37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe
Size

325KB
MD5

9a94953874acd465d88fa206b7345e30
SHA1

1cb7b0e8406d58137fc474527de266602a56a077
SHA256

37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1
SHA512

b1e6e9819a56e15f03dc9f3760a1e0d36d72ea20e16f49a7ed3ec79c2ea1b20b701a1065ad0d2f611c17b020b47dee2a196dccf2015bc37fbe6bcdd4c593e94b
SSDEEP

6144:OFq4nHcdPGhy6W7i7zR6itxuP9e6JhRxVyit4DfiYw+o5Pa5:OFq4nHcdehgWvRtHk9e6bfbYa7k

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1072	ssss.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3G4L2686-J4L1-X5MV-12RE-JFH5V38F5030}	ssss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3G4L2686-J4L1-X5MV-12RE-JFH5V38F5030}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ssss.exe Restart"	ssss.exe

Loads dropped DLL 1 IoCs

pid	Process
1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	ssss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\xcrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ssss.exe"	ssss.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ssss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xdocx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ssss.exe"	ssss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1104 set thread context of 1072	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe	27

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1072	ssss.exe
1072	ssss.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: 33	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe
Token: SeIncBasePriorityPrivilege	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe
Token: 33	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe
Token: SeIncBasePriorityPrivilege	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe
Token: 33	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe
Token: SeIncBasePriorityPrivilege	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe
Token: 33	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe
Token: SeIncBasePriorityPrivilege	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe
Token: SeDebugPrivilege	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe
Token: 33	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe
Token: SeIncBasePriorityPrivilege	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe
Token: SeDebugPrivilege	1072	ssss.exe
Token: SeDebugPrivilege	1072	ssss.exe
Token: SeDebugPrivilege	1072	ssss.exe
Token: SeDebugPrivilege	1072	ssss.exe
Token: SeDebugPrivilege	1072	ssss.exe
Token: SeDebugPrivilege	1072	ssss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1072	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe	27
PID 1104 wrote to memory of 1072	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe	27
PID 1104 wrote to memory of 1072	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe	27
PID 1104 wrote to memory of 1072	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe	27
PID 1104 wrote to memory of 1072	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe	27
PID 1104 wrote to memory of 1072	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe	27
PID 1104 wrote to memory of 1072	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe	27
PID 1104 wrote to memory of 1072	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe	27
PID 1104 wrote to memory of 1072	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe	27
PID 1104 wrote to memory of 1072	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe	27
PID 1104 wrote to memory of 1072	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe	27
PID 1104 wrote to memory of 1072	1104	37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe	27
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28
PID 1072 wrote to memory of 1192	1072	ssss.exe	28

C:\Users\Admin\AppData\Local\Temp\37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe
"C:\Users\Admin\AppData\Local\Temp\37878d91dfae1dcd872bb01e5f26ff52248d3730b01b2e24136e8d2ee19e76f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\ssss.exe_v322A05A9\TheApp\STUBEXE\@APPDATALOCAL@\Temp\ssss.exe
  C:\Users\Admin\AppData\Local\Temp\ssss.exe
  2⤵
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\ssss.exe_v322A05A9\TheApp\STUBEXE\@APPDATALOCAL@\Temp\ssss.exe

Filesize
16KB

MD5
b9fb166600486b6a7926053bc9f88c98

SHA1
54d264f73e3aa49d67c3d6f4eb2d5080dc3afec1

SHA256
e18f02750275fedd46d9077f27381d1ce2af512e7950f4130b8b495a4ca52518

SHA512
052e5730ccfde687f1b6e5e2340b0c873061e5f5d6ada0a2744ee6017f0f2c03f0e8240a4e8e991c0c93fd004c0e1aee0d9f1b07a654f749310a528fb89ebe76

Download Submit
\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\ssss.exe_v322A05A9\TheApp\STUBEXE\@APPDATALOCAL@\Temp\ssss.exe

Filesize
16KB

MD5
b9fb166600486b6a7926053bc9f88c98

SHA1
54d264f73e3aa49d67c3d6f4eb2d5080dc3afec1

SHA256
e18f02750275fedd46d9077f27381d1ce2af512e7950f4130b8b495a4ca52518

SHA512
052e5730ccfde687f1b6e5e2340b0c873061e5f5d6ada0a2744ee6017f0f2c03f0e8240a4e8e991c0c93fd004c0e1aee0d9f1b07a654f749310a528fb89ebe76

Download Submit
memory/1072-350-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-334-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-327-0x00000000004087D0-mapping.dmp

Download
memory/1104-115-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-107-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-67-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-69-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-71-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-73-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-75-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-79-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-87-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-89-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-97-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-99-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-103-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-105-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-109-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-113-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-117-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-55-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-111-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-65-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-101-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-95-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-93-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-91-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-85-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-83-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-81-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-77-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-301-0x00000000002DB000-0x00000000002DD000-memory.dmp

Filesize
8KB

Download
memory/1104-303-0x00000000002D9000-0x00000000002DB000-memory.dmp

Filesize
8KB

Download
memory/1104-299-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-63-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-61-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-59-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-331-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-332-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1104-333-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1104-57-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1104-54-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download