Analysis
- max time kernel: 146s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 14:29
Behavioral task: behavioral1
- Sample: 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
- Resource: win10v2004-20220901-en
General
- Target: 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
- Size: 30KB
- MD5: a4417609b23e1bd346c08396c6cf725d
- SHA1: 7d8c643cf5ee9a54a2bc6816c5f9fc466f9b16f6
- SHA256: 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4
- SHA512: 28f8a44f89428f80a3011117d033db7754ef8ce1e7414ac8a3ed58c1dcb960b5438c0d448f00ec9eb483c47b8ecb0ec585d4c7a04e3273715de3287ac2d87f8d
- SSDEEP: 384:FyE4zNF732Z7wehjhW0wKaoM9X6wfXiOQIp1LxlZnbJgmeshh7nUpwkhcPj6M+fS:FyE4zNFcwp0ZgMiXzx3nVgkUplM+cZ
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  description: ioc (Process)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svchost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\msjxcs.com" (svchost.exe)
  Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run (svchost.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\msjxcs.com" (svchost.exe)
- Executes dropped EXE (1 IoC)
  pid (Process)
  1740 (svchost.exe)
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  description: ioc (Process)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D} (svchost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}\StubPath = "C:\\Windows\\system32\\msxnns.com" (svchost.exe)
- resource (yara_rule)
  behavioral1/memory/1344-55-0x0000000000400000-0x000000000041C000-memory.dmp (upx)
  behavioral1/files/0x0007000000005c50-57.dat (upx)
  behavioral1/files/0x0007000000005c50-59.dat (upx)
  behavioral1/files/0x000a000000013445-60.dat (upx)
  behavioral1/memory/1344-62-0x0000000000400000-0x000000000041C000-memory.dmp (upx)
  behavioral1/memory/1740-63-0x0000000000400000-0x000000000041C000-memory.dmp (upx)
  behavioral1/memory/1740-65-0x0000000000400000-0x000000000041C000-memory.dmp (upx)
- Deletes itself (1 IoC)
  pid (Process)
  728 (cmd.exe)
- Drops file in System32 directory (6 IoCs)
  description: ioc (Process)
  File created: C:\Windows\SysWOW64\msxnns.com (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe)
  File opened for modification: C:\Windows\SysWOW64\msxnns.com (svchost.exe)
  File created: C:\Windows\SysWOW64\msxnns.com (svchost.exe)
  File created: C:\Windows\SysWOW64\mslg.blf (svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\mslg.blf (svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\msxnns.com (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe)
- Drops file in Windows directory (8 IoCs)
  description: ioc (Process)
  File opened for modification: C:\Windows\msagent\msjxcs.com (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe)
  File created: C:\Windows\msagent\msjxcs.com (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe)
  File opened for modification: C:\Windows\svchost.exe (svchost.exe)
  File created: C:\Windows\svchost.exe (svchost.exe)
  File opened for modification: C:\Windows\msagent\msjxcs.com (svchost.exe)
  File created: C:\Windows\msagent\msjxcs.com (svchost.exe)
  File opened for modification: C:\Windows\svchost.exe (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe)
  File created: C:\Windows\svchost.exe (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe)
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description: ioc (Process)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (svchost.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid (Process)
  1740 (svchost.exe)
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  description: pid (Process)
  PID 1344 (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe), tokens in order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  PID 1740 (svchost.exe), tokens in order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid (Process)
  1740 (svchost.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: pid (Process), procid_target
  PID 1344 wrote to memory of 1740: 1344 (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe), 26
  PID 1344 wrote to memory of 1740: 1344 (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe), 26
  PID 1344 wrote to memory of 1740: 1344 (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe), 26
  PID 1344 wrote to memory of 1740: 1344 (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe), 26
  PID 1344 wrote to memory of 728: 1344 (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe), 27
  PID 1344 wrote to memory of 728: 1344 (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe), 27
  PID 1344 wrote to memory of 728: 1344 (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe), 27
  PID 1344 wrote to memory of 728: 1344 (97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe), 27
Processes
- C:\Users\Admin\AppData\Local\Temp\97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1344
  - C:\Windows\svchost.exe
    Command line: C:\Windows\svchost.exe
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 1740
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\#3#.bat
    - Deletes itself
    PID: 728
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 244B
  MD5: 1ae5b8aca0b8a0a0fa33db395f6d51db
  SHA1: dec7bb5c3b158f94f17ea4c07d2154fbff541e74
  SHA256: 33a53d31276790ecbe20262f5651a41762ddcdb403fe40416650b5d6d10d0de4
  SHA512: 219a704f8dcf8cbc91dcc8b700fe088977bbc99c8f55adb5a068fdf9a392adb5f90430be2ff086d36f6d86cd2e6128dfb9f5a2ad55b2ab503cabea1856b53529
- Filesize: 30KB
  MD5: a4417609b23e1bd346c08396c6cf725d
  SHA1: 7d8c643cf5ee9a54a2bc6816c5f9fc466f9b16f6
  SHA256: 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4
  SHA512: 28f8a44f89428f80a3011117d033db7754ef8ce1e7414ac8a3ed58c1dcb960b5438c0d448f00ec9eb483c47b8ecb0ec585d4c7a04e3273715de3287ac2d87f8d
- Filesize: 30KB
  MD5: a4417609b23e1bd346c08396c6cf725d
  SHA1: 7d8c643cf5ee9a54a2bc6816c5f9fc466f9b16f6
  SHA256: 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4
  SHA512: 28f8a44f89428f80a3011117d033db7754ef8ce1e7414ac8a3ed58c1dcb960b5438c0d448f00ec9eb483c47b8ecb0ec585d4c7a04e3273715de3287ac2d87f8d
- Filesize: 30KB
  MD5: a4417609b23e1bd346c08396c6cf725d
  SHA1: 7d8c643cf5ee9a54a2bc6816c5f9fc466f9b16f6
  SHA256: 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4
  SHA512: 28f8a44f89428f80a3011117d033db7754ef8ce1e7414ac8a3ed58c1dcb960b5438c0d448f00ec9eb483c47b8ecb0ec585d4c7a04e3273715de3287ac2d87f8d