Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
10-10-2022 17:31
General
-
Target
6b7bab0d720634759037ff5941f363563e99c1ff1350b2142d8d905c912ce03c.exe
-
Size
734KB
-
MD5
89dbc4f04ae324045cd6d5f0946bb7d2
-
SHA1
1c1f708c2363b62c710cf184f989ae3757ba6784
-
SHA256
6b7bab0d720634759037ff5941f363563e99c1ff1350b2142d8d905c912ce03c
-
SHA512
a810dfa7d218058c03fb0f05654f45226da293828c3028d409d146c597ecdcd9861c56579684bf76085fbc4bb80e84a4e70cc8b3d4ef7e4fd7663f62daa3690c
-
SSDEEP
768:rZmchlXKGREW6VA6joSRhFH+C9Pe2auEqainmngYWxuv8Gwmwoe9R4ZstojtfcWv:schl6M+lpDCUoHid0bIrlyR
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 9 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b7bab0d720634759037ff5941f363563e99c1ff1350b2142d8d905c912ce03c.exe"C:\Users\Admin\AppData\Local\Temp\6b7bab0d720634759037ff5941f363563e99c1ff1350b2142d8d905c912ce03c.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 12513⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\Dllhost\dllhost.exe"C:\ProgramData\Dllhost\dllhost.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6067" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3780" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3780" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk7582" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk7582" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk5753" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off3⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12514⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off3⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12514⤵
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
965KB
MD5d2cf24d14696ec23b2dda2c9db3e12fc
SHA17c9881c582fdedaa6c74be8085bebbb395d59ce0
SHA256a1b92d08edc584c0607b02b869595ac9b92dabc067a510b535b5c54a6e22ccef
SHA51212120036ca048f3f32077b24066e7735107381b7586a8fad7d1c0b32c384df186be985d121b048c49af1d84f92d7d1d2fd0830b72f633e6b4d1d8cc86161b282
-
Filesize
965KB
MD5d2cf24d14696ec23b2dda2c9db3e12fc
SHA17c9881c582fdedaa6c74be8085bebbb395d59ce0
SHA256a1b92d08edc584c0607b02b869595ac9b92dabc067a510b535b5c54a6e22ccef
SHA51212120036ca048f3f32077b24066e7735107381b7586a8fad7d1c0b32c384df186be985d121b048c49af1d84f92d7d1d2fd0830b72f633e6b4d1d8cc86161b282
-
Filesize
497B
MD513fda2ab01b83a5130842a5bab3892d3
SHA16e18e4b467cde054a63a95d4dfc030f156ecd215
SHA25676973d42c8fceceab7ec85b3d01b218db92564993e93a9bea31c52aa73aeee9e
SHA512c51f9fd6e452fbeeedd4dfaba3c7c887e337f01e68abdd27d4032f8be85def7ef3cf0c77bf60e425b085b76c0539464c6b6e5e805a69397c5519e8ccf9fffccc
-
Filesize
2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
Filesize
18KB
MD5cdafc019a657800281a5f1ca39ab4ed6
SHA1666c7b0c379107a2cebc36f0f786ad3f121ab663
SHA256ebbf23eecbad815d170350df6de98f60b015ee0fda49715267fa16b4b347a5c3
SHA512fc7f751e83901d2f99fc4c2e52b1b993855d475181598da74a00e580e625264b0a7f2f1fc3f7461d3ee568c1cd62f828072cfa9d15eb4b651170f0d3259eb4c2
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
672KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
5.0MB
-
Filesize
584KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
660KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
6.2MB
-
Filesize
204KB
-
Filesize
120KB
-
Filesize
660KB
-
Filesize
592KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
300KB
-
Filesize
112KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
472KB
-
Filesize
1.6MB
-
Filesize
216KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
704KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB