b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7

Analysis

max time kernel
134s
max time network
57s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 15:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe
Size

158KB
MD5

e0b0fe2c3aaf8ef8feeeb6d14e212520
SHA1

0206b7ea5dff7d49207ec3e80e95dc65704ebf93
SHA256

b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7
SHA512

9bee761cc95d21877a77acd96e01290da65b09ebc534ed6b5bf44f4a33309fd99bca7e0e479e1bba006654980db710ed09ef1f86982abd9d4c912921d2a3aebf
SSDEEP

3072:b+xiEXGEUf60dNmQ3difEYSkpIzeNhlSpRt4hBH+qAdAcuTtBB/:0i28y0dd3dqEpoh0pRt4H+Zd0TPN

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
688	msvcrt.exe
576	msvcrt.exe

Deletes itself 1 IoCs

pid	Process
1132	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1672	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe
1672	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\msvcrt_ = "C:\\Users\\Admin\\AppData\\Roaming\\Ms_dir_\\msvcrt.exe"	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 1672	1736	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	28
PID 688 set thread context of 576	688	msvcrt.exe	32

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
576	msvcrt.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1672	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	msvcrt.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1672	1736	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	28
PID 1736 wrote to memory of 1672	1736	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	28
PID 1736 wrote to memory of 1672	1736	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	28
PID 1736 wrote to memory of 1672	1736	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	28
PID 1736 wrote to memory of 1672	1736	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	28
PID 1736 wrote to memory of 1672	1736	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	28
PID 1736 wrote to memory of 1672	1736	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	28
PID 1736 wrote to memory of 1672	1736	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	28
PID 1736 wrote to memory of 1672	1736	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	28
PID 1736 wrote to memory of 1672	1736	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	28
PID 1672 wrote to memory of 688	1672	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	31
PID 1672 wrote to memory of 688	1672	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	31
PID 1672 wrote to memory of 688	1672	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	31
PID 1672 wrote to memory of 688	1672	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	31
PID 688 wrote to memory of 576	688	msvcrt.exe	32
PID 688 wrote to memory of 576	688	msvcrt.exe	32
PID 688 wrote to memory of 576	688	msvcrt.exe	32
PID 688 wrote to memory of 576	688	msvcrt.exe	32
PID 688 wrote to memory of 576	688	msvcrt.exe	32
PID 688 wrote to memory of 576	688	msvcrt.exe	32
PID 688 wrote to memory of 576	688	msvcrt.exe	32
PID 688 wrote to memory of 576	688	msvcrt.exe	32
PID 688 wrote to memory of 576	688	msvcrt.exe	32
PID 688 wrote to memory of 576	688	msvcrt.exe	32
PID 1672 wrote to memory of 1132	1672	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	33
PID 1672 wrote to memory of 1132	1672	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	33
PID 1672 wrote to memory of 1132	1672	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	33
PID 1672 wrote to memory of 1132	1672	b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe	33

C:\Users\Admin\AppData\Local\Temp\b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe
"C:\Users\Admin\AppData\Local\Temp\b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1736
- \??\c:\users\admin\appdata\local\temp\b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe
  "c:\users\admin\appdata\local\temp\b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Users\Admin\AppData\Roaming\Ms_dir_\msvcrt.exe
    C:\Users\Admin\AppData\Roaming\Ms_dir_\msvcrt.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:688
  - - \??\c:\users\admin\appdata\roaming\ms_dir_\msvcrt.exe
      "c:\users\admin\appdata\roaming\ms_dir_\msvcrt.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:576
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Deletes itself
    PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ms_dir_\msvcrt.exe

Filesize
158KB

MD5
e0b0fe2c3aaf8ef8feeeb6d14e212520

SHA1
0206b7ea5dff7d49207ec3e80e95dc65704ebf93

SHA256
b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7

SHA512
9bee761cc95d21877a77acd96e01290da65b09ebc534ed6b5bf44f4a33309fd99bca7e0e479e1bba006654980db710ed09ef1f86982abd9d4c912921d2a3aebf

Download Submit
C:\Users\Admin\AppData\Roaming\Ms_dir_\msvcrt.exe

Filesize
158KB

MD5
e0b0fe2c3aaf8ef8feeeb6d14e212520

SHA1
0206b7ea5dff7d49207ec3e80e95dc65704ebf93

SHA256
b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7

SHA512
9bee761cc95d21877a77acd96e01290da65b09ebc534ed6b5bf44f4a33309fd99bca7e0e479e1bba006654980db710ed09ef1f86982abd9d4c912921d2a3aebf

Download Submit
\??\c:\users\admin\appdata\roaming\ms_dir_\msvcrt.exe

Filesize
158KB

MD5
e0b0fe2c3aaf8ef8feeeb6d14e212520

SHA1
0206b7ea5dff7d49207ec3e80e95dc65704ebf93

SHA256
b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7

SHA512
9bee761cc95d21877a77acd96e01290da65b09ebc534ed6b5bf44f4a33309fd99bca7e0e479e1bba006654980db710ed09ef1f86982abd9d4c912921d2a3aebf

Download Submit
\Users\Admin\AppData\Roaming\Ms_dir_\msvcrt.exe

Filesize
158KB

MD5
e0b0fe2c3aaf8ef8feeeb6d14e212520

SHA1
0206b7ea5dff7d49207ec3e80e95dc65704ebf93

SHA256
b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7

SHA512
9bee761cc95d21877a77acd96e01290da65b09ebc534ed6b5bf44f4a33309fd99bca7e0e479e1bba006654980db710ed09ef1f86982abd9d4c912921d2a3aebf

Download Submit
\Users\Admin\AppData\Roaming\Ms_dir_\msvcrt.exe

Filesize
158KB

MD5
e0b0fe2c3aaf8ef8feeeb6d14e212520

SHA1
0206b7ea5dff7d49207ec3e80e95dc65704ebf93

SHA256
b30e5281e4d7ed0193570d4308d048c76a6a6c84ffc87db47936978b42a5d0f7

SHA512
9bee761cc95d21877a77acd96e01290da65b09ebc534ed6b5bf44f4a33309fd99bca7e0e479e1bba006654980db710ed09ef1f86982abd9d4c912921d2a3aebf

Download Submit
memory/576-87-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1672-61-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1672-67-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1672-66-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1672-65-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1672-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1672-54-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1672-59-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1672-57-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1672-55-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download