64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe
Size

588KB
MD5

e2826429b1f33744730db4750d30d6fb
SHA1

8ce19720f5a1d6eef936554a5e0aa6654925af2a
SHA256

64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a
SHA512

98d9923e59c9a6547483abdcb5676d3a9e66d317ac1d337affd55c619784c6ab6bd3de4fc06326f9d4c65341631ca9095cf75e0957d13344cfb4f9d935384608
SSDEEP

12288:5X8BkNgKYUz4EN6BSYNwYQRmvOocHp+IZVrEWluQ:F8BkN8C6i

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2840	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 2076	2056	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	28

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2256	reg.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2076	2056	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	28
PID 2056 wrote to memory of 2076	2056	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	28
PID 2056 wrote to memory of 2076	2056	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	28
PID 2056 wrote to memory of 2076	2056	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	28
PID 2056 wrote to memory of 2076	2056	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	28
PID 2056 wrote to memory of 2076	2056	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	28
PID 2056 wrote to memory of 2076	2056	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	28
PID 2056 wrote to memory of 2076	2056	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	28
PID 2056 wrote to memory of 2076	2056	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	28
PID 2076 wrote to memory of 3012	2076	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	29
PID 2076 wrote to memory of 3012	2076	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	29
PID 2076 wrote to memory of 3012	2076	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	29
PID 2076 wrote to memory of 3012	2076	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	29
PID 2056 wrote to memory of 2840	2056	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	31
PID 2056 wrote to memory of 2840	2056	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	31
PID 2056 wrote to memory of 2840	2056	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	31
PID 2056 wrote to memory of 2840	2056	64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe	31
PID 3012 wrote to memory of 2256	3012	cmd.exe	33
PID 3012 wrote to memory of 2256	3012	cmd.exe	33
PID 3012 wrote to memory of 2256	3012	cmd.exe	33
PID 3012 wrote to memory of 2256	3012	cmd.exe	33
PID 3012 wrote to memory of 2760	3012	cmd.exe	34
PID 3012 wrote to memory of 2760	3012	cmd.exe	34
PID 3012 wrote to memory of 2760	3012	cmd.exe	34
PID 3012 wrote to memory of 2760	3012	cmd.exe	34
PID 3012 wrote to memory of 2760	3012	cmd.exe	34
PID 3012 wrote to memory of 2760	3012	cmd.exe	34
PID 3012 wrote to memory of 2760	3012	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe
"C:\Users\Admin\AppData\Local\Temp\64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe
  "C:\Users\Admin\AppData\Local\Temp\64184396634f508c55e7b89f5d67d086e6472254570835a29ebb38a7b1ebf69a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:2256
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  - Deletes itself
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
341B

MD5
69ee1409c67365add5add7130bddf582

SHA1
3f18247a181536193e23acefefdc5ac64af87e2d

SHA256
a3238321cc1b9c5ee6814ef8d58f949864ccfddf83232eef0d8a151201873f4e

SHA512
d3bc214083b500da141062b4a724e8d0bcc17ef4bbdba79057353f19b68d98ae5668a332556d15fb8cb651b75502a0c84ef5da4a933aa2c77d7771659ad2dd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
588KB

MD5
f97069b2a2b3a05a681cc3e4113848cd

SHA1
ebac6b58b8c183816fa627cf1ebfae3b1ca051d4

SHA256
9938f3e097755ba5f7d17a0a7fcec1c7733c0b767d23a55ae2c59ea97e19ae7d

SHA512
c179e275ab9082b6d0e388f8cc83da5e36a99c31ce76e0a4006a3988cb3c1df8fd9e642647ce354d20301bfd2f8a7d3e8f57a511747c81e718a1fedd3d4e2037

Download Submit
memory/2076-4-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-6-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download