Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 161s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/11/2022, 14:29
Behavioral task behavioral1
Sample: 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Resource: win10v2004-20220901-en
General
Target: 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Size: 30KB
MD5: a4417609b23e1bd346c08396c6cf725d
SHA1: 7d8c643cf5ee9a54a2bc6816c5f9fc466f9b16f6
SHA256: 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4
SHA512: 28f8a44f89428f80a3011117d033db7754ef8ce1e7414ac8a3ed58c1dcb960b5438c0d448f00ec9eb483c47b8ecb0ec585d4c7a04e3273715de3287ac2d87f8d
SSDEEP: 384:FyE4zNF732Z7wehjhW0wKaoM9X6wfXiOQIp1LxlZnbJgmeshh7nUpwkhcPj6M+fS:FyE4zNFcwp0ZgMiXzx3nVgkUplM+cZ
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\msjxcs.com" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\msjxcs.com" | svchost.exe
Executes dropped EXE (1 IoC)
pid | Process
4904 | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}\StubPath = "C:\\Windows\\system32\\msxnns.com" | svchost.exe
UPX packed file (7 IoCs)
resource | yara_rule
behavioral2/memory/4872-132-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/files/0x0001000000022e0d-134.dat | upx
behavioral2/files/0x0001000000022e0d-135.dat | upx
behavioral2/files/0x0001000000022e0e-137.dat | upx
behavioral2/memory/4904-136-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/4872-140-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/4904-141-0x0000000000400000-0x000000000041C000-memory.dmp | upx
Drops file in System32 directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\msxnns.com | svchost.exe
File created | C:\Windows\SysWOW64\mslg.blf | svchost.exe
File opened for modification | C:\Windows\SysWOW64\mslg.blf | svchost.exe
File opened for modification | C:\Windows\SysWOW64\msxnns.com | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
File created | C:\Windows\SysWOW64\msxnns.com | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
File opened for modification | C:\Windows\SysWOW64\msxnns.com | svchost.exe
Drops file in Windows directory (8 IoCs)
description | ioc | Process
File created | C:\Windows\msagent\msjxcs.com | svchost.exe
File opened for modification | C:\Windows\svchost.exe | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
File created | C:\Windows\svchost.exe | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
File opened for modification | C:\Windows\msagent\msjxcs.com | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
File created | C:\Windows\msagent\msjxcs.com | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
File opened for modification | C:\Windows\svchost.exe | svchost.exe
File created | C:\Windows\svchost.exe | svchost.exe
File opened for modification | C:\Windows\msagent\msjxcs.com | svchost.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
4904 | svchost.exe
Suspicious use of AdjustPrivilegeToken (54 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeSecurityPrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeTakeOwnershipPrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeLoadDriverPrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeSystemProfilePrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeSystemtimePrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeProfSingleProcessPrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeIncBasePriorityPrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeCreatePagefilePrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeBackupPrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeRestorePrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeShutdownPrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeDebugPrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeSystemEnvironmentPrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeRemoteShutdownPrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeUndockPrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeManageVolumePrivilege | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: 33 | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: 34 | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: 35 | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: 36 | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe
Token: SeIncreaseQuotaPrivilege | 4904 | svchost.exe
Token: SeSecurityPrivilege | 4904 | svchost.exe
Token: SeTakeOwnershipPrivilege | 4904 | svchost.exe
Token: SeLoadDriverPrivilege | 4904 | svchost.exe
Token: SeSystemProfilePrivilege | 4904 | svchost.exe
Token: SeSystemtimePrivilege | 4904 | svchost.exe
Token: SeProfSingleProcessPrivilege | 4904 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4904 | svchost.exe
Token: SeCreatePagefilePrivilege | 4904 | svchost.exe
Token: SeBackupPrivilege | 4904 | svchost.exe
Token: SeRestorePrivilege | 4904 | svchost.exe
Token: SeShutdownPrivilege | 4904 | svchost.exe
Token: SeDebugPrivilege | 4904 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 4904 | svchost.exe
Token: SeRemoteShutdownPrivilege | 4904 | svchost.exe
Token: SeUndockPrivilege | 4904 | svchost.exe
Token: SeManageVolumePrivilege | 4904 | svchost.exe
Token: 33 | 4904 | svchost.exe
Token: 34 | 4904 | svchost.exe
Token: 35 | 4904 | svchost.exe
Token: 36 | 4904 | svchost.exe
Token: 33 | 4904 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4904 | svchost.exe
Token: 33 | 4904 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4904 | svchost.exe
Token: 33 | 4904 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4904 | svchost.exe
Token: 33 | 4904 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4904 | svchost.exe
Token: 33 | 4904 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4904 | svchost.exe
Token: 33 | 4904 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4904 | svchost.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4904 | svchost.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4872 wrote to memory of 4904 | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe | 80
PID 4872 wrote to memory of 4904 | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe | 80
PID 4872 wrote to memory of 4904 | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe | 80
PID 4872 wrote to memory of 1916 | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe | 81
PID 4872 wrote to memory of 1916 | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe | 81
PID 4872 wrote to memory of 1916 | 4872 | 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe | 81
Processes
C:\Users\Admin\AppData\Local\Temp\97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4.exe"
PID: 4872
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    C:\Windows\svchost.exe (depth 2, child of PID 4872)
    Command line: C:\Windows\svchost.exe
    PID: 4904
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\cmd.exe (depth 2, child of PID 4872)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\#3#.bat
    PID: 1916
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 244B
MD5: 1ae5b8aca0b8a0a0fa33db395f6d51db
SHA1: dec7bb5c3b158f94f17ea4c07d2154fbff541e74
SHA256: 33a53d31276790ecbe20262f5651a41762ddcdb403fe40416650b5d6d10d0de4
SHA512: 219a704f8dcf8cbc91dcc8b700fe088977bbc99c8f55adb5a068fdf9a392adb5f90430be2ff086d36f6d86cd2e6128dfb9f5a2ad55b2ab503cabea1856b53529

Filesize: 30KB
MD5: a4417609b23e1bd346c08396c6cf725d
SHA1: 7d8c643cf5ee9a54a2bc6816c5f9fc466f9b16f6
SHA256: 97842334b8f2f7909185756487d9f621b20bf240fdfe2219e51818e364856da4
SHA512: 28f8a44f89428f80a3011117d033db7754ef8ce1e7414ac8a3ed58c1dcb960b5438c0d448f00ec9eb483c47b8ecb0ec585d4c7a04e3273715de3287ac2d87f8d