f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 22:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe
Size

13KB
MD5

987bd385501bfecf6aeac037cd2e9db3
SHA1

15afff57b6054870a572775677be5cdbdb716e6e
SHA256

f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f
SHA512

c87f5011f069823f7b8ba52bef259ee2a4be640cfa60e0b974c6f26ddf8f2883a666ac467b13f8efd56d1d09be39d4ead240136a4eb5491d6cf4706a7f0d039d
SSDEEP

192:CFvzLRhI8dQzI3wxADwQ5s4Y1Uf08TXtNzcJajvo4AbvzJQhbjpBS1mbDAVlDRh:qzLvrT9wnFZ2bcgvU2

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360Soft = "C:\\Windows\\system32\\scvhost.exe"	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4292	sc.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 3720	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe	80
PID 4176 wrote to memory of 3720	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe	80
PID 4176 wrote to memory of 3720	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe	80
PID 4176 wrote to memory of 3988	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe	82
PID 4176 wrote to memory of 3988	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe	82
PID 4176 wrote to memory of 3988	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe	82
PID 3720 wrote to memory of 4112	3720	cmd.exe	84
PID 3720 wrote to memory of 4112	3720	cmd.exe	84
PID 3720 wrote to memory of 4112	3720	cmd.exe	84
PID 3988 wrote to memory of 3592	3988	cmd.exe	85
PID 3988 wrote to memory of 3592	3988	cmd.exe	85
PID 3988 wrote to memory of 3592	3988	cmd.exe	85
PID 4176 wrote to memory of 4368	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe	86
PID 4176 wrote to memory of 4368	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe	86
PID 4176 wrote to memory of 4368	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe	86
PID 4368 wrote to memory of 932	4368	cmd.exe	88
PID 4368 wrote to memory of 932	4368	cmd.exe	88
PID 4368 wrote to memory of 932	4368	cmd.exe	88
PID 4176 wrote to memory of 1460	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe	89
PID 4176 wrote to memory of 1460	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe	89
PID 4176 wrote to memory of 1460	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe	89
PID 932 wrote to memory of 1540	932	net.exe	90
PID 932 wrote to memory of 1540	932	net.exe	90
PID 932 wrote to memory of 1540	932	net.exe	90
PID 1460 wrote to memory of 4768	1460	cmd.exe	92
PID 1460 wrote to memory of 4768	1460	cmd.exe	92
PID 1460 wrote to memory of 4768	1460	cmd.exe	92
PID 4768 wrote to memory of 4748	4768	net.exe	93
PID 4768 wrote to memory of 4748	4768	net.exe	93
PID 4768 wrote to memory of 4748	4768	net.exe	93
PID 4176 wrote to memory of 4992	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe	94
PID 4176 wrote to memory of 4992	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe	94
PID 4176 wrote to memory of 4992	4176	f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe	94
PID 4992 wrote to memory of 4292	4992	cmd.exe	96
PID 4992 wrote to memory of 4292	4992	cmd.exe	96
PID 4992 wrote to memory of 4292	4992	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe
"C:\Users\Admin\AppData\Local\Temp\f249467b760dc8b6d1112eef31eea7ed66d87b56908f0314971994d99410e09f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32 /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32 /e /p everyone:f
    3⤵
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:1540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:4748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config sharedaccess start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\sc.exe
    sc config sharedaccess start= disabled
    3⤵
    - Launches sc.exe
    PID:4292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ope8E79.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit