d3b2368c5f381000a33dca4350f09d08bbf387db1dcbef6ca80e73314e9832bc

Resubmissions

04/10/2024, 05:50

241004-gjrn9axfjj 8

04/10/2024, 05:35

241004-gachzaxbkq 8

04/10/2024, 05:33

241004-f8x2ws1crh 8

Analysis

max time kernel
0s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04/10/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Error Fix (1).exe
Size

16.2MB
MD5

6f27f8fd023cf39fbad2d508dfae0624
SHA1

df5dda7bf577d06c1c7384510b3538048a6e5f2c
SHA256

d3b2368c5f381000a33dca4350f09d08bbf387db1dcbef6ca80e73314e9832bc
SHA512

36e20eae172d4440fb060d9c0fb8b0236c7f5d376ec6c2bcd3003366d3b3a987a8fd641b5637a4c35fd68b5b3455a2e4d3b6da44911cf427d7aa22e18a469ec3
SSDEEP

196608:4HUbjbGRS/lCMnUVahOTeT9L4qfq/Lm/A5F:D3bB/ERIOT9wA

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 900	1216	Error Fix (1).exe	79
PID 1216 wrote to memory of 900	1216	Error Fix (1).exe	79
PID 900 wrote to memory of 4792	900	cmd.exe	80
PID 900 wrote to memory of 4792	900	cmd.exe	80
PID 1216 wrote to memory of 2792	1216	Error Fix (1).exe	81
PID 1216 wrote to memory of 2792	1216	Error Fix (1).exe	81
PID 2792 wrote to memory of 5036	2792	cmd.exe	82
PID 2792 wrote to memory of 5036	2792	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\Error Fix (1).exe
"C:\Users\Admin\AppData\Local\Temp\Error Fix (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 0 /f
    3⤵
    PID:4792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "" /f
    3⤵
    PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads