21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578

Analysis

max time kernel
142s
max time network
131s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/09/2022, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe
Size

1.7MB
MD5

65ddbe9b2581fb5acdfb40a27478ce59
SHA1

7c00e3d480ab839d1e7b51de4f31f08759ad7201
SHA256

21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578
SHA512

074c87912dedd24522b70ee8f32024613b97e7b5399ba5e6d1b7c0892f2918c3b956bdd5b4d556d195796b528de152d8cf47ae5f8ef45af169996808bfc29115
SSDEEP

49152:eTvt1GjeX+xaFTx+IJPPpU4XOulXn8djKj:eT7zOaaqPpv8d2

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1696	OneDrive.exe
108	OneDrive.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/784-55-0x0000000000F00000-0x000000000154F000-memory.dmp	upx
behavioral1/memory/784-79-0x0000000000F00000-0x000000000154F000-memory.dmp	upx
behavioral1/memory/784-80-0x0000000000F00000-0x000000000154F000-memory.dmp	upx
behavioral1/files/0x0009000000014b75-81.dat	upx
behavioral1/files/0x0009000000014b75-83.dat	upx
behavioral1/files/0x0009000000014b75-82.dat	upx
behavioral1/files/0x0009000000014b75-85.dat	upx
behavioral1/memory/1696-88-0x0000000001330000-0x000000000197F000-memory.dmp	upx
behavioral1/memory/1696-113-0x0000000001330000-0x000000000197F000-memory.dmp	upx
behavioral1/memory/1696-114-0x0000000001330000-0x000000000197F000-memory.dmp	upx
behavioral1/files/0x0009000000014b75-115.dat	upx
behavioral1/files/0x0009000000014b75-117.dat	upx
behavioral1/memory/108-118-0x0000000001330000-0x000000000197F000-memory.dmp	upx
behavioral1/memory/108-142-0x0000000001330000-0x000000000197F000-memory.dmp	upx
behavioral1/memory/108-143-0x0000000001330000-0x000000000197F000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
692	taskeng.exe
692	taskeng.exe
692	taskeng.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 784 set thread context of 1268	784	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	28
PID 1696 set thread context of 1144	1696	OneDrive.exe	33
PID 108 set thread context of 740	108	OneDrive.exe	36

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1428	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 1428	784	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	26
PID 784 wrote to memory of 1428	784	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	26
PID 784 wrote to memory of 1428	784	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	26
PID 784 wrote to memory of 1268	784	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	28
PID 784 wrote to memory of 1268	784	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	28
PID 784 wrote to memory of 1268	784	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	28
PID 784 wrote to memory of 1268	784	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	28
PID 784 wrote to memory of 1268	784	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	28
PID 784 wrote to memory of 1268	784	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	28
PID 784 wrote to memory of 1268	784	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	28
PID 784 wrote to memory of 1268	784	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	28
PID 784 wrote to memory of 1268	784	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	28
PID 784 wrote to memory of 1268	784	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	28
PID 784 wrote to memory of 1268	784	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	28
PID 692 wrote to memory of 1696	692	taskeng.exe	32
PID 692 wrote to memory of 1696	692	taskeng.exe	32
PID 692 wrote to memory of 1696	692	taskeng.exe	32
PID 1696 wrote to memory of 1144	1696	OneDrive.exe	33
PID 1696 wrote to memory of 1144	1696	OneDrive.exe	33
PID 1696 wrote to memory of 1144	1696	OneDrive.exe	33
PID 1696 wrote to memory of 1144	1696	OneDrive.exe	33
PID 1696 wrote to memory of 1144	1696	OneDrive.exe	33
PID 1696 wrote to memory of 1144	1696	OneDrive.exe	33
PID 1696 wrote to memory of 1144	1696	OneDrive.exe	33
PID 1696 wrote to memory of 1144	1696	OneDrive.exe	33
PID 1696 wrote to memory of 1144	1696	OneDrive.exe	33
PID 1696 wrote to memory of 1144	1696	OneDrive.exe	33
PID 1696 wrote to memory of 1144	1696	OneDrive.exe	33
PID 692 wrote to memory of 108	692	taskeng.exe	35
PID 692 wrote to memory of 108	692	taskeng.exe	35
PID 692 wrote to memory of 108	692	taskeng.exe	35
PID 108 wrote to memory of 740	108	OneDrive.exe	36
PID 108 wrote to memory of 740	108	OneDrive.exe	36
PID 108 wrote to memory of 740	108	OneDrive.exe	36
PID 108 wrote to memory of 740	108	OneDrive.exe	36
PID 108 wrote to memory of 740	108	OneDrive.exe	36
PID 108 wrote to memory of 740	108	OneDrive.exe	36
PID 108 wrote to memory of 740	108	OneDrive.exe	36
PID 108 wrote to memory of 740	108	OneDrive.exe	36
PID 108 wrote to memory of 740	108	OneDrive.exe	36
PID 108 wrote to memory of 740	108	OneDrive.exe	36
PID 108 wrote to memory of 740	108	OneDrive.exe	36

C:\Users\Admin\AppData\Local\Temp\21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe
"C:\Users\Admin\AppData\Local\Temp\21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\system32\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn OneDrive /rl HIGHEST /tr C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
  2⤵
  - Creates scheduled task(s)
  PID:1428
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe YmMxcTVjZHZ1N3RlN2xmaDBkOWR4ZndoYTdmNXBzaHl2ZnB0NXVhaGVkLDQ0RHM4ZmJDM0hXUUNjd1FvdGdyTkRVV25tRGl4cFFQRzdZTGg1aDJyelNNUXJ4Q1JYZVNqUXZIOExSUE5HU3lxdlhjS2VFazN1bVo3VDJ3ekZBZ292RjE1VWNrQnhnLDB4MDNlQmFCNjg0ZDNmYjI0QmVERmMzMWREYTRGNTVjQzAyMkU1NzEwMSxYbURTUU1tVjV2eGo4Y3U4eFNraFVjZldmRndtc0FZdDNpLHIzeUExd2VvUlc1THdNY0xoelBvdG1xU3huMjRFNzZXdWgsRFNSRDd6WEtOVXJZZmtpUERTdTFYRFdyZ2dkRTlTTGNRVyxMVVE5SmVHMkpOOUQ1VHRLdnlQRFZ6cWpTUjV4V0h4a3VRLFRQc0xGMmVUVHExMTJVS2Vvb0xWNHFBZzN0b3lDNWg2VE0sR0FZSjZOVkxKM1ZZRVRGVU5JNkxBRDVFREVQRTVEUFhaV1dRUEZWNFlIRkdIU0YzNkc0TENSUE4sQVZENjlIZHF1WEJ1RWpma0FEV0JDcXM1bmVWQ2VXQjMxZyxxcHQ5bXNqaDN0N3VjOTJwbmx3a3NtOWRkbjJrcWhtNmc1ZjQzbWUyZHAsYWRkcjFxeWYyc244dWF6N2o0NDB2ZXM5NmFkZHB1ZWFtOGY5cjlndTh2NDVsc2p4bGw3cWo0cHgwZTY5YTl0MjdlbnF0NDY2NnJlbm1rd2oyeDIzY3dldGZscHlkbGx1cWtwOWszbix0MVNrUzJrS0dvSnRqcHFhUGVWQlltc2JHcXMyR1ZkMWRzbSxHUEpkSk5GS0RORjFKcnZORG5tUXRqNHA1cVJpNWRmWmo1LDEyaEc4S2V3VmtoS1JIZUhmWVFlZEpMSHViWWliTGNBa1h1bjc1ckY0Yld5OVJrUA==
  2⤵
  PID:1268

