Analysis

  • max time kernel
    301s
  • max time network
    63s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-09-2022 06:18

General

  • Target

    Install.exe

  • Size

    2.3MB

  • MD5

    81b999918d94285ca5791aed3c8157fe

  • SHA1

    2578c47353c13cf28468518c79ee5a035beed760

  • SHA256

    5917eaf394a1ef0e1dc0cdb4a00260efbf51d1ea20d48ab68f7325cfe4b3ad04

  • SHA512

    e7b92ccfe60142ea4e2605397104e5f0628c78431ff56a69a4868645b05444ece53679db26a724856f8c4c65d39017c51a467a27714b95f5aceee211ac70734e

  • SSDEEP

    24576:zxUmQ8AhI8IYVw4zv7fYLXX5wktsH7XlUAFFLjlLWJ/Sa3qVBAg/LyMlXk/9pu06:zxxHm7b8LXpw9HXL2/SFNLy7/9prx6

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Program crash 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
    PID:476
  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    PID:468
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService
      2⤵
      PID:852
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      2⤵
      PID:1256
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
      2⤵
      PID:800
    • C:\Windows\system32\sppsvc.exe
      C:\Windows\system32\sppsvc.exe
      2⤵
      PID:960
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
      2⤵
      PID:1040
    • C:\Windows\System32\spoolsv.exe
      C:\Windows\System32\spoolsv.exe
      2⤵
      PID:308
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k NetworkService
      2⤵
      PID:328
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      2⤵
      • Drops file in Windows directory
      PID:876
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {4E7D8E6E-A9EE-4535-BF7A-0B4204D20A66} S-1-5-18:NT AUTHORITY\System:Service:
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1124
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1624
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1356
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 816
            5⤵
            PID:1560
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 96
              6⤵
              • Program crash
              PID:1168
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      2⤵
      PID:804
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
      2⤵
      • Drops file in System32 directory
      PID:740
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k RPCSS
      2⤵
      PID:676
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch
      2⤵
      PID:592
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    PID:420
    • C:\Windows\System32\dllhost.exe
      C:\Windows\System32\dllhost.exe /Processid:{ea322986-d797-40bd-917c-414e7cb8022a}
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1456
    • C:\Windows\SysWOW64\dllhost.exe
      C:\Windows\SysWOW64\dllhost.exe /Processid:{449c157e-6dd6-4014-826d-b8d14f6fdc57}
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:672
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 296
        3⤵
        • Program crash
        PID:956
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 212
          4⤵
          • Program crash
          PID:576
  • C:\Windows\system32\lsm.exe
    C:\Windows\system32\lsm.exe
    1⤵
    PID:484
  • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    1⤵
    PID:1928
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:1384
    • C:\Users\Admin\AppData\Local\Temp\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      2⤵
      • Drops file in Windows directory
      PID:1684
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    PID:1340
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-940788917-2075310290727857194-564733295-531994609536376070-887118630978848052"
    1⤵
    PID:1112
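
What the process tree shows, and an added triage script for it (the script is the editor's example, not part of the sandbox report and not code from the sample): the Schedule service host (svchost.exe -k netsvcs, PID 876) drops a file in the Windows directory, and taskeng.exe then launches both the 64-bit and the 32-bit powershell.exe as SYSTEM with the same one-liner, which reads the binary value `$77stager` under HKLM\SOFTWARE, loads it as a .NET assembly straight from memory and invokes its entry point, so the second-stage payload never exists as an executable file on disk. The C:\Windows\Tasks\$77svc32.job listed under Downloads is the legacy Task Scheduler file behind that launch. Both powershell processes are then flagged for NtCreateUserProcessOtherParentProcess, SetThreadContext and WriteProcessMemory, and the memory section shows the same 64KB region at 0x37B30000 plus a roughly 1.8MB region in nearly every process on the box, including lsass.exe, services.exe and winlogon.exe, which is consistent with injection into every reachable process; the SysWOW64 dllhost.exe (PID 672) carrying a 2.5MB image at 0x400000, where dllhost.exe on disk is only a few KB, is consistent with process hollowing. The `$77` naming, the registry-resident stager and this exact PowerShell launch line match the installer of the open-source r77 rootkit, which hides everything prefixed `$77` by hooking user-mode APIs. The script below hunts for this staging pattern on a suspect host. It assumes an elevated PowerShell session; the value name `$77stager`, the .job path and the SHA256 are taken from this report, and every other name in it is generic.

```powershell
# Added example (not from the report or the sample): hunt for a .NET stager parked in the
# registry and launched by a scheduled task, plus the legacy .job file this sample dropped.
# Assumes an elevated session. IOC values below are copied from the sandbox report.

$iocValueName = '$77stager'   # single quotes matter: "$77stager" would expand $77 as a variable
$iocJobSha256 = '946b5c363eaa6cc5007ce0816aebb6cac8534df22c43060328ab21694d7ce929'
$findings     = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    # PSObject via -Property keeps this runnable on the PowerShell 2 that ships with Windows 7
    $findings.Add((New-Object PSObject -Property @{ Kind = $Kind; Where = $Where; Detail = $Detail }))
}

function Get-Sha256Hex([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    ([System.BitConverter]::ToString($sha.ComputeHash($Bytes)) -replace '-', '').ToLower()
}

# 1. Registry-resident PE images directly under HKLM\SOFTWARE: any REG_BINARY value that
#    starts with an 'MZ' header, and the specific value name used by this sample.
$software = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE')
if ($software.GetValueNames() -contains $iocValueName) {
    Add-Finding 'RegistryIOC' "HKLM\SOFTWARE\$iocValueName" 'value name from this report is present'
}
foreach ($name in $software.GetValueNames()) {
    if ($software.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) { continue }
    [byte[]]$data = $software.GetValue($name)
    if ($data.Length -gt 64 -and $data[0] -eq 0x4D -and $data[1] -eq 0x5A) {
        Add-Finding 'RegistryPE' "HKLM\SOFTWARE\$name" ("$($data.Length) bytes, sha256=" + (Get-Sha256Hex $data))
    }
}

# 2. Scheduled tasks whose command line loads an assembly from the registry via PowerShell.
#    Get-ScheduledTask exists from Windows 8 / PowerShell 3; on Windows 7 fall back to schtasks,
#    whose verbose CSV output carries the command line in the 'Task To Run' column.
$stagerPattern = 'Reflection\.Assembly\]::Load\(\[Microsoft\.Win32\.Registry\]'
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ("$($action.Execute) $($action.Arguments)" -match $stagerPattern) {
                Add-Finding 'TaskStager' ($task.TaskPath + $task.TaskName) $action.Arguments
            }
        }
    }
} else {
    schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match $stagerPattern } |
        ForEach-Object { Add-Finding 'TaskStager' $_.TaskName $_.'Task To Run' }
}

# 3. Legacy Task Scheduler 1.0 job files; -Force also lists hidden ones. Compare each against
#    the hash the report gives for $77svc32.job.
Get-ChildItem -Path 'C:\Windows\Tasks' -Filter '*.job' -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $hash   = Get-Sha256Hex ([System.IO.File]::ReadAllBytes($_.FullName))
    $detail = if ($hash -eq $iocJobSha256) { 'sha256 matches the $77svc32.job in this report' } else { "sha256=$hash" }
    Add-Finding 'JobFile' $_.FullName $detail
}

# Caveat: on a live host where the rootkit is resident, its user-mode hooks filter '$77'-prefixed
# names out of exactly the registry, task and directory APIs queried above, so an empty table is
# not a clean result. Treat findings as confirmation only; treat absence as unknown.
$findings | Format-Table Kind, Where, Detail -AutoSize
```

To get a trustworthy negative, run the same checks from a boot environment the sample never ran in (WinPE, or the disk mounted on a clean machine): load the offline hive with `reg load HKLM\Suspect <mount>\Windows\System32\config\SOFTWARE`, change `OpenSubKey('SOFTWARE')` to `OpenSubKey('Suspect')`, and point the `Get-ChildItem` path at the mounted `Windows\Tasks`. The regex in step 2 is deliberately narrow (PowerShell loading an assembly from a registry value); widen it to `Reflection\.Assembly\]::Load` if you also want file- and byte-array-based loaders.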

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\Tasks\$77svc32.job
    Filesize

    558B

    MD5

    56c33e06132e976b8821a1f67d4f3734

    SHA1

    57bd089a6a628be6a159684beed189cfe829711c

    SHA256

    946b5c363eaa6cc5007ce0816aebb6cac8534df22c43060328ab21694d7ce929

    SHA512

    d466f39b9c0c90a433ce888b93f0be07baa82f8ec509607e23a8d542dc8c4e13c4dab8f271e35d44cf6274dc63df96504bcf49202daa0db6eff796ccf1654c43

  • memory/308-153-0x00000000036C0000-0x000000000388A000-memory.dmp (Filesize 1.8MB)
  • memory/308-162-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/328-154-0x0000000003700000-0x00000000038CA000-memory.dmp (Filesize 1.8MB)
  • memory/328-155-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/420-84-0x0000000000D00000-0x0000000000E49000-memory.dmp (Filesize 1.3MB)
  • memory/420-76-0x0000000000D00000-0x0000000000E49000-memory.dmp (Filesize 1.3MB)
  • memory/420-86-0x0000000002DB0000-0x0000000002F7A000-memory.dmp (Filesize 1.8MB)
  • memory/420-127-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/420-79-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmp (Filesize 64KB)
  • memory/420-226-0x0000000002DB0000-0x0000000002F7A000-memory.dmp (Filesize 1.8MB)
  • memory/468-229-0x0000000001C30000-0x0000000001DFA000-memory.dmp (Filesize 1.8MB)
  • memory/468-87-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmp (Filesize 64KB)
  • memory/468-93-0x0000000001C30000-0x0000000001DFA000-memory.dmp (Filesize 1.8MB)
  • memory/468-88-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/476-232-0x0000000001650000-0x000000000181A000-memory.dmp (Filesize 1.8MB)
  • memory/476-144-0x0000000001650000-0x000000000181A000-memory.dmp (Filesize 1.8MB)
  • memory/476-129-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/476-126-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmp (Filesize 64KB)
  • memory/484-150-0x0000000000FA0000-0x000000000116A000-memory.dmp (Filesize 1.8MB)
  • memory/484-156-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/484-131-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmp (Filesize 64KB)
  • memory/484-238-0x0000000000FA0000-0x000000000116A000-memory.dmp (Filesize 1.8MB)
  • memory/576-216-0x0000000000000000-mapping.dmp
  • memory/592-141-0x0000000001B80000-0x0000000001D4A000-memory.dmp (Filesize 1.8MB)
  • memory/592-100-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/592-98-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmp (Filesize 64KB)
  • memory/592-230-0x0000000001B80000-0x0000000001D4A000-memory.dmp (Filesize 1.8MB)
  • memory/672-204-0x0000000077CD0000-0x0000000077E50000-memory.dmp (Filesize 1.5MB)
  • memory/672-91-0x0000000000400000-0x0000000000683000-memory.dmp (Filesize 2.5MB)
  • memory/672-221-0x0000000077CD0000-0x0000000077E50000-memory.dmp (Filesize 1.5MB)
  • memory/672-203-0x0000000000400000-0x0000000000683000-memory.dmp (Filesize 2.5MB)
  • memory/672-135-0x000000000045B0A5-mapping.dmp
  • memory/676-102-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmp (Filesize 64KB)
  • memory/676-104-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/676-143-0x0000000001730000-0x00000000018FA000-memory.dmp (Filesize 1.8MB)
  • memory/676-231-0x0000000001730000-0x00000000018FA000-memory.dmp (Filesize 1.8MB)
  • memory/740-133-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmp (Filesize 64KB)
  • memory/740-157-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/740-149-0x0000000002990000-0x0000000002B5A000-memory.dmp (Filesize 1.8MB)
  • memory/740-237-0x0000000002990000-0x0000000002B5A000-memory.dmp (Filesize 1.8MB)
  • memory/800-199-0x0000000001520000-0x00000000016EA000-memory.dmp (Filesize 1.8MB)
  • memory/804-158-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/804-132-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmp (Filesize 64KB)
  • memory/804-236-0x0000000001A10000-0x0000000001BDA000-memory.dmp (Filesize 1.8MB)
  • memory/804-148-0x0000000001A10000-0x0000000001BDA000-memory.dmp (Filesize 1.8MB)
  • memory/852-130-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmp (Filesize 64KB)
  • memory/852-159-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/852-235-0x0000000002AB0000-0x0000000002C7A000-memory.dmp (Filesize 1.8MB)
  • memory/852-147-0x0000000002AB0000-0x0000000002C7A000-memory.dmp (Filesize 1.8MB)
  • memory/876-145-0x0000000003220000-0x00000000033EA000-memory.dmp (Filesize 1.8MB)
  • memory/876-112-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmp (Filesize 64KB)
  • memory/876-114-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/876-233-0x0000000003220000-0x00000000033EA000-memory.dmp (Filesize 1.8MB)
  • memory/956-209-0x0000000000000000-mapping.dmp
  • memory/960-197-0x0000000001700000-0x00000000018CA000-memory.dmp (Filesize 1.8MB)
  • memory/1040-122-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/1040-120-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmp (Filesize 64KB)
  • memory/1040-146-0x00000000012D0000-0x000000000149A000-memory.dmp (Filesize 1.8MB)
  • memory/1040-234-0x00000000012D0000-0x000000000149A000-memory.dmp (Filesize 1.8MB)
  • memory/1112-223-0x0000000000E70000-0x000000000103A000-memory.dmp (Filesize 1.8MB)
  • memory/1112-208-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/1112-207-0x0000000000E70000-0x000000000103A000-memory.dmp (Filesize 1.8MB)
  • memory/1124-202-0x0000000001390000-0x000000000155A000-memory.dmp (Filesize 1.8MB)
  • memory/1168-215-0x0000000000000000-mapping.dmp
  • memory/1256-152-0x00000000026E0000-0x00000000028AA000-memory.dmp (Filesize 1.8MB)
  • memory/1256-161-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/1340-151-0x0000000002560000-0x000000000272A000-memory.dmp (Filesize 1.8MB)
  • memory/1340-136-0x000007FEBF8D0000-0x000007FEBF8E0000-memory.dmp (Filesize 64KB)
  • memory/1340-196-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)
  • memory/1356-62-0x0000000074730000-0x0000000074CDB000-memory.dmp (Filesize 5.7MB)
  • memory/1356-217-0x0000000003D00000-0x0000000003DFE000-memory.dmp (Filesize 1016KB)
  • memory/1356-89-0x0000000077CD0000-0x0000000077E50000-memory.dmp (Filesize 1.5MB)
  • memory/1356-57-0x0000000000000000-mapping.dmp
  • memory/1356-222-0x0000000077CD0000-0x0000000077E50000-memory.dmp (Filesize 1.5MB)
  • memory/1356-219-0x0000000074730000-0x0000000074CDB000-memory.dmp (Filesize 5.7MB)
  • memory/1384-160-0x00000000070A0000-0x000000000726A000-memory.dmp (Filesize 1.8MB)
  • memory/1456-66-0x0000000140000000-0x000000014033D000-memory.dmp (Filesize 3.2MB)
  • memory/1456-228-0x0000000077AF0000-0x0000000077C99000-memory.dmp (Filesize 1.7MB)
  • memory/1456-201-0x0000000001A80000-0x0000000001C4A000-memory.dmp (Filesize 1.8MB)
  • memory/1456-67-0x0000000140075238-mapping.dmp
  • memory/1456-69-0x0000000140000000-0x000000014033D000-memory.dmp (Filesize 3.2MB)
  • memory/1456-83-0x0000000077AF0000-0x0000000077C99000-memory.dmp (Filesize 1.7MB)
  • memory/1456-80-0x0000000140000000-0x000000014033D000-memory.dmp (Filesize 3.2MB)
  • memory/1456-75-0x00000000778D0000-0x00000000779EF000-memory.dmp (Filesize 1.1MB)
  • memory/1456-74-0x0000000077AF0000-0x0000000077C99000-memory.dmp (Filesize 1.7MB)
  • memory/1560-211-0x0000000000000000-mapping.dmp
  • memory/1624-225-0x00000000778D0000-0x00000000779EF000-memory.dmp (Filesize 1.1MB)
  • memory/1624-64-0x0000000077AF0000-0x0000000077C99000-memory.dmp (Filesize 1.7MB)
  • memory/1624-61-0x000007FEF3DE0000-0x000007FEF493D000-memory.dmp (Filesize 11.4MB)
  • memory/1624-65-0x00000000778D0000-0x00000000779EF000-memory.dmp (Filesize 1.1MB)
  • memory/1624-60-0x000007FEF4940000-0x000007FEF5363000-memory.dmp (Filesize 10.1MB)
  • memory/1624-63-0x00000000011B4000-0x00000000011B7000-memory.dmp (Filesize 12KB)
  • memory/1624-58-0x000007FEFC341000-0x000007FEFC343000-memory.dmp (Filesize 8KB)
  • memory/1624-72-0x0000000077AF0000-0x0000000077C99000-memory.dmp (Filesize 1.7MB)
  • memory/1624-73-0x00000000778D0000-0x00000000779EF000-memory.dmp (Filesize 1.1MB)
  • memory/1624-56-0x0000000000000000-mapping.dmp
  • memory/1624-71-0x00000000011BB000-0x00000000011DA000-memory.dmp (Filesize 124KB)
  • memory/1624-70-0x00000000011B4000-0x00000000011B7000-memory.dmp (Filesize 12KB)
  • memory/1684-54-0x0000000076401000-0x0000000076403000-memory.dmp (Filesize 8KB)
  • memory/1684-55-0x0000000000BF0000-0x0000000000E99000-memory.dmp (Filesize 2.7MB)
  • memory/1928-205-0x00000000010F0000-0x00000000012BA000-memory.dmp (Filesize 1.8MB)
  • memory/1928-206-0x0000000037B30000-0x0000000037B40000-memory.dmp (Filesize 64KB)