3465e3dd2029ec4ffef8d4218861281a97a1ba5da1b876dc35e21a870bef68d4

Analysis

max time kernel
119s
max time network
21s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 03:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5c2d315deb28cde8f80dacb12eedc460N.exe
Size

94KB
MD5

5c2d315deb28cde8f80dacb12eedc460
SHA1

a00b663d4cf1168a0fab961eab4a9fd7589426e4
SHA256

3465e3dd2029ec4ffef8d4218861281a97a1ba5da1b876dc35e21a870bef68d4
SHA512

7caf156270e526f7b18fd0b05aaef742375d5ab90ac66618f4c1304cacc31d78e8f44455697e3f77f6ea895c403ed131d782d9806e93f38b9bbe662ee4633056
SSDEEP

1536:PGYU/W2/HG6QMauSV3ixJHABLrmhH7i9CO+WHg7zRZICrWaGZh7uJ:PfU/WF6QMauSuiWNi9CO+WARJrWNZG

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3016	wuauclt.exe

Loads dropped DLL 1 IoCs

pid	Process
2980	5c2d315deb28cde8f80dacb12eedc460N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"	5c2d315deb28cde8f80dacb12eedc460N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3016	2980	5c2d315deb28cde8f80dacb12eedc460N.exe	30
PID 2980 wrote to memory of 3016	2980	5c2d315deb28cde8f80dacb12eedc460N.exe	30
PID 2980 wrote to memory of 3016	2980	5c2d315deb28cde8f80dacb12eedc460N.exe	30
PID 2980 wrote to memory of 3016	2980	5c2d315deb28cde8f80dacb12eedc460N.exe	30
PID 2980 wrote to memory of 2744	2980	5c2d315deb28cde8f80dacb12eedc460N.exe	32
PID 2980 wrote to memory of 2744	2980	5c2d315deb28cde8f80dacb12eedc460N.exe	32
PID 2980 wrote to memory of 2744	2980	5c2d315deb28cde8f80dacb12eedc460N.exe	32
PID 2980 wrote to memory of 2744	2980	5c2d315deb28cde8f80dacb12eedc460N.exe	32

C:\Users\Admin\AppData\Local\Temp\5c2d315deb28cde8f80dacb12eedc460N.exe
"C:\Users\Admin\AppData\Local\Temp\5c2d315deb28cde8f80dacb12eedc460N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2980
- C:\ProgramData\Update\wuauclt.exe
  "C:\ProgramData\Update\wuauclt.exe" /run
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\windows\SysWOW64\cmd.exe
  "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\5c2d315deb28cde8f80dacb12eedc460N.exe" >> NUL
  2⤵
  - Deletes itself
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Update\wuauclt.exe

Filesize
94KB

MD5
acc8be74cc2b902e029935ae05e5a37c

SHA1
17c69d5926ae4d8e1352b0528af42755a073926d

SHA256
14dbf4e0135838e31dfb82309dcb6f1b376cb55da8e445f65f3288c6aa630278

SHA512
d5791145405d773461a5533d5861b716341e52f84dbfcbe69c1e15893ebc0bbb541da2251d5b9591ea5578500323a61abd69c7a3f7eff26ebfe2565cbac17a5f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads