7577262fc95eb1cd41448a817e9bf4cdf4c235ba5db83cb4992eb9b766ffb452

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-21_8b2aa0f8aa9886903d7550e94a92fffd_hiddentear.exe
Size

388KB
MD5

8b2aa0f8aa9886903d7550e94a92fffd
SHA1

0468ce60ce5e589e30b44783b266b1bf56f0f37a
SHA256

7577262fc95eb1cd41448a817e9bf4cdf4c235ba5db83cb4992eb9b766ffb452
SHA512

c4a0fc55478e2787596bd23c79b5b403e9e7182cab7220ec06938f46df4556368152933aeef9480ef3a3466b5d8c7fc9a5e58404603e114f4c098794cb48012f
SSDEEP

6144:KriwfRtCYQA2XFiFLL0E2XEiN0K3k9/pXEw8dHJhTdUB5jS+lDAA:e5tCllbXEyUi7dHJVdUB5NdAA

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdater = "C:\\ProgramData\\2024-12-21_8b2aa0f8aa9886903d7550e94a92fffd_hiddentear.exe"	2024-12-21_8b2aa0f8aa9886903d7550e94a92fffd_hiddentear.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2128	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2156	2024-12-21_8b2aa0f8aa9886903d7550e94a92fffd_hiddentear.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	2024-12-21_8b2aa0f8aa9886903d7550e94a92fffd_hiddentear.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1128	2156	2024-12-21_8b2aa0f8aa9886903d7550e94a92fffd_hiddentear.exe	20
PID 2156 wrote to memory of 2804	2156	2024-12-21_8b2aa0f8aa9886903d7550e94a92fffd_hiddentear.exe	30
PID 2156 wrote to memory of 2804	2156	2024-12-21_8b2aa0f8aa9886903d7550e94a92fffd_hiddentear.exe	30
PID 2156 wrote to memory of 2804	2156	2024-12-21_8b2aa0f8aa9886903d7550e94a92fffd_hiddentear.exe	30
PID 2804 wrote to memory of 2128	2804	cmd.exe	32
PID 2804 wrote to memory of 2128	2804	cmd.exe	32
PID 2804 wrote to memory of 2128	2804	cmd.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1128
- C:\Users\Admin\AppData\Local\Temp\2024-12-21_8b2aa0f8aa9886903d7550e94a92fffd_hiddentear.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-12-21_8b2aa0f8aa9886903d7550e94a92fffd_hiddentear.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\system32\cmd.exe
    "cmd" /c timeout /t 1 && DEL /f 2024-12-21_8b2aa0f8aa9886903d7550e94a92fffd_hiddentear.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1128-4-0x0000000002F00000-0x0000000002F45000-memory.dmp

Filesize
276KB

Download
memory/1128-3-0x0000000002F00000-0x0000000002F45000-memory.dmp

Filesize
276KB

Download
memory/1128-5-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/2156-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

Filesize
4KB

Download
memory/2156-1-0x0000000000AE0000-0x0000000000B46000-memory.dmp

Filesize
408KB

Download