b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd

Analysis

max time kernel
133s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
Size

586KB
MD5

3f990390dc8abd28588e1b2c064dcab0
SHA1

a53aa1f5b33531846bcc2370a0b7a74523a285d4
SHA256

b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd
SHA512

b65691bffd82dfc8254ba32559623d5ef0493e034d7f79693fdd0bb62cce11755135b0caddfb8a0d8f9840f0554326849c22532fc1845c41f739418276fc8fec
SSDEEP

12288:dkSEug8eF4vEIaF82hdnWZPkGygCreEyetj9pDBbt1z:uZ8ey5aCqaCreBelFz

Score

8^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2036	mscorsvw.exe
464	Process not Found
2016	mscorsvw.exe
1776	mscorsvw.exe
556	dllhost.exe

Loads dropped DLL 3 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000\EnableNotifications = "0"	dllhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000\EnableNotifications = "0"	mscorsvw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000	dllhost.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\dllhost.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\alg.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\system32\alg.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\system32\fxssvc.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\alg.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.vir	mscorsvw.exe
File created	\??\c:\windows\ehome\ehsched.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D750C7F2-5AA2-469E-831F-BA4894B576FB}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D750C7F2-5AA2-469E-831F-BA4894B576FB}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1504	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
Token: SeTakeOwnershipPrivilege	2016	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	556	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
"C:\Users\Admin\AppData\Local\Temp\b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2036

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
590KB

MD5
a8877d014bb1664698cfd10df967e944

SHA1
b55746c4ca01f2c014461bd009e6cc8a96ec21d9

SHA256
794bcc556b2e63f584ca9b90f58fc44973d4db16d7d48f6362eee31bba35d665

SHA512
edae88a0c34a943c432b15391d4ce059319124f20d67d0cced6593cf828d70c14e4eea1a5390996bfddbc5c464c67b7b96c32ede7a348c03ef82c2dedefe9f70

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
590KB

MD5
a8877d014bb1664698cfd10df967e944

SHA1
b55746c4ca01f2c014461bd009e6cc8a96ec21d9

SHA256
794bcc556b2e63f584ca9b90f58fc44973d4db16d7d48f6362eee31bba35d665

SHA512
edae88a0c34a943c432b15391d4ce059319124f20d67d0cced6593cf828d70c14e4eea1a5390996bfddbc5c464c67b7b96c32ede7a348c03ef82c2dedefe9f70

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
567KB

MD5
c14acc9c02452703bca545a3b3644934

SHA1
8ce3a028529f3a5f4582d19b0d51669659153ec0

SHA256
6e408a3a13e5f67bc6da172b4214b5b215386d52959de442d247ce3d7ef298b0

SHA512
912d1701e5e2ecc96f5f16434d136541fe15eaf644c7dedde22dcc16e0dad9508235602ab4b83e4f413088480eecc7813c211c94e96c256648c2200ce4fe1353

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
567KB

MD5
c14acc9c02452703bca545a3b3644934

SHA1
8ce3a028529f3a5f4582d19b0d51669659153ec0

SHA256
6e408a3a13e5f67bc6da172b4214b5b215386d52959de442d247ce3d7ef298b0

SHA512
912d1701e5e2ecc96f5f16434d136541fe15eaf644c7dedde22dcc16e0dad9508235602ab4b83e4f413088480eecc7813c211c94e96c256648c2200ce4fe1353

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
598KB

MD5
b058afd58eaf8ce510275775ee0e5e1d

SHA1
60046e39fc5884ea974cab2e248cba87eee1311f

SHA256
31b4c253586d79fc7ead07a7a124035dfe3ac606fc4497f56941e6e3448df17c

SHA512
6b0be8c031964d06bb2b29936b42e07cd5845d2fcc71efc6b47fb580121dc43e9b5cb589fb2c36c98342226772092050bec8d60ef6a0835dec909e1c7bc5a343

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
517KB

MD5
74eee536fdbf8f9087a294fbf028af2d

SHA1
b550465ef2690769ed74d872ee05f5dd87a87f99

SHA256
efbb3ba5231f3c3c8bfee66f4c762aff2a2b2f45c5bbb437d6b3df545ae9ebdf

SHA512
12ef832ec535f91712696a742923ea3e05fd42d75d895947aede92f32fc002d8a39af32bb7062f67abc30a885db6f0635cf82dbb6411cbf5731d1fe7c953b294

