f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1

Analysis

max time kernel
162s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe
Size

12KB
MD5

a083ef50cb0f661815d39f820c9b0a40
SHA1

5d3306e4270cbd0d035d602d6f5488a96d7b2aac
SHA256

f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1
SHA512

c6622e716d87af025b6f312d49f76ae8e0e3095995dca0009da0f3503565d4ac09920681ba9acfc40e1b9b92d66216ecfd659b7130a2a5b3ccb0b0508b61b6ae
SSDEEP

192:W/WmbzFgZqnO7t262dwwXBbJCfo3+n0svoDW/vo4AbRQhbjpBnMbDAVlDRh:bmbzFgZEiYJ9q1/vUS

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360Soft = "C:\\Windows\\system32\\scvhost.exe"	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2496	sc.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4224	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	83
PID 4440 wrote to memory of 4224	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	83
PID 4440 wrote to memory of 4224	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	83
PID 4224 wrote to memory of 4260	4224	cmd.exe	85
PID 4224 wrote to memory of 4260	4224	cmd.exe	85
PID 4224 wrote to memory of 4260	4224	cmd.exe	85
PID 4440 wrote to memory of 4296	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	86
PID 4440 wrote to memory of 4296	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	86
PID 4440 wrote to memory of 4296	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	86
PID 4296 wrote to memory of 4052	4296	cmd.exe	88
PID 4296 wrote to memory of 4052	4296	cmd.exe	88
PID 4296 wrote to memory of 4052	4296	cmd.exe	88
PID 4440 wrote to memory of 3348	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	89
PID 4440 wrote to memory of 3348	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	89
PID 4440 wrote to memory of 3348	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	89
PID 4440 wrote to memory of 3784	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	91
PID 4440 wrote to memory of 3784	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	91
PID 4440 wrote to memory of 3784	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	91
PID 4440 wrote to memory of 2008	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	93
PID 4440 wrote to memory of 2008	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	93
PID 4440 wrote to memory of 2008	4440	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	93
PID 3784 wrote to memory of 3780	3784	cmd.exe	96
PID 3784 wrote to memory of 3780	3784	cmd.exe	96
PID 3784 wrote to memory of 3780	3784	cmd.exe	96
PID 2008 wrote to memory of 2496	2008	cmd.exe	97
PID 2008 wrote to memory of 2496	2008	cmd.exe	97
PID 2008 wrote to memory of 2496	2008	cmd.exe	97
PID 3348 wrote to memory of 1636	3348	cmd.exe	95
PID 3348 wrote to memory of 1636	3348	cmd.exe	95
PID 3348 wrote to memory of 1636	3348	cmd.exe	95
PID 3780 wrote to memory of 3800	3780	net.exe	98
PID 3780 wrote to memory of 3800	3780	net.exe	98
PID 3780 wrote to memory of 3800	3780	net.exe	98
PID 1636 wrote to memory of 3436	1636	net.exe	99
PID 1636 wrote to memory of 3436	1636	net.exe	99
PID 1636 wrote to memory of 3436	1636	net.exe	99

C:\Users\Admin\AppData\Local\Temp\f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe
"C:\Users\Admin\AppData\Local\Temp\f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32 /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32 /e /p everyone:f
    3⤵
    PID:4260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:3436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3780
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:3800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config sharedaccess start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\sc.exe
    sc config sharedaccess start= disabled
    3⤵
    - Launches sc.exe
    PID:2496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\opeE5F0.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit