Analysis
-
max time kernel
149s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system -
submitted
05-12-2022 06:50
Behavioral task
behavioral1
Sample
b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Resource
win10v2004-20220812-en
General
-
Target
b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
-
Size
33KB
-
MD5
8dc3c09152f151d2018ca2eb2dc805a6
-
SHA1
4021b68aba14f166ed8956057e9bc2e2e7b6c866
-
SHA256
b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db
-
SHA512
2ef5edafb53fb1309b1b80a800eb750511ad67d819bf0f5a4ad26302358a94bed79a85db2835892287614fde9919ab1c3b325c4315f0654427b2867c20164e2c
-
SSDEEP
768:FyE4zNFcwp0ZgMiXzx3nVgkUplM+6ojqG:FxGLtMeQjDjqG
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\mstwcr.com" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\mstwcr.com" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
-
Executes dropped EXE 1 IoCs
pid | Process
1216 | svchost.exe
-
resource | yara_rule
behavioral1/memory/1152-55-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/files/0x000a00000001331d-57.dat | upx
behavioral1/files/0x000a00000001331d-59.dat | upx
behavioral1/memory/1216-61-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1152-62-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1152-64-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1216-65-0x0000000000400000-0x000000000041C000-memory.dmp | upx
-
Deletes itself 1 IoCs
pid | Process
1056 | cmd.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\mslg.blf | svchost.exe
File opened for modification | C:\Windows\SysWOW64\mslg.blf | svchost.exe
-
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\msagent\mstwcr.com | svchost.exe
File opened for modification | C:\Windows\svchost.exe | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
File created | C:\Windows\svchost.exe | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
File opened for modification | C:\Windows\msagent\mstwcr.com | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
File created | C:\Windows\msagent\mstwcr.com | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
File opened for modification | C:\Windows\svchost.exe | svchost.exe
File created | C:\Windows\svchost.exe | svchost.exe
File opened for modification | C:\Windows\msagent\mstwcr.com | svchost.exe
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid | Process
1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
1216 | svchost.exe (this entry is repeated 26 times in the report)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1216 | svchost.exe
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeSecurityPrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeTakeOwnershipPrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeLoadDriverPrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeSystemProfilePrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeSystemtimePrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeProfSingleProcessPrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeIncBasePriorityPrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeCreatePagefilePrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeBackupPrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeRestorePrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeShutdownPrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeDebugPrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeSystemEnvironmentPrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeRemoteShutdownPrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeUndockPrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeManageVolumePrivilege | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: 33 | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: 34 | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: 35 | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Token: SeIncreaseQuotaPrivilege | 1216 | svchost.exe
Token: SeSecurityPrivilege | 1216 | svchost.exe
Token: SeTakeOwnershipPrivilege | 1216 | svchost.exe
Token: SeLoadDriverPrivilege | 1216 | svchost.exe
Token: SeSystemProfilePrivilege | 1216 | svchost.exe
Token: SeSystemtimePrivilege | 1216 | svchost.exe
Token: SeProfSingleProcessPrivilege | 1216 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1216 | svchost.exe
Token: SeCreatePagefilePrivilege | 1216 | svchost.exe
Token: SeBackupPrivilege | 1216 | svchost.exe
Token: SeRestorePrivilege | 1216 | svchost.exe
Token: SeShutdownPrivilege | 1216 | svchost.exe
Token: SeDebugPrivilege | 1216 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 1216 | svchost.exe
Token: SeRemoteShutdownPrivilege | 1216 | svchost.exe
Token: SeUndockPrivilege | 1216 | svchost.exe
Token: SeManageVolumePrivilege | 1216 | svchost.exe
Token: 33 | 1216 | svchost.exe
Token: 34 | 1216 | svchost.exe
Token: 35 | 1216 | svchost.exe
Token: 33 | 1216 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1216 | svchost.exe
(the preceding pair of entries, Token: 33 followed by Token: SeIncBasePriorityPrivilege for 1216 svchost.exe, appears 6 times in total in the report)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1216 | svchost.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1152 wrote to memory of 1216 | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe | 28
PID 1152 wrote to memory of 1216 | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe | 28
PID 1152 wrote to memory of 1216 | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe | 28
PID 1152 wrote to memory of 1216 | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe | 28
PID 1152 wrote to memory of 1056 | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe | 29
PID 1152 wrote to memory of 1056 | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe | 29
PID 1152 wrote to memory of 1056 | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe | 29
PID 1152 wrote to memory of 1056 | 1152 | b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe | 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db.exe"
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\svchost.exe
Command line: C:\Windows\svchost.exe
- Adds policy Run key to start application
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1216
-
-
C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\#3#.bat
- Deletes itself
PID:1056
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
244B
MD5 8178264b3aec8c151eefd57f63c5e8fd
SHA1 61050295e1e30a45d5ae2c8af998f948a13a76fd
SHA256 cb6d3dad6c58696485a5bf488c0d35e01d2d1e2367ee85a4569d55d8f5f25911
SHA512 369c293844b4004e45adb14aa326baab2a5d2d38e219256f6e44145b5f6d48c80f7ffeb2265f55fb425bdf2fe5a347345c6832c444a240dc7714388000b5e3d2
-
Filesize
33KB
MD5 8dc3c09152f151d2018ca2eb2dc805a6
SHA1 4021b68aba14f166ed8956057e9bc2e2e7b6c866
SHA256 b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db
SHA512 2ef5edafb53fb1309b1b80a800eb750511ad67d819bf0f5a4ad26302358a94bed79a85db2835892287614fde9919ab1c3b325c4315f0654427b2867c20164e2c
-
Filesize
33KB
MD5 8dc3c09152f151d2018ca2eb2dc805a6
SHA1 4021b68aba14f166ed8956057e9bc2e2e7b6c866
SHA256 b12e8e407b75da2d7511ff9fc8b4331491242561d6a7bb6f4279483c777918db
SHA512 2ef5edafb53fb1309b1b80a800eb750511ad67d819bf0f5a4ad26302358a94bed79a85db2835892287614fde9919ab1c3b325c4315f0654427b2867c20164e2c