aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe
Size

588KB
MD5

b7e327f53bf106d57b3e8984f7ab2283
SHA1

0fb298dafecec182468308bf3fc613c055278f90
SHA256

aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8
SHA512

e51707625cae680d404a6ca153691aba303bd2be0df3feae13f772bafc7510e3d57b61164f8fcd02bf0ca183237368db3741d1de6b47f1ab937253df12dad00d
SSDEEP

12288:5X8BkNgKYUz4EN6BSYNwYQRmvOocHp+IZVrEWluH:F8BkN8C6d

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4232 set thread context of 1944	4232	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	82

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2572	reg.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 1944	4232	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	82
PID 4232 wrote to memory of 1944	4232	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	82
PID 4232 wrote to memory of 1944	4232	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	82
PID 4232 wrote to memory of 1944	4232	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	82
PID 4232 wrote to memory of 1944	4232	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	82
PID 4232 wrote to memory of 1944	4232	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	82
PID 4232 wrote to memory of 1944	4232	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	82
PID 4232 wrote to memory of 1944	4232	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	82
PID 1944 wrote to memory of 3308	1944	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	83
PID 1944 wrote to memory of 3308	1944	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	83
PID 1944 wrote to memory of 3308	1944	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	83
PID 4232 wrote to memory of 4448	4232	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	85
PID 4232 wrote to memory of 4448	4232	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	85
PID 4232 wrote to memory of 4448	4232	aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe	85
PID 3308 wrote to memory of 2572	3308	cmd.exe	87
PID 3308 wrote to memory of 2572	3308	cmd.exe	87
PID 3308 wrote to memory of 2572	3308	cmd.exe	87
PID 3308 wrote to memory of 2516	3308	cmd.exe	88
PID 3308 wrote to memory of 2516	3308	cmd.exe	88
PID 3308 wrote to memory of 2516	3308	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe
"C:\Users\Admin\AppData\Local\Temp\aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe
  "C:\Users\Admin\AppData\Local\Temp\aca94ac4e1c4648d212c90e953b29719d72643be3f8b7b0126fd1e175656f7d8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:2572
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
341B

MD5
f2b40e871bb8f86ab5b98cb543907443

SHA1
c9fdacbcb92abb228cfeac8d0092f911d75d4504

SHA256
e2ca7adb0c8cfb6d051012c02e68af58097bc4ec80ca0ee7cb7c64c36786b6e8

SHA512
6704c067e75c40e6814ad7a3df1259b3900e9a075647cf56340501639d64b379ff14edd9a7dc18396bc428d6a975e0d2464e1285a19f78d1ab46dcebee80d291

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
588KB

MD5
5db12a4e958356cfae39fad766c00bfc

SHA1
c4474dcfb8bb570c7a6d21ea4328e52425af1884

SHA256
64994a098a4fa96ce8718b768d7d3d706b7c602214bac5fc8c1209bc4ba88fae

SHA512
a6e676a0a881f8e54dc6b86c3e98981a655f67ae39c8ef7a98241c308a3be04c8d2e1c254d2a96b856052669ba55b52931d389ee197d20e42eb274763d7c2561

Download Submit
memory/1944-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1944-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1944-5-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1944-6-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download