b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

Resubmissions

25-01-2022 20:58

220125-zr9txafah2 10

25-01-2022 05:22

220125-f2kszshddn 10

Analysis

max time kernel
117s
max time network
150s
platform
windows7_x64
resource
win7-en-20211208
submitted
25-01-2022 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5320340037751e10748b6463fab8ee0.exe
Size

2.1MB
MD5

b5320340037751e10748b6463fab8ee0
SHA1

b3e9a125688e9da67708adfcada41bb56de2cd3d
SHA256

b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d
SHA512

67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Score

10^/10

persistence

Malware Config

Signatures

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1856	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	1856	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1856	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1856	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	1856	schtasks.exe	27

Executes dropped EXE 1 IoCs

pid	Process
848	winlogon.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Favorites\\csrss.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\msvcr110\\winlogon.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\NlsData002a\\csrss.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\IME\\spoolsv.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\SCardSvr\\smss.exe\""	b5320340037751e10748b6463fab8ee0.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\System32\msvcr110\winlogon.exe	b5320340037751e10748b6463fab8ee0.exe
File opened for modification	C:\Windows\System32\msvcr110\winlogon.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\msvcr110\cc11b995f2a76d	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\NlsData002a\csrss.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\NlsData002a\886983d96e3d3e	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\SCardSvr\smss.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\SCardSvr\69ddcba757bf72	b5320340037751e10748b6463fab8ee0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\IME\spoolsv.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\IME\f3b6ecef712a24	b5320340037751e10748b6463fab8ee0.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1528	schtasks.exe
612	schtasks.exe
1640	schtasks.exe
1716	schtasks.exe
1396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
740	b5320340037751e10748b6463fab8ee0.exe
1036	powershell.exe
1316	powershell.exe
1412	powershell.exe
1660	powershell.exe
1512	powershell.exe
1868	powershell.exe
848	winlogon.exe
848	winlogon.exe
848	winlogon.exe
848	winlogon.exe
848	winlogon.exe
848	winlogon.exe
848	winlogon.exe
848	winlogon.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	740	b5320340037751e10748b6463fab8ee0.exe
Token: SeDebugPrivilege	848	winlogon.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 1512	740	b5320340037751e10748b6463fab8ee0.exe	33
PID 740 wrote to memory of 1512	740	b5320340037751e10748b6463fab8ee0.exe	33
PID 740 wrote to memory of 1512	740	b5320340037751e10748b6463fab8ee0.exe	33
PID 740 wrote to memory of 1316	740	b5320340037751e10748b6463fab8ee0.exe	44
PID 740 wrote to memory of 1316	740	b5320340037751e10748b6463fab8ee0.exe	44
PID 740 wrote to memory of 1316	740	b5320340037751e10748b6463fab8ee0.exe	44
PID 740 wrote to memory of 1660	740	b5320340037751e10748b6463fab8ee0.exe	34
PID 740 wrote to memory of 1660	740	b5320340037751e10748b6463fab8ee0.exe	34
PID 740 wrote to memory of 1660	740	b5320340037751e10748b6463fab8ee0.exe	34
PID 740 wrote to memory of 1412	740	b5320340037751e10748b6463fab8ee0.exe	42
PID 740 wrote to memory of 1412	740	b5320340037751e10748b6463fab8ee0.exe	42
PID 740 wrote to memory of 1412	740	b5320340037751e10748b6463fab8ee0.exe	42
PID 740 wrote to memory of 1868	740	b5320340037751e10748b6463fab8ee0.exe	40
PID 740 wrote to memory of 1868	740	b5320340037751e10748b6463fab8ee0.exe	40
PID 740 wrote to memory of 1868	740	b5320340037751e10748b6463fab8ee0.exe	40
PID 740 wrote to memory of 1036	740	b5320340037751e10748b6463fab8ee0.exe	39
PID 740 wrote to memory of 1036	740	b5320340037751e10748b6463fab8ee0.exe	39
PID 740 wrote to memory of 1036	740	b5320340037751e10748b6463fab8ee0.exe	39
PID 740 wrote to memory of 848	740	b5320340037751e10748b6463fab8ee0.exe	45
PID 740 wrote to memory of 848	740	b5320340037751e10748b6463fab8ee0.exe	45
PID 740 wrote to memory of 848	740	b5320340037751e10748b6463fab8ee0.exe	45

C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe
"C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NlsData002a\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\SCardSvr\smss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\spoolsv.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\msvcr110\winlogon.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\System32\msvcr110\winlogon.exe
  "C:\Windows\System32\msvcr110\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\msvcr110\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\NlsData002a\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\IME\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\SCardSvr\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-58-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/740-61-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/740-62-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/740-63-0x00000000007B0000-0x00000000007BA000-memory.dmp

Filesize
40KB

Download
memory/740-55-0x0000000000800000-0x0000000000A2C000-memory.dmp

Filesize
2.2MB

Download
memory/740-56-0x0000000002130000-0x00000000021B2000-memory.dmp

Filesize
520KB

Download
memory/740-57-0x0000000000520000-0x0000000000576000-memory.dmp

Filesize
344KB

Download
memory/740-59-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/740-60-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/848-73-0x0000000000C20000-0x0000000001090000-memory.dmp

Filesize
4.4MB

Download
memory/848-71-0x0000000001090000-0x00000000012BC000-memory.dmp

Filesize
2.2MB

Download
memory/848-89-0x00000000008A0000-0x00000000008B2000-memory.dmp

Filesize
72KB

Download
memory/1036-110-0x00000000024BB000-0x00000000024DA000-memory.dmp

Filesize
124KB

Download
memory/1036-90-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download
memory/1036-100-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1036-84-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/1036-77-0x000007FEEB740000-0x000007FEEC29D000-memory.dmp

Filesize
11.4MB

Download
memory/1036-86-0x00000000024B2000-0x00000000024B4000-memory.dmp

Filesize
8KB

Download
memory/1316-80-0x000007FEEB740000-0x000007FEEC29D000-memory.dmp

Filesize
11.4MB

Download
memory/1316-109-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/1316-93-0x0000000002830000-0x0000000002832000-memory.dmp

Filesize
8KB

Download
memory/1316-101-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/1316-95-0x0000000002832000-0x0000000002834000-memory.dmp

Filesize
8KB

Download
memory/1316-96-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1412-108-0x00000000029BB000-0x00000000029DA000-memory.dmp

Filesize
124KB

Download
memory/1412-97-0x00000000029B2000-0x00000000029B4000-memory.dmp

Filesize
8KB

Download
memory/1412-98-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/1412-102-0x000000001B8D0000-0x000000001BBCF000-memory.dmp

Filesize
3.0MB

Download
memory/1412-88-0x00000000029B0000-0x00000000029B2000-memory.dmp

Filesize
8KB

Download
memory/1412-81-0x000007FEEB740000-0x000007FEEC29D000-memory.dmp

Filesize
11.4MB

Download
memory/1512-99-0x0000000001D00000-0x0000000002030000-memory.dmp

Filesize
3.2MB

Download
memory/1512-106-0x0000000001D00000-0x0000000002030000-memory.dmp

Filesize
3.2MB

Download
memory/1512-82-0x000007FEEB740000-0x000007FEEC29D000-memory.dmp

Filesize
11.4MB

Download
memory/1512-65-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp

Filesize
8KB

Download
memory/1512-104-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/1660-87-0x00000000028D2000-0x00000000028D4000-memory.dmp

Filesize
8KB

Download
memory/1660-103-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/1660-85-0x00000000028D0000-0x00000000028D2000-memory.dmp

Filesize
8KB

Download
memory/1660-79-0x000007FEEB740000-0x000007FEEC29D000-memory.dmp

Filesize
11.4MB

Download
memory/1660-94-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/1660-111-0x00000000028DB000-0x00000000028FA000-memory.dmp

Filesize
124KB

Download
memory/1868-105-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/1868-91-0x00000000024B2000-0x00000000024B4000-memory.dmp

Filesize
8KB

Download
memory/1868-83-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/1868-78-0x000007FEEB740000-0x000007FEEC29D000-memory.dmp

Filesize
11.4MB

Download
memory/1868-107-0x00000000024BB000-0x00000000024DA000-memory.dmp

Filesize
124KB

Download
memory/1868-92-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download