27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc

Analysis

max time kernel
141s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 15:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe
Size

122KB
MD5

056823ce33b70d6f88574997744c9320
SHA1

6cb063e8c7f557426652b264ddd4068cf7d0bc0c
SHA256

27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc
SHA512

fec4503a9f34da3623df2f5aa4872c84563602cb7562e3fd0a7f575cd58083273de9d879c305efe77188d59f64952b44b4affac870cc3a950fdf9930311d3a37
SSDEEP

3072:BCflOgMfgs5+oOgMfgs5UoOgMfgs5YoH7ESz5f2mu:BOlhds9hds/hdstHVN+mu

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2032	alg.exe
1176	config.exe
1424	conime.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host = "C:\\Windows\\Host.exe"	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Host.exe	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe
File opened for modification	C:\Windows\Host.exe	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2032	1940	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe	27
PID 1940 wrote to memory of 2032	1940	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe	27
PID 1940 wrote to memory of 2032	1940	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe	27
PID 1940 wrote to memory of 2032	1940	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe	27
PID 1940 wrote to memory of 1176	1940	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe	28
PID 1940 wrote to memory of 1176	1940	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe	28
PID 1940 wrote to memory of 1176	1940	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe	28
PID 1940 wrote to memory of 1176	1940	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe	28
PID 1940 wrote to memory of 1424	1940	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe	29
PID 1940 wrote to memory of 1424	1940	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe	29
PID 1940 wrote to memory of 1424	1940	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe	29
PID 1940 wrote to memory of 1424	1940	27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe	29

C:\Users\Admin\AppData\Local\Temp\27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe
"C:\Users\Admin\AppData\Local\Temp\27fb67a89cc8d0450dba11cdee64d5761d8931ff034e3b8bed62cba55fc605fc.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\alg.exe
  C:\alg.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\config.exe
  C:\config.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\conime.exe
  C:\conime.exe
  2⤵
  - Executes dropped EXE
  PID:1424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\alg.exe

Filesize
31KB

MD5
2d4475bd79be5e70db541918b3f63ab6

SHA1
aec2a0cdbcb428697d2dbe70559d4c91a3fc19ad

SHA256
47f2b5f36bbde070fa1b4eda1f2d4d81efa17b439a4bd8782ed8b35804943133

SHA512
fd0feec8665ce3b93d2b088906da3710ffb42f9c963cb663a6d5c1ab83cd486a6e2b6ea18a686cf8f1b0ce2d520e1f5cd097cfb37f780d2d56c06b004f0ca489

Download Submit
C:\config.exe

Filesize
31KB

MD5
bd3c04ef5ef45cd54f09b3169d32a022

SHA1
37c4cd0e74902778f0f9cb5c089b3b6f22b03546

SHA256
e0e62247b750b8d2273218f1f30bbaf9102b74a358cd4d84e3e4e5cc0b2b3736

SHA512
6a1433a87d98c94f0b4d6e09849753b014e0e7bf9583ebcbdb6e866f06b5da54ce21a218a129f3af4bb25d6a0f978e7074bdd457a2bdfb121e8f28c5215b1c4e

Download Submit
C:\conime.exe

Filesize
31KB

MD5
9f489e9525c061f4c173d495a202e3da

SHA1
f816002a845f07928271e414c0ecad98ecaf1ab1

SHA256
fe0dfc7f88a89653e055d93f21a5b9f2a2d362f5e28aca9d2231a4210c922ddf

SHA512
63161e0a0bad0dcf2f6cc6a09ffca6b578dfc349dd3bf209b53dc646f1e7f701db876aba71c67c9401eba9ec82030373d41b556ec199687259248c6f9e35487d

Download Submit
memory/1940-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2032-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download