Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-05-2022 03:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: $77_loader.exe
- Resource: win7-20220414-en
General
- Target: $77_loader.exe
- Size: 397KB
- MD5: aff57ee1a4f3731c2036046910f78fb4
- SHA1: ef9627c0cadff85a3dfaab6aef0b7c885f03b186
- SHA256: 3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
- SHA512: 5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f
Malware Config
Signatures
- Sets file execution options in registry (2 TTPs)
- Modifies powershell logging option (1 TTP)
- Drops file in Windows directory (2 IoCs)
  Processes:
  - $77_loader.exe: File created C:\Windows\SoftwareDistribution\config.xml
  - $77_loader.exe: File opened for modification C:\Windows\SoftwareDistribution\config.xml
- Gathers network information (2 TTPs, 6 IoCs)
  Uses commandline utility to view network configuration.
  Processes:
  - NETSTAT.EXE, PIDs 1600, 1376, 992, 1704, 1584, 1504
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  - $77_loader.exe, PID 1620 (reported 5 times)
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 1620, $77_loader.exe
  - Token: SeRestorePrivilege, PID 1972, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, PID 1972, msiexec.exe
  - Token: SeSecurityPrivilege, PID 1972, msiexec.exe
  - Token: SeDebugPrivilege, PID 1600, NETSTAT.EXE
  - Token: SeDebugPrivilege, PID 1376, NETSTAT.EXE
  - Token: SeDebugPrivilege, PID 992, NETSTAT.EXE
  - Token: SeDebugPrivilege, PID 1704, NETSTAT.EXE
  - Token: SeDebugPrivilege, PID 1584, NETSTAT.EXE
  - Token: SeDebugPrivilege, PID 1504, NETSTAT.EXE
- Suspicious use of WriteProcessMemory (45 IoCs)
  Processes (source PID and process -> target PID and process; each pair is reported three times in the original):
  - 1620 $77_loader.exe -> 1944 csc.exe
  - 1944 csc.exe -> 1108 cvtres.exe
  - 1620 $77_loader.exe -> 1036 chcp.com
  - 1620 $77_loader.exe -> 1036 netsh.exe
  - 1620 $77_loader.exe -> 1600 NETSTAT.EXE
  - 1620 $77_loader.exe -> 1376 NETSTAT.EXE
  - 1620 $77_loader.exe -> 992 NETSTAT.EXE
  - 1620 $77_loader.exe -> 1884 netsh.exe
  - 1620 $77_loader.exe -> 1656 netsh.exe
  - 1620 $77_loader.exe -> 852 netsh.exe
  - 1620 $77_loader.exe -> 1260 netsh.exe
  - 1620 $77_loader.exe -> 1556 netsh.exe
  - 1620 $77_loader.exe -> 1704 NETSTAT.EXE
  - 1620 $77_loader.exe -> 1584 NETSTAT.EXE
  - 1620 $77_loader.exe -> 1504 NETSTAT.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\$77_loader.exe (PID 1620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID 1944)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\34smwh6o.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 1108)
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEBD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDDB3.tmp"
  - C:\Windows\system32\chcp.com (PID 1036)
    Command line: "C:\Windows\system32\chcp.com" 437
  - C:\Windows\system32\netsh.exe (PID 1036)
    Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
  - C:\Windows\system32\NETSTAT.EXE (PID 1600)
    Command line: "C:\Windows\system32\NETSTAT.EXE" -na
    Signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\NETSTAT.EXE (PID 1376)
    Command line: "C:\Windows\system32\NETSTAT.EXE" -na
    Signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\NETSTAT.EXE (PID 992)
    Command line: "C:\Windows\system32\NETSTAT.EXE" -na
    Signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\netsh.exe (PID 1884)
    Command line: "C:\Windows\system32\netsh.exe" interface portproxy reset
  - C:\Windows\system32\netsh.exe (PID 1656)
    Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
  - C:\Windows\system32\netsh.exe (PID 852)
    Command line: "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
  - C:\Windows\system32\netsh.exe (PID 1260)
    Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
  - C:\Windows\system32\netsh.exe (PID 1556)
    Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
  - C:\Windows\system32\NETSTAT.EXE (PID 1704)
    Command line: "C:\Windows\system32\NETSTAT.EXE" -na
    Signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\NETSTAT.EXE (PID 1584)
    Command line: "C:\Windows\system32\NETSTAT.EXE" -na
    Signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\NETSTAT.EXE (PID 1504)
    Command line: "C:\Windows\system32\NETSTAT.EXE" -na
    Signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe (PID 1972)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads