of 3024	1084	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	31
PID 1084 wrote to memory of 3024	1084	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	31
PID 1084 wrote to memory of 3024	1084	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	31
PID 1084 wrote to memory of 3024	1084	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	31
PID 2000 wrote to memory of 2576	2000	cmd.exe	33
PID 2000 wrote to memory of 2576	2000	cmd.exe	33
PID 2000 wrote to memory of 2576	2000	cmd.exe	33
PID 2000 wrote to memory of 2576	2000	cmd.exe	33
PID 2000 wrote to memory of 2580	2000	cmd.exe	34
PID 2000 wrote to memory of 2580	2000	cmd.exe	34
PID 2000 wrote to memory of 2580	2000	cmd.exe	34
PID 2000 wrote to memory of 2580	2000	cmd.exe	34
PID 2000 wrote to memory of 2580	2000	cmd.exe	34
PID 2000 wrote to memory of 2580	2000	cmd.exe	34
PID 2000 wrote to memory of 2580	2000	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe
"C:\Users\Admin\AppData\Local\Temp\aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe
  "C:\Users\Admin\AppData\Local\Temp\aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:2576
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  - Deletes itself
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
341B

MD5
f2b40e871bb8f86ab5b98cb543907443

SHA1
c9fdacbcb92abb228cfeac8d0092f911d75d4504

SHA256
e2ca7adb0c8cfb6d051012c02e68af58097bc4ec80ca0ee7cb7c64c36786b6e8

SHA512
6704c067e75c40e6814ad7a3df1259b3900e9a075647cf56340501639d64b379ff14edd9a7dc18396bc428d6a975e0d2464e1285a19f78d1ab46dcebee80d291

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
588KB

MD5
4d1a4d2398d66c289aec077dbbf93450

SHA1
147c276d689b6d85ba6661aa8c1c59dae6e893a7

SHA256
773e5e5768fdb63e15523316b0f05b31a1a215eba248761dc15b55e84c41e2f9

SHA512
1f0b283e0198e29b39a5018fc22c980eeb84cee1fbd0d3fc29fb783614814c1012b09e124787ea2fdbcb72e3c711e42dc66231298d359d625d2151c02ad0433d

Download Submit
memory/2248-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-6-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-4-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download