C:\Windows\system32\taskeng.exe
taskeng.exe {188FACCA-AB7E-43BC-8CD9-9136B1D6C1B7} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:692
- C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
  C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe YmMxcTVjZHZ1N3RlN2xmaDBkOWR4ZndoYTdmNXBzaHl2ZnB0NXVhaGVkLDQ0RHM4ZmJDM0hXUUNjd1FvdGdyTkRVV25tRGl4cFFQRzdZTGg1aDJyelNNUXJ4Q1JYZVNqUXZIOExSUE5HU3lxdlhjS2VFazN1bVo3VDJ3ekZBZ292RjE1VWNrQnhnLDB4MDNlQmFCNjg0ZDNmYjI0QmVERmMzMWREYTRGNTVjQzAyMkU1NzEwMSxYbURTUU1tVjV2eGo4Y3U4eFNraFVjZldmRndtc0FZdDNpLHIzeUExd2VvUlc1THdNY0xoelBvdG1xU3huMjRFNzZXdWgsRFNSRDd6WEtOVXJZZmtpUERTdTFYRFdyZ2dkRTlTTGNRVyxMVVE5SmVHMkpOOUQ1VHRLdnlQRFZ6cWpTUjV4V0h4a3VRLFRQc0xGMmVUVHExMTJVS2Vvb0xWNHFBZzN0b3lDNWg2VE0sR0FZSjZOVkxKM1ZZRVRGVU5JNkxBRDVFREVQRTVEUFhaV1dRUEZWNFlIRkdIU0YzNkc0TENSUE4sQVZENjlIZHF1WEJ1RWpma0FEV0JDcXM1bmVWQ2VXQjMxZyxxcHQ5bXNqaDN0N3VjOTJwbmx3a3NtOWRkbjJrcWhtNmc1ZjQzbWUyZHAsYWRkcjFxeWYyc244dWF6N2o0NDB2ZXM5NmFkZHB1ZWFtOGY5cjlndTh2NDVsc2p4bGw3cWo0cHgwZTY5YTl0MjdlbnF0NDY2NnJlbm1rd2oyeDIzY3dldGZscHlkbGx1cWtwOWszbix0MVNrUzJrS0dvSnRqcHFhUGVWQlltc2JHcXMyR1ZkMWRzbSxHUEpkSk5GS0RORjFKcnZORG5tUXRqNHA1cVJpNWRmWmo1LDEyaEc4S2V3VmtoS1JIZUhmWVFlZEpMSHViWWliTGNBa1h1bjc1ckY0Yld5OVJrUA==
    3⤵
    PID:1144
- C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
  C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe YmMxcTVjZHZ1N3RlN2xmaDBkOWR4ZndoYTdmNXBzaHl2ZnB0NXVhaGVkLDQ0RHM4ZmJDM0hXUUNjd1FvdGdyTkRVV25tRGl4cFFQRzdZTGg1aDJyelNNUXJ4Q1JYZVNqUXZIOExSUE5HU3lxdlhjS2VFazN1bVo3VDJ3ekZBZ292RjE1VWNrQnhnLDB4MDNlQmFCNjg0ZDNmYjI0QmVERmMzMWREYTRGNTVjQzAyMkU1NzEwMSxYbURTUU1tVjV2eGo4Y3U4eFNraFVjZldmRndtc0FZdDNpLHIzeUExd2VvUlc1THdNY0xoelBvdG1xU3huMjRFNzZXdWgsRFNSRDd6WEtOVXJZZmtpUERTdTFYRFdyZ2dkRTlTTGNRVyxMVVE5SmVHMkpOOUQ1VHRLdnlQRFZ6cWpTUjV4V0h4a3VRLFRQc0xGMmVUVHExMTJVS2Vvb0xWNHFBZzN0b3lDNWg2VE0sR0FZSjZOVkxKM1ZZRVRGVU5JNkxBRDVFREVQRTVEUFhaV1dRUEZWNFlIRkdIU0YzNkc0TENSUE4sQVZENjlIZHF1WEJ1RWpma0FEV0JDcXM1bmVWQ2VXQjMxZyxxcHQ5bXNqaDN0N3VjOTJwbmx3a3NtOWRkbjJrcWhtNmc1ZjQzbWUyZHAsYWRkcjFxeWYyc244dWF6N2o0NDB2ZXM5NmFkZHB1ZWFtOGY5cjlndTh2NDVsc2p4bGw3cWo0cHgwZTY5YTl0MjdlbnF0NDY2NnJlbm1rd2oyeDIzY3dldGZscHlkbGx1cWtwOWszbix0MVNrUzJrS0dvSnRqcHFhUGVWQlltc2JHcXMyR1ZkMWRzbSxHUEpkSk5GS0RORjFKcnZORG5tUXRqNHA1cVJpNWRmWmo1LDEyaEc4S2V3VmtoS1JIZUhmWVFlZEpMSHViWWliTGNBa1h1bjc1ckY0Yld5OVJrUA==
    3⤵
    PID:740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
65ddbe9b2581fb5acdfb40a27478ce59

SHA1
7c00e3d480ab839d1e7b51de4f31f08759ad7201

SHA256
21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578

SHA512
074c87912dedd24522b70ee8f32024613b97e7b5399ba5e6d1b7c0892f2918c3b956bdd5b4d556d195796b528de152d8cf47ae5f8ef45af169996808bfc29115

Download Submit
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
65ddbe9b2581fb5acdfb40a27478ce59

SHA1
7c00e3d480ab839d1e7b51de4f31f08759ad7201

SHA256
21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578

SHA512
074c87912dedd24522b70ee8f32024613b97e7b5399ba5e6d1b7c0892f2918c3b956bdd5b4d556d195796b528de152d8cf47ae5f8ef45af169996808bfc29115

