Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
01-10-2022 15:02
Static task
static1
Behavioral task
behavioral1
Sample
07653FD9F64401F9F1696F4782C926F4.exe
Resource
win7-20220812-en
General
-
Target
07653FD9F64401F9F1696F4782C926F4.exe
-
Size
1.2MB
-
MD5
07653fd9f64401f9f1696f4782c926f4
-
SHA1
aed898c8d28306aa28785004252b81144bb73676
-
SHA256
34915a0eded4e59cfd552ae7724e99584ec58f24b8a562fd90aa6dcb9397a019
-
SHA512
96178c05a5f78f3c132e9634957194c4d90bde07413ffd086de05ad3b638188132c40f84112949ab31818ffbb578980f99a938990846ec70061d5513732894f0
-
SSDEEP
24576:wUelzt/bfQ8OBromXFprxo3FFkBuK/qI/nJi6CYyHFBgsnfLum9My3o54TRM+:4xUC8FU3XkBuAdfsYybggfL/Gx
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe"
process: 07653FD9F64401F9F1696F4782C926F4.exe
The Wow6432Node component shows the value was written through the 32-bit registry view: the sample runs as a 32-bit process on this x64 image (it also drops into Program Files (x86) and launches SysWOW64\schtasks.exe), so on a live host the value lives under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
Checks whether UAC is enabled 1 IoCs
Processes:
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: 07653FD9F64401F9F1696F4782C926F4.exe
Unlike the Run key above, this path has no Wow6432Node component: the Policies subtree is shared between the 32-bit and 64-bit registry views, so the 32-bit sample reads the real UAC setting.
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
Processes:
pid 800, process 07653FD9F64401F9F1696F4782C926F4.exe (10 calls)
A thread flagged with ThreadHideFromDebugger stops delivering debug events, so breakpoints set in it will not fire under a debugger; this is a classic anti-debugging check.
Drops file in Program Files directory 2 IoCs
Processes:
description: File created
ioc: C:\Program Files (x86)\SCSI Service\scsisvc.exe
process: 07653FD9F64401F9F1696F4782C926F4.exe
description: File opened for modification
ioc: C:\Program Files (x86)\SCSI Service\scsisvc.exe
process: 07653FD9F64401F9F1696F4782C926F4.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid 800, process 07653FD9F64401F9F1696F4782C926F4.exe (2 calls)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid 800, process 07653FD9F64401F9F1696F4782C926F4.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeDebugPrivilege
pid 800, process 07653FD9F64401F9F1696F4782C926F4.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid 800, process 07653FD9F64401F9F1696F4782C926F4.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
PID 800 (07653FD9F64401F9F1696F4782C926F4.exe) wrote to memory of PID 892 (schtasks.exe), 4 calls
PID 800 (07653FD9F64401F9F1696F4782C926F4.exe) wrote to memory of PID 1688 (schtasks.exe), 4 calls
All eight writes go from the sample into the two schtasks.exe children it has just started, four per child. CreateProcess itself writes into a new child to set up its process parameters, so this pattern on its own does not establish that anything was injected into schtasks.exe; the schtasks command lines in the process tree below are the more useful evidence.
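The signatures above are simple rules over the behavioural event stream. The following Python is an added example (not the sandbox's own signature code) that reimplements four of them over a constructed event list, and then does the correlation the report leaves to the reader: whether the Run key points at the file the sample dropped. The paths, key names, PIDs and command lines are copied from the IoC lines on this page; the event dict schema ('op', 'pid', 'image', ...) and the rule names are assumptions for this example, and the ATT&CK IDs are the v6 numbers the report's matrix uses.

```python
"""Triage rules over sandbox behavioural events (added example)."""
import re

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
UAC_KEY_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)
PROGRAM_FILES_RE = re.compile(r"^C:\\Program Files( \(x86\))?\\", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

SAMPLE = "07653FD9F64401F9F1696F4782C926F4.exe"

# Constructed events: values come from the report's IoC lines, the dict layout is assumed.
EVENTS = [
    {"op": "reg_set", "pid": 800, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service",
     "data": r"C:\Program Files (x86)\SCSI Service\scsisvc.exe"},
    {"op": "reg_query", "pid": 800, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"op": "file_create", "pid": 800, "image": SAMPLE,
     "path": r"C:\Program Files (x86)\SCSI Service\scsisvc.exe"},
    {"op": "proc_create", "pid": 892, "ppid": 800, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEE17.tmp"'},
    {"op": "proc_create", "pid": 1688, "ppid": 800, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF0D6.tmp"'},
]


def schtasks_option(cmdline, flag):
    """Return the value following a schtasks flag such as /tn or /xml (quoted or bare), else None."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(?:\"([^\"]*)\"|(\S+))", cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def rule_run_key(events):
    """'Adds Run key to start application': a string value set under a Run/RunOnce key."""
    hits = []
    for e in events:
        if e["op"] == "reg_set" and RUN_KEY_RE.search(e["key"]):
            name = e["key"].rsplit("\\", 1)[1]
            hits.append(f"Run value '{name}' = {e['data']}")
    return hits


def rule_uac_check(events):
    """'Checks whether UAC is enabled': the EnableLUA policy value is read."""
    return [e["key"] for e in events if e["op"] == "reg_query" and UAC_KEY_RE.search(e["key"])]


def rule_program_files_drop(events):
    """'Drops file in Program Files directory'."""
    return [e["path"] for e in events if e["op"] == "file_create" and PROGRAM_FILES_RE.match(e["path"])]


def rule_schtasks_create(events):
    """'Creates scheduled task(s)': schtasks.exe /create, with the task name and XML source."""
    hits = []
    for e in events:
        if e["op"] != "proc_create" or not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        cmd = e["cmdline"]
        if not re.search(r"\s/create(\s|$)", cmd, re.I):
            continue
        xml = schtasks_option(cmd, "/xml")
        hits.append({"pid": e["pid"], "ppid": e["ppid"], "task": schtasks_option(cmd, "/tn"),
                     "xml": xml, "xml_in_temp": bool(xml and TEMP_DIR_RE.search(xml))})
    return hits


def triage(events):
    """Run every rule, then check whether the Run key target is a file the sample dropped."""
    report = {
        "Adds Run key to start application (T1060)": rule_run_key(events),
        "Checks whether UAC is enabled": rule_uac_check(events),
        "Drops file in Program Files directory": rule_program_files_drop(events),
        "Creates scheduled task(s) (T1053)": rule_schtasks_create(events),
    }
    dropped = {p.lower() for p in rule_program_files_drop(events)}
    run_targets = {e["data"].lower() for e in events
                   if e["op"] == "reg_set" and RUN_KEY_RE.search(e["key"])}
    report["persisted_dropped_file"] = sorted(dropped & run_targets)
    return report


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(name, hits)
```

The `persisted_dropped_file` entry is the point of running the rules together: a Run value plus a scheduled task both aimed at a freshly dropped `scsisvc.exe` is a stronger signal than any of the four signatures alone.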
Processes
-
C:\Users\Admin\AppData\Local\Temp\07653FD9F64401F9F1696F4782C926F4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\07653FD9F64401F9F1696F4782C926F4.exe"
Tree depth: 1
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEE17.tmp"
Tree depth: 2
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF0D6.tmp"
Tree depth: 2
- Creates scheduled task(s)
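Both schtasks invocations register the task from an XML definition (`/xml`) rather than from command-line switches, so the task's trigger, run level and action are only visible in the two 1 KB tmp files listed under Downloads, whose content the report does not show. The following Python is an added example (not part of the report or the sandbox) that parses a Task Scheduler XML definition and lists what a triager should look at. The XML is constructed for this example and assumes only the task name from the command line and the binary path the Run key points at; the helper names `parse_task_xml` and `assess` are this example's own.

```python
"""Inspect a schtasks /xml task definition (added example)."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path the sample dropped and registered under the Run key (from the report).
DROPPED_FILE = r"C:\Program Files (x86)\SCSI Service\scsisvc.exe"

# Constructed task definition: the real tmpEE17.tmp is not shown in the report.
# On disk these files are usually UTF-16; read them as bytes and pass the bytes
# straight to parse_task_xml(), which lets the parser honour the declaration.
SAMPLE_TASK_XML = """<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\SCSI Service</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2022-10-01T15:02:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings>
    <Hidden>true</Hidden>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe"</Command></Exec>
  </Actions>
</Task>
"""


def _strip_ns(tag):
    """'{namespace}LogonTrigger' -> 'LogonTrigger'."""
    return tag.split("}", 1)[-1]


def parse_task_xml(data):
    """Return the parts of a Task Scheduler definition that matter for triage."""
    root = ET.fromstring(data)
    triggers = []
    triggers_el = root.find("t:Triggers", NS)
    for trig in (list(triggers_el) if triggers_el is not None else []):
        triggers.append({
            "type": _strip_ns(trig.tag),
            "enabled": trig.findtext("t:Enabled", default="true", namespaces=NS).lower() == "true",
            "repeat_every": trig.findtext("t:Repetition/t:Interval", default=None, namespaces=NS),
        })
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        actions.append({
            "command": ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"'),
            "arguments": ex.findtext("t:Arguments", default="", namespaces=NS).strip(),
        })
    return {
        "uri": root.findtext("t:RegistrationInfo/t:URI", default=None, namespaces=NS),
        "triggers": triggers,
        "actions": actions,
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel",
                                   default="LeastPrivilege", namespaces=NS),
        "hidden": root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true",
        "time_limit": root.findtext("t:Settings/t:ExecutionTimeLimit", default=None, namespaces=NS),
    }


def assess(task, dropped_files=(DROPPED_FILE,)):
    """Explain why the task deserves attention; returns a list of findings (empty if benign-looking)."""
    findings = []
    kinds = {t["type"] for t in task["triggers"] if t["enabled"]}
    if kinds & {"LogonTrigger", "BootTrigger"}:
        findings.append("starts at logon/boot: persistence")
    for t in task["triggers"]:
        if t["repeat_every"]:
            findings.append(f"re-runs every {t['repeat_every']} ({t['type']})")
    if task["hidden"]:
        findings.append("marked Hidden, so the Task Scheduler UI does not list it by default")
    if task["run_level"] == "HighestAvailable":
        findings.append("asks for the highest available integrity level")
    if task["time_limit"] == "PT0S":
        findings.append("no execution time limit: the action may run indefinitely")
    dropped = {p.lower() for p in dropped_files}
    for a in task["actions"]:
        if a["command"].lower() in dropped:
            findings.append(f"action launches the file the sample dropped: {a['command']}")
    return findings


if __name__ == "__main__":
    for line in assess(parse_task_xml(SAMPLE_TASK_XML)):
        print("-", line)
```

Because `/f` overwrites an existing task of the same name, re-running the sample silently replaces the definition; comparing the XML recovered from the Temp directory with `schtasks /query /xml /tn "SCSI Service"` on an infected host confirms which version is registered.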
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpEE17.tmp
Filesize 1KB
MD5 853c1e42596a3c599e8ead6504bf72af
SHA1 a78c779701d08604f7fafcba5eb21f3d657b8a2f
SHA256 63fe2fcf9cc40b50264dd477f05182d174dd27bb42b70baa125608f9122b955a
SHA512 db9f87c3094e4ebb066f51ba177ca08e43feff1437d445d9a22e14b15c94c2a30e0206cf53608b8ee4dbccfe865d985cd67b926672a3342796247a23a7fa8390
-
C:\Users\Admin\AppData\Local\Temp\tmpF0D6.tmp
Filesize 1KB
MD5 4e71faa3a77029484cfaba423d96618f
SHA1 9c837d050bb43d69dc608af809c292e13bca4718
SHA256 c470f45efd2e7c4c5b88534a18965a78dce0f8e154d3e45a9d5569ad0e334bdb
SHA512 6d014de41352f2b0b494d94cd58188791e81d4e53578d0722110b6827793b735e19c614877f25c61b26233dea1b5f1998ba1240bdc8fa04c87b7e64a4ca15fe0
-
memory/800-54-0x0000000075521000-0x0000000075523000-memory.dmp
Filesize 8KB
-
memory/800-57-0x0000000000400000-0x0000000000794000-memory.dmp
Filesize 3.6MB
-
memory/800-59-0x0000000074470000-0x0000000074A1B000-memory.dmp
Filesize 5.7MB
-
memory/800-61-0x0000000074470000-0x0000000074A1B000-memory.dmp
Filesize 5.7MB
-
memory/892-55-0x0000000000000000-mapping.dmp
-
memory/1688-58-0x0000000000000000-mapping.dmp