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
544KB

MD5
c945df818858008d6c8ed64863a12716

SHA1
2cc8c25b2e8225e4721721a6c36df44ab50802b4

SHA256
296f2147fa736adb4f1d419158c46f6b67b2baa9e535cdcb893db194bb4774ef

SHA512
e4417fd6ecb4571b0e08cff24ed13164343301ebbd2e563fcbb8eb55b8a40f5dd8b7e7e120e4fc132f529d6c9815c4e61776b8dad1f544a692f67d0b6f4b0b20

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe

Filesize
618KB

MD5
281010e41329756481ca2eea98810c30

SHA1
c9386b3bb3bc09af7906a4721f288ae3250b2841

SHA256
a8141204f18ae7899f167ef3b226429c7b836a8316fbaa7366d3a143414d71d2

SHA512
6ea7978f384f81a4ee19d360c37a477a86732ff0fbc398f6667c327ec1dff5950bdd9252665cb0113e5b27effa848b0860bf57e9379d581fc692f5ae713ae223

Download Submit
\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

Filesize
598KB

MD5
b058afd58eaf8ce510275775ee0e5e1d

SHA1
60046e39fc5884ea974cab2e248cba87eee1311f

SHA256
31b4c253586d79fc7ead07a7a124035dfe3ac606fc4497f56941e6e3448df17c

SHA512
6b0be8c031964d06bb2b29936b42e07cd5845d2fcc71efc6b47fb580121dc43e9b5cb589fb2c36c98342226772092050bec8d60ef6a0835dec909e1c7bc5a343

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
585KB

MD5
b9b7386406a6af50f324fa0145a0315a

SHA1
935e1fe943de753e1ba6d5a24fdec987ac0670a9

SHA256
81de252c33b3aae9404fc9cdd601e1bc9444195cf9ef8d9d43d8c5c4893140b6

SHA512
3cac7f707820d5d68fa2667f03e752d9f2149660c2e3fc6b95effc0e8a17139c286fe6d550eb3494892812e1ec57ad9385ca789312d9ab6edb83522e9849d8cf

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
590KB

MD5
a8877d014bb1664698cfd10df967e944

SHA1
b55746c4ca01f2c014461bd009e6cc8a96ec21d9

SHA256
794bcc556b2e63f584ca9b90f58fc44973d4db16d7d48f6362eee31bba35d665

SHA512
edae88a0c34a943c432b15391d4ce059319124f20d67d0cced6593cf828d70c14e4eea1a5390996bfddbc5c464c67b7b96c32ede7a348c03ef82c2dedefe9f70

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
590KB

MD5
a8877d014bb1664698cfd10df967e944

SHA1
b55746c4ca01f2c014461bd009e6cc8a96ec21d9

SHA256
794bcc556b2e63f584ca9b90f58fc44973d4db16d7d48f6362eee31bba35d665

SHA512
edae88a0c34a943c432b15391d4ce059319124f20d67d0cced6593cf828d70c14e4eea1a5390996bfddbc5c464c67b7b96c32ede7a348c03ef82c2dedefe9f70

Download Submit
\Windows\System32\dllhost.exe

Filesize
517KB

MD5
74eee536fdbf8f9087a294fbf028af2d

SHA1
b550465ef2690769ed74d872ee05f5dd87a87f99

SHA256
efbb3ba5231f3c3c8bfee66f4c762aff2a2b2f45c5bbb437d6b3df545ae9ebdf

SHA512
12ef832ec535f91712696a742923ea3e05fd42d75d895947aede92f32fc002d8a39af32bb7062f67abc30a885db6f0635cf82dbb6411cbf5731d1fe7c953b294

Download Submit
\Windows\System32\dllhost.exe

Filesize
517KB

MD5
74eee536fdbf8f9087a294fbf028af2d

SHA1
b550465ef2690769ed74d872ee05f5dd87a87f99

SHA256
efbb3ba5231f3c3c8bfee66f4c762aff2a2b2f45c5bbb437d6b3df545ae9ebdf

SHA512
12ef832ec535f91712696a742923ea3e05fd42d75d895947aede92f32fc002d8a39af32bb7062f67abc30a885db6f0635cf82dbb6411cbf5731d1fe7c953b294

Download Submit
memory/556-76-0x0000000100000000-0x00000001001C9000-memory.dmp

Filesize
1.8MB

Download
memory/556-77-0x0000000100000000-0x00000001001C9000-memory.dmp

Filesize
1.8MB

Download
memory/1504-54-0x0000000001000000-0x00000000011CF000-memory.dmp

Filesize
1.8MB

Download
memory/1504-56-0x0000000001000000-0x00000000011CF000-memory.dmp

Filesize
1.8MB

Download
memory/1504-55-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1776-70-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2016-65-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2016-71-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2016-64-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2036-59-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download