Download Submit
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
65ddbe9b2581fb5acdfb40a27478ce59

SHA1
7c00e3d480ab839d1e7b51de4f31f08759ad7201

SHA256
21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578

SHA512
074c87912dedd24522b70ee8f32024613b97e7b5399ba5e6d1b7c0892f2918c3b956bdd5b4d556d195796b528de152d8cf47ae5f8ef45af169996808bfc29115

Download Submit
\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
65ddbe9b2581fb5acdfb40a27478ce59

SHA1
7c00e3d480ab839d1e7b51de4f31f08759ad7201

SHA256
21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578

SHA512
074c87912dedd24522b70ee8f32024613b97e7b5399ba5e6d1b7c0892f2918c3b956bdd5b4d556d195796b528de152d8cf47ae5f8ef45af169996808bfc29115

Download Submit
\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
65ddbe9b2581fb5acdfb40a27478ce59

SHA1
7c00e3d480ab839d1e7b51de4f31f08759ad7201

SHA256
21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578

SHA512
074c87912dedd24522b70ee8f32024613b97e7b5399ba5e6d1b7c0892f2918c3b956bdd5b4d556d195796b528de152d8cf47ae5f8ef45af169996808bfc29115

Download Submit
\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
65ddbe9b2581fb5acdfb40a27478ce59

SHA1
7c00e3d480ab839d1e7b51de4f31f08759ad7201

SHA256
21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578

SHA512
074c87912dedd24522b70ee8f32024613b97e7b5399ba5e6d1b7c0892f2918c3b956bdd5b4d556d195796b528de152d8cf47ae5f8ef45af169996808bfc29115

Download Submit
memory/108-143-0x0000000001330000-0x000000000197F000-memory.dmp

Filesize
6.3MB

Download
memory/108-142-0x0000000001330000-0x000000000197F000-memory.dmp

Filesize
6.3MB

Download
memory/108-118-0x0000000001330000-0x000000000197F000-memory.dmp

Filesize
6.3MB

Download
memory/692-112-0x00000000026C0000-0x0000000002D0F000-memory.dmp

Filesize
6.3MB

Download
memory/692-86-0x00000000026C0000-0x0000000002D0F000-memory.dmp

Filesize
6.3MB

Download
memory/692-87-0x00000000026C0000-0x0000000002D0F000-memory.dmp

Filesize
6.3MB

Download
memory/784-55-0x0000000000F00000-0x000000000154F000-memory.dmp

Filesize
6.3MB

Download
memory/784-79-0x0000000000F00000-0x000000000154F000-memory.dmp

Filesize
6.3MB

Download
memory/784-80-0x0000000000F00000-0x000000000154F000-memory.dmp

Filesize
6.3MB

Download
memory/1268-67-0x00000000FF950000-0x00000000FFAEF000-memory.dmp

Filesize
1.6MB

Download
memory/1268-57-0x00000000FF950000-0x00000000FFAEF000-memory.dmp

Filesize
1.6MB

Download
memory/1268-66-0x00000000FF950000-0x00000000FFAEF000-memory.dmp

Filesize
1.6MB

Download
memory/1268-78-0x00000000FF950000-0x00000000FFAEF000-memory.dmp

Filesize
1.6MB

Download
memory/1268-64-0x00000000FF950000-0x00000000FFAEF000-memory.dmp

Filesize
1.6MB

Download
memory/1268-73-0x00000000FF950000-0x00000000FFAEF000-memory.dmp

Filesize
1.6MB

Download
memory/1268-56-0x00000000FF950000-0x00000000FFAEF000-memory.dmp

Filesize
1.6MB

Download
memory/1268-63-0x00000000FF950000-0x00000000FFAEF000-memory.dmp

Filesize
1.6MB

Download
memory/1268-61-0x00000000FF950000-0x00000000FFAEF000-memory.dmp

Filesize
1.6MB

Download
memory/1268-59-0x00000000FF950000-0x00000000FFAEF000-memory.dmp

Filesize
1.6MB

Download
memory/1696-88-0x0000000001330000-0x000000000197F000-memory.dmp

Filesize
6.3MB

Download
memory/1696-114-0x0000000001330000-0x000000000197F000-memory.dmp

Filesize
6.3MB

Download
memory/1696-113-0x0000000001330000-0x000000000197F000-memory.dmp

Filesize
6.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads