b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 22:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe
Size

13KB
MD5

0ebd51f064e3849df82269f88864eae0
SHA1

2ee47047e9534c76b49807aaa0dfad1b79002eca
SHA256

b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218
SHA512

1eb9580fa6f6c65080cef20974c23cfdc9a6424d610db62376f8352445974299a192d6f7f182bc2d85aa4f71c59246bdbe7f10e907704657131acc88e76d77ea
SSDEEP

192:CFuzLRhI8dQzI3wxADwQ5s4Y1Uf08TXtNzcJajvo4AbvzJQhbjpBS1mbDAVlDRh:/zLvrT9wnFZ2bcgvU2

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360Soft = "C:\\Windows\\system32\\scvhost.exe"	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4692	sc.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 4292	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe	80
PID 1144 wrote to memory of 4292	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe	80
PID 1144 wrote to memory of 4292	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe	80
PID 4292 wrote to memory of 4680	4292	cmd.exe	82
PID 4292 wrote to memory of 4680	4292	cmd.exe	82
PID 4292 wrote to memory of 4680	4292	cmd.exe	82
PID 1144 wrote to memory of 3324	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe	83
PID 1144 wrote to memory of 3324	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe	83
PID 1144 wrote to memory of 3324	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe	83
PID 3324 wrote to memory of 5096	3324	cmd.exe	85
PID 3324 wrote to memory of 5096	3324	cmd.exe	85
PID 3324 wrote to memory of 5096	3324	cmd.exe	85
PID 1144 wrote to memory of 3816	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe	86
PID 1144 wrote to memory of 3816	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe	86
PID 1144 wrote to memory of 3816	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe	86
PID 3816 wrote to memory of 1384	3816	cmd.exe	88
PID 3816 wrote to memory of 1384	3816	cmd.exe	88
PID 3816 wrote to memory of 1384	3816	cmd.exe	88
PID 1384 wrote to memory of 2072	1384	net.exe	89
PID 1384 wrote to memory of 2072	1384	net.exe	89
PID 1384 wrote to memory of 2072	1384	net.exe	89
PID 1144 wrote to memory of 1112	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe	90
PID 1144 wrote to memory of 1112	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe	90
PID 1144 wrote to memory of 1112	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe	90
PID 1112 wrote to memory of 1912	1112	cmd.exe	92
PID 1112 wrote to memory of 1912	1112	cmd.exe	92
PID 1112 wrote to memory of 1912	1112	cmd.exe	92
PID 1912 wrote to memory of 1900	1912	net.exe	93
PID 1912 wrote to memory of 1900	1912	net.exe	93
PID 1912 wrote to memory of 1900	1912	net.exe	93
PID 1144 wrote to memory of 4884	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe	94
PID 1144 wrote to memory of 4884	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe	94
PID 1144 wrote to memory of 4884	1144	b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe	94
PID 4884 wrote to memory of 4692	4884	cmd.exe	96
PID 4884 wrote to memory of 4692	4884	cmd.exe	96
PID 4884 wrote to memory of 4692	4884	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe
"C:\Users\Admin\AppData\Local\Temp\b42e1d3653a9becdedd9b18d0bbc9fcef2443781b02178ac27f2867ffb805218.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32 /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32 /e /p everyone:f
    3⤵
    PID:4680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config sharedaccess start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\sc.exe
    sc config sharedaccess start= disabled
    3⤵
    - Launches sc.exe
    PID:4692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ope7360.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit