7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529

Analysis

max time kernel
43s
max time network
61s
platform
windows7_x64
resource
win7-20220414-en
submitted
27-04-2022 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529.exe
Size

1010KB
MD5

9f1ce9c287893dd64fd52636ca6b8633
SHA1

8eabaaddd2ba0a07e9e1df042ab951f7f311ecda
SHA256

7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529
SHA512

e625ee5f29a78796c20c93fdc7c078c8e82053b2dd21bb50975ee616bcab70419128eedcc4447e77c221e49c839da53fcb4117fd1496da33a244ba1c3481c564

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

svchost.comsvchost.com

pid process

1960 svchost.com
964 svchost.com
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1484 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exesvchost.com

pid process

1952 cmd.exe
1960 svchost.com

pid	process
1960	svchost.com
964	svchost.com

pid	process
1484	powershell.exe

pid	process
1952	cmd.exe
1960	svchost.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1956 tasklist.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

472 PING.EXE
1684 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe

pid process

1484 powershell.exe
1484 powershell.exe
1484 powershell.exe
1484 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1956 tasklist.exe
Token: SeDebugPrivilege 1484 powershell.exe

pid	process
1956	tasklist.exe

pid	process
472	PING.EXE
1684	PING.EXE

pid	process
1484	powershell.exe
1484	powershell.exe
1484	powershell.exe
1484	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1956	tasklist.exe
Token: SeDebugPrivilege	1484	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529.execmd.execmd.exesvchost.com

description	pid	process	target process
PID 632 wrote to memory of 1628	632	7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529.exe	cmd.exe
PID 632 wrote to memory of 1628	632	7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529.exe	cmd.exe
PID 632 wrote to memory of 1628	632	7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529.exe	cmd.exe
PID 632 wrote to memory of 1628	632	7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529.exe	cmd.exe
PID 1628 wrote to memory of 1952	1628	cmd.exe	cmd.exe
PID 1628 wrote to memory of 1952	1628	cmd.exe	cmd.exe
PID 1628 wrote to memory of 1952	1628	cmd.exe	cmd.exe
PID 1628 wrote to memory of 1952	1628	cmd.exe	cmd.exe
PID 1952 wrote to memory of 1956	1952	cmd.exe	tasklist.exe
PID 1952 wrote to memory of 1956	1952	cmd.exe	tasklist.exe
PID 1952 wrote to memory of 1956	1952	cmd.exe	tasklist.exe
PID 1952 wrote to memory of 1956	1952	cmd.exe	tasklist.exe
PID 1952 wrote to memory of 900	1952	cmd.exe	find.exe
PID 1952 wrote to memory of 900	1952	cmd.exe	find.exe
PID 1952 wrote to memory of 900	1952	cmd.exe	find.exe
PID 1952 wrote to memory of 900	1952	cmd.exe	find.exe
PID 1952 wrote to memory of 1684	1952	cmd.exe	PING.EXE
PID 1952 wrote to memory of 1684	1952	cmd.exe	PING.EXE
PID 1952 wrote to memory of 1684	1952	cmd.exe	PING.EXE
PID 1952 wrote to memory of 1684	1952	cmd.exe	PING.EXE
PID 1952 wrote to memory of 2004	1952	cmd.exe	certutil.exe
PID 1952 wrote to memory of 2004	1952	cmd.exe	certutil.exe
PID 1952 wrote to memory of 2004	1952	cmd.exe	certutil.exe
PID 1952 wrote to memory of 2004	1952	cmd.exe	certutil.exe
PID 1952 wrote to memory of 1960	1952	cmd.exe	svchost.com
PID 1952 wrote to memory of 1960	1952	cmd.exe	svchost.com
PID 1952 wrote to memory of 1960	1952	cmd.exe	svchost.com
PID 1952 wrote to memory of 1960	1952	cmd.exe	svchost.com
PID 1952 wrote to memory of 472	1952	cmd.exe	PING.EXE
PID 1952 wrote to memory of 472	1952	cmd.exe	PING.EXE
PID 1952 wrote to memory of 472	1952	cmd.exe	PING.EXE
PID 1952 wrote to memory of 472	1952	cmd.exe	PING.EXE
PID 1960 wrote to memory of 964	1960	svchost.com	svchost.com
PID 1960 wrote to memory of 964	1960	svchost.com	svchost.com
PID 1960 wrote to memory of 964	1960	svchost.com	svchost.com
PID 1960 wrote to memory of 964	1960	svchost.com	svchost.com
PID 632 wrote to memory of 1484	632	7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529.exe	powershell.exe
PID 632 wrote to memory of 1484	632	7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529.exe	powershell.exe
PID 632 wrote to memory of 1484	632	7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529.exe	powershell.exe
PID 632 wrote to memory of 1484	632	7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529.exe
"C:\Users\Admin\AppData\Local\Temp\7bcd22e964544f14d0b786e95aa887a45316e81892723aebd95d7cca57bf0529.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < qRkbaZfHtQvAiFOHMqduUmyVaelyGrRcbnX.fTltuLzMpnthuhXiRBGBMfydOlwqYw
2⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq srvpost.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SysWOW64\find.exe
find /I /N "srvpost.exe"
4⤵
PID:900

C:\Windows\SysWOW64\PING.EXE
ping -n 1 dZfIyLIE.dZfIyLIE
4⤵
- Runs ping.exe
PID:1684

C:\Windows\SysWOW64\certutil.exe
certutil -decode jYFmYAyAEkCYMhGkNcEoWUAKvpNCfQhelWGC.ECNidNWLgupiMCdzHFabUeOMDlOXAOPGtdpSQqGuEZirExC S
4⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.com
svchost.com S
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.com S
5⤵
- Executes dropped EXE
PID:964

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command $oms=(Get-WmiObject win32_process -Filter "processid=$pid").parentprocessid; $sfl=(Get-WmiObject win32_process -Filter "processid=$oms").executablepath; Stop-Process -ID $oms -Force; Start-Sleep -s 1; Remove-Item -path $sfl
2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EnCrFKxaFYGaHQPssbKEwIozdU.KdqKHwYYymuFPLQuItaXwJJboxVpVfoNLPJeEgYdJSJSkR
Filesize
128KB

MD5
de195cf29f1ed4b5e7056fc8cfb993d3

SHA1
94f5a2b8faeeddc28d6adc207aa07740446b94af

SHA256
89839dda038a1bc588edcf731788e5fc4ad5378b986ebf7d15beae93628106a6

SHA512
71e3102ff4fcdf2ae387e460e5b3eccdbcfb7d9ff127cad28813776ef3e5bd7b0ce588ff1c0cefa990c9b529d1aae2be1657d25ffbb59ec54bc2ec3d4d98f33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\S
Filesize
583KB

MD5
d95450ef9be60a657fde1e63bf76b592

SHA1
8d7c6cd69734ef874355f0c87b664d866c60d14d

SHA256
6ad572f94bd856e82fa81b16fddba31e738d77c6a537894897f137b437ea063d

SHA512
e4854531ed650dfc2e0c6b5e74d600063d2656d13c846181ab1626113dfbbe62cad03fccafc931cf3cab711fcd4162df29253077ac8569bb309e2c99164df5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VzEvUlwPZuxtANiFWXqLtGqLFBRIgdWJUu.eEvkQxffglcYgHtybDKxfaTRzazBJlKlxQtwmMpsPdMApCDw
Filesize
909KB

MD5
589209d4b9c55814b42abacf62bd4b5e

SHA1
b10a6eb66ccef27e76bd09d34e732656b76d352d

SHA256
f9528942aceae1d9d6728f8a89cba5895e0d03e71cb0f9cef4c41613c51bb990

SHA512
6acfffe7898ee69238927d8d62a7d2c005cec1426a17d1d33d24a29a7e12bdb069c0156682049e43520c35ee3d6812c49f94ea48dc38e5a9df670810152f0a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jYFmYAyAEkCYMhGkNcEoWUAKvpNCfQhelWGC.ECNidNWLgupiMCdzHFabUeOMDlOXAOPGtdpSQqGuEZirExC
Filesize
802KB

MD5
65647870cbb41e7bab4b1037a631711c

SHA1
f8a6c7bbf3fa9d4107368cfd6129e130d73f0dc3

SHA256
b68d98a7e8756bb45db002f86f440a618bfc81e0983922b94e9361aeaa23850f

SHA512
1be963ef232836a2ea8560643fe405840979494cee60134de42fc7990ab913c7dca9abda24cd5c63aee583325f87edf446c473d225cf3ded511db2ef09b21503

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qRkbaZfHtQvAiFOHMqduUmyVaelyGrRcbnX.fTltuLzMpnthuhXiRBGBMfydOlwqYw
Filesize
4KB

MD5
8ebe2a6726580ea8f9dd37d942fa8339

SHA1
5380e207b0b2c4c1776251ffd42d2a769513a0fd

SHA256
7dabf675d3e6944e8962f08c02bb1287b06bd398513f3111f5a8b60b5e00a8a6

SHA512
efd73e9873d2d683eec8e7619d6374c6a93b82b4e7b190cddd139d7458316afc83c76b8ec60d75c03cb7f35aa2abab226122272b684d4126860d810e7c50d9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.com
Filesize
910KB

MD5
6044ba604bb80aa7d9ad6dbfd9cadaca

SHA1
8cc61cc5c9e5c1d038cee584bb61078fec757ada

SHA256
9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

SHA512
ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.com
Filesize
910KB

MD5
6044ba604bb80aa7d9ad6dbfd9cadaca

SHA1
8cc61cc5c9e5c1d038cee584bb61078fec757ada

SHA256
9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

SHA512
ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.com
Filesize
910KB

MD5
6044ba604bb80aa7d9ad6dbfd9cadaca

SHA1
8cc61cc5c9e5c1d038cee584bb61078fec757ada

SHA256
9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

SHA512
ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.com
Filesize
910KB

MD5
6044ba604bb80aa7d9ad6dbfd9cadaca

SHA1
8cc61cc5c9e5c1d038cee584bb61078fec757ada

SHA256
9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

SHA512
ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.com
Filesize
910KB

MD5
6044ba604bb80aa7d9ad6dbfd9cadaca

SHA1
8cc61cc5c9e5c1d038cee584bb61078fec757ada

SHA256
9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

SHA512
ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

Download Submit
memory/472-67-0x0000000000000000-mapping.dmp

Download
memory/900-58-0x0000000000000000-mapping.dmp

Download
memory/964-72-0x0000000000000000-mapping.dmp

Download
memory/1484-76-0x0000000000000000-mapping.dmp

Download
memory/1484-78-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-54-0x0000000000000000-mapping.dmp

Download
memory/1684-59-0x0000000000000000-mapping.dmp

Download
memory/1952-56-0x0000000000000000-mapping.dmp

Download
memory/1956-57-0x0000000000000000-mapping.dmp

Download
memory/1960-65-0x0000000000000000-mapping.dmp

Download
memory/2004-62-0x0000000075391000-0x0000000075393000-memory.dmp

Filesize
8KB

Download
memory/2004-61-0x0000000000000000-mapping.dmp

Download