c8823c8de68479667c463629187769850c18e23730ad69f6411c3785e9d88d8a

Analysis

max time kernel
419s
max time network
423s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 13:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

breach.exe
Size

173KB
MD5

351e14a3438b01c0bca89e980a7cab91
SHA1

b6d6897d6a0f86497ab262fbe0aecbba49969385
SHA256

c8823c8de68479667c463629187769850c18e23730ad69f6411c3785e9d88d8a
SHA512

2e7b380361866623c055b43c454106c8869a513efc0e2a49d8a5c533fcbab61819b900cb33847aa7249a69787ad7a76d3d8df99b4bf143a4752a32e205e611b9
SSDEEP

3072:iahKyd2n31W5GWp1icKAArDZz4N9GhbkrNEk+5fJ3qa1wOj9zF:iahOKp0yN90QEyOT

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	breach.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2396	2868	breach.exe	82
PID 2868 wrote to memory of 2396	2868	breach.exe	82
PID 2396 wrote to memory of 400	2396	cmd.exe	84
PID 2396 wrote to memory of 400	2396	cmd.exe	84
PID 2396 wrote to memory of 3916	2396	cmd.exe	94
PID 2396 wrote to memory of 3916	2396	cmd.exe	94
PID 2396 wrote to memory of 728	2396	cmd.exe	95
PID 2396 wrote to memory of 728	2396	cmd.exe	95
PID 2396 wrote to memory of 4532	2396	cmd.exe	96
PID 2396 wrote to memory of 4532	2396	cmd.exe	96
PID 2396 wrote to memory of 4260	2396	cmd.exe	97
PID 2396 wrote to memory of 4260	2396	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\breach.exe
"C:\Users\Admin\AppData\Local\Temp\breach.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "breach.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo 111.111.11 "
    3⤵
    PID:3916
- - C:\Windows\system32\findstr.exe
    findstr /r /i /c:"^$[0-9]\{1,3\}\.$\{3\}[0-9]\{1,3\}$"
    3⤵
    PID:728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo 111.111.11 "
    3⤵
    PID:4532
- - C:\Windows\system32\findstr.exe
    findstr /r /i /c:"^$[0-9]\{1,3\}\.$\{3\}[0-9]\{1,3\}$"
    3⤵
    PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\breach.bat

Filesize
37KB

MD5
486b68f1fcefa5779d8c92a910cf994d

SHA1
a530738357f927e8a6332efc61be9298f7cdd33a

SHA256
598bb3b6b67ffc236360719db14389b062d482013b534aca84582afec2011472

SHA512
6a13b695d17be962b658e9c78ee3e9bfe0101d81f6700e5eebd5d95fda0fa1458ba6b2282b4cc6376aac3bca928e44e1cfabdfc69dd060119848924a57aca212

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads