f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe
Size

588KB
MD5

58ee32023c2704973fb828d8b5ed4b66
SHA1

b1cf7ccacc64d301fe6b06f56e4b893365ce98f0
SHA256

f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0
SHA512

e71f2b576ebb43e39346ecede4b75172c6b90ce495c15b84c4094de51407f68b2573f8ff768adef9894dcfa3bc80b57b7356cf750e984da633e1106f6332939b
SSDEEP

12288:5X8BkNgKYUz4EN6BSYNwYQRmvOocHp+IZVrEWlu4:F8BkN8C6+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2848	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2124 set thread context of 2912	2124	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	28

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2712	reg.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2912	2124	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	28
PID 2124 wrote to memory of 2912	2124	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	28
PID 2124 wrote to memory of 2912	2124	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	28
PID 2124 wrote to memory of 2912	2124	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	28
PID 2124 wrote to memory of 2912	2124	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	28
PID 2124 wrote to memory of 2912	2124	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	28
PID 2124 wrote to memory of 2912	2124	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	28
PID 2124 wrote to memory of 2912	2124	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	28
PID 2124 wrote to memory of 2912	2124	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	28
PID 2912 wrote to memory of 2788	2912	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	29
PID 2912 wrote to memory of 2788	2912	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	29
PID 2912 wrote to memory of 2788	2912	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	29
PID 2912 wrote to memory of 2788	2912	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	29
PID 2124 wrote to memory of 2848	2124	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	31
PID 2124 wrote to memory of 2848	2124	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	31
PID 2124 wrote to memory of 2848	2124	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	31
PID 2124 wrote to memory of 2848	2124	f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe	31
PID 2788 wrote to memory of 2712	2788	cmd.exe	33
PID 2788 wrote to memory of 2712	2788	cmd.exe	33
PID 2788 wrote to memory of 2712	2788	cmd.exe	33
PID 2788 wrote to memory of 2712	2788	cmd.exe	33
PID 2788 wrote to memory of 2904	2788	cmd.exe	34
PID 2788 wrote to memory of 2904	2788	cmd.exe	34
PID 2788 wrote to memory of 2904	2788	cmd.exe	34
PID 2788 wrote to memory of 2904	2788	cmd.exe	34
PID 2788 wrote to memory of 2904	2788	cmd.exe	34
PID 2788 wrote to memory of 2904	2788	cmd.exe	34
PID 2788 wrote to memory of 2904	2788	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe
"C:\Users\Admin\AppData\Local\Temp\f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe
  "C:\Users\Admin\AppData\Local\Temp\f5b93e04f7699bea754f5be10d11e42a7233603b054d54b788f66c8c28211da0.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:2712
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  - Deletes itself
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
341B

MD5
a679c3f8b88faeddbf312d1f582aa094

SHA1
b4841c741765c1c5fe46fa806a1583a48feb8525

SHA256
486ad3f502c3e3907f2f90894cf2d020f04e6883f4ad5cbab08b7e00d00c141c

SHA512
e2cd1e940f5420581f5bc20b372b9ed6b91e03f5e09dea2c2abbbeb69ff4bb9d833abfcd1b04a67712f9ca8597bad6a13b022069db4ce8c4287cdcffa33f1e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
588KB

MD5
5562adb9eb68b8f4e143eab92146418c

SHA1
6c1f1aa8fe4c9e06f6ff0e5d8802665948d69b23

SHA256
d201f9f6633351b7e4487cc2e5b2f262bee1b5e5637784fe454f4fdd6df3d0e3

SHA512
71bddc034e23f9441aa7af2b8937643a2b7ec0ae1213d100d78169ca5cfe675bfadbdb911734fdaca1256f5a2eb2e3899e96106cc5ce3a3d994e5e4a467b199b

Download Submit
memory/2912-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2912-6-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2912-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2912-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2912-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2912-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2912-4-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2912-3-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2912-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download