1afb2ed8f468819ae11f4c24d82c73e059fa301415ad6decc25b0b9a7e87a6e1

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57ae89b30d5c863b39239b7205c58a90N.exe
Size

93KB
MD5

57ae89b30d5c863b39239b7205c58a90
SHA1

e9822712c25940f47838285bdce7ffdf77eabf40
SHA256

1afb2ed8f468819ae11f4c24d82c73e059fa301415ad6decc25b0b9a7e87a6e1
SHA512

29406829cffdf30693daec1f51da1bb333786d9806ae4425a0d11b9fb42417f265e70ff4dcb6919f1baca5102bf6540bf26d05290c85ac511dfaff71f3b796bb
SSDEEP

1536:PGYU/W2/HG6QMauSV3ixJHABLrmhH7i9CO+WHg7zRZICrWaGZh7L:PfU/WF6QMauSuiWNi9CO+WARJrWNZ1

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2672	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2360	wuauclt.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	57ae89b30d5c863b39239b7205c58a90N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"	57ae89b30d5c863b39239b7205c58a90N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2360	3024	57ae89b30d5c863b39239b7205c58a90N.exe	31
PID 3024 wrote to memory of 2360	3024	57ae89b30d5c863b39239b7205c58a90N.exe	31
PID 3024 wrote to memory of 2360	3024	57ae89b30d5c863b39239b7205c58a90N.exe	31
PID 3024 wrote to memory of 2360	3024	57ae89b30d5c863b39239b7205c58a90N.exe	31
PID 3024 wrote to memory of 2672	3024	57ae89b30d5c863b39239b7205c58a90N.exe	32
PID 3024 wrote to memory of 2672	3024	57ae89b30d5c863b39239b7205c58a90N.exe	32
PID 3024 wrote to memory of 2672	3024	57ae89b30d5c863b39239b7205c58a90N.exe	32
PID 3024 wrote to memory of 2672	3024	57ae89b30d5c863b39239b7205c58a90N.exe	32

C:\Users\Admin\AppData\Local\Temp\57ae89b30d5c863b39239b7205c58a90N.exe
"C:\Users\Admin\AppData\Local\Temp\57ae89b30d5c863b39239b7205c58a90N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3024
- C:\ProgramData\Update\wuauclt.exe
  "C:\ProgramData\Update\wuauclt.exe" /run
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\windows\SysWOW64\cmd.exe
  "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\57ae89b30d5c863b39239b7205c58a90N.exe" >> NUL
  2⤵
  - Deletes itself
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Update\wuauclt.exe

Filesize
94KB

MD5
d7264ea85c7384540470c51b1fc383c5

SHA1
d7757825ba1c9352c0e691444e56fc8c16af08cc

SHA256
ca1b4e11122f9b761e61d34ffebd6a455634c7879f0cb6c27c6fdd0c94e7fc97

SHA512
998f713c8d06ebcc74abb84e86b28331b43c7dea8ce782cb0806d07519c09ba63b79c197b4ea0f47e80f6f465003c2fb9f988cb48b1c0e0a436c65719a8a926a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads