6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999

Analysis

max time kernel
19s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
Size

119KB
MD5

02161b2b713037000b6ca1829d1cb781
SHA1

87802e4ba123736af34fd9bca28eaa6b4717710f
SHA256

6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999
SHA512

f12ee70db3cc943fa6089b5a95dd64a185381ba0aa88c957c8b5578b610d208488c0ac5c64fc0eb71f47c87b9be310d7c17254100e42be1365237bd0980989c1
SSDEEP

3072:ZjUrEDD3+0aSrBd5Rov8/Z5EPO+sQJxACQMftC:ZQwHO0hTEvyZ5/kVC

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Serverx = "C:\\Windows\\system32\\Serverx.exe"	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Serverx.exe	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
File opened for modification	C:\WINDOWS\SysWOW64\SERVERX.EXE	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
File opened for modification	C:\Windows\SysWOW64\Serverx.exe	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\OEWABLog.txt	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe

Suspicious behavior: MapViewOfSection 23 IoCs

pid	Process
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
Token: SeTakeOwnershipPrivilege	1952	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
Token: SeRestorePrivilege	1952	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
Token: SeBackupPrivilege	1952	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
Token: SeChangeNotifyPrivilege	1952	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
Token: SeTakeOwnershipPrivilege	1952	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
Token: SeRestorePrivilege	1952	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
Token: SeBackupPrivilege	1952	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
Token: SeChangeNotifyPrivilege	1952	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1916	1952	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	28
PID 1952 wrote to memory of 1916	1952	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	28
PID 1952 wrote to memory of 1916	1952	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	28
PID 1952 wrote to memory of 1916	1952	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	28
PID 1952 wrote to memory of 1916	1952	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	28
PID 1952 wrote to memory of 1916	1952	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	28
PID 1952 wrote to memory of 1916	1952	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	28
PID 1916 wrote to memory of 368	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	3
PID 1916 wrote to memory of 368	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	3
PID 1916 wrote to memory of 368	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	3
PID 1916 wrote to memory of 368	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	3
PID 1916 wrote to memory of 368	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	3
PID 1916 wrote to memory of 384	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	2
PID 1916 wrote to memory of 384	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	2
PID 1916 wrote to memory of 384	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	2
PID 1916 wrote to memory of 384	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	2
PID 1916 wrote to memory of 384	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	2
PID 1916 wrote to memory of 420	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	1
PID 1916 wrote to memory of 420	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	1
PID 1916 wrote to memory of 420	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	1
PID 1916 wrote to memory of 420	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	1
PID 1916 wrote to memory of 420	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	1
PID 1916 wrote to memory of 464	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	6
PID 1916 wrote to memory of 464	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	6
PID 1916 wrote to memory of 464	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	6
PID 1916 wrote to memory of 464	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	6
PID 1916 wrote to memory of 464	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	6
PID 1916 wrote to memory of 480	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	7
PID 1916 wrote to memory of 480	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	7
PID 1916 wrote to memory of 480	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	7
PID 1916 wrote to memory of 480	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	7
PID 1916 wrote to memory of 480	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	7
PID 1916 wrote to memory of 488	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	8
PID 1916 wrote to memory of 488	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	8
PID 1916 wrote to memory of 488	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	8
PID 1916 wrote to memory of 488	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	8
PID 1916 wrote to memory of 488	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	8
PID 1916 wrote to memory of 596	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	27
PID 1916 wrote to memory of 596	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	27
PID 1916 wrote to memory of 596	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	27
PID 1916 wrote to memory of 596	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	27
PID 1916 wrote to memory of 596	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	27
PID 1916 wrote to memory of 672	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	26
PID 1916 wrote to memory of 672	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	26
PID 1916 wrote to memory of 672	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	26
PID 1916 wrote to memory of 672	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	26
PID 1916 wrote to memory of 672	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	26
PID 1916 wrote to memory of 748	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	25
PID 1916 wrote to memory of 748	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	25
PID 1916 wrote to memory of 748	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	25
PID 1916 wrote to memory of 748	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	25
PID 1916 wrote to memory of 748	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	25
PID 1916 wrote to memory of 812	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	24
PID 1916 wrote to memory of 812	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	24
PID 1916 wrote to memory of 812	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	24
PID 1916 wrote to memory of 812	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	24
PID 1916 wrote to memory of 812	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	24
PID 1916 wrote to memory of 856	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	23
PID 1916 wrote to memory of 856	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	23
PID 1916 wrote to memory of 856	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	23
PID 1916 wrote to memory of 856	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	23
PID 1916 wrote to memory of 856	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	23
PID 1916 wrote to memory of 880	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	22
PID 1916 wrote to memory of 880	1916	6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe	22

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:464
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:984
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1640
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1124
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1088
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1028
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:364
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:880
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:856
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:672
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:480
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1956

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1668

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
  "C:\Users\Admin\AppData\Local\Temp\6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe
    "C:\Users\Admin\AppData\Local\Temp\6ed927855d8f30d096512f61b034a3f1835b5080b36b6f9530e1583f8a763999.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1916

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-61-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1916-58-0x0000000001000000-0x000000000102A000-memory.dmp

Filesize
168KB

Download
memory/1916-59-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download
memory/1952-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1952-55-0x0000000001000000-0x000000000102A000-memory.dmp

Filesize
168KB

Download
memory/1952-60-0x0000000000720000-0x000000000074A000-memory.dmp

Filesize
168KB

Download
memory/1952-63-0x000000007EFA0000-0x000000007EFA8000-memory.dmp

Filesize
32KB

Download
memory/1952-64-0x0000000001000000-0x000000000102A000-memory.dmp

Filesize
168KB

Download