f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f

Analysis

max time kernel
151s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe
Size

13KB
MD5

434a5d16e2daf22b54ff639c5c5a9014
SHA1

c8d777eb8b27af2cabeb3c3d3f994fd2d549493c
SHA256

f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f
SHA512

2e0a6af786ed83a106322244b48bd49e87910ada671f607a4d0da53a46504dfadeb4a0b6c51168f47f5cf6cfffe811f46d42dc008319044ca03021655de754be
SSDEEP

192:2tzYAc8d2M2dww2yvRGQ51iq10spXtNz/Vvo4AbvzJQhbjpBS1mbDAVlDRh:yzYi01RGOQsbNvU2

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360Soft = "C:\\Windows\\system32\\scvhost.exe"	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2844	sc.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 3924	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe	80
PID 2188 wrote to memory of 3924	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe	80
PID 2188 wrote to memory of 3924	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe	80
PID 2188 wrote to memory of 1628	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe	82
PID 2188 wrote to memory of 1628	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe	82
PID 2188 wrote to memory of 1628	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe	82
PID 3924 wrote to memory of 1896	3924	cmd.exe	84
PID 3924 wrote to memory of 1896	3924	cmd.exe	84
PID 3924 wrote to memory of 1896	3924	cmd.exe	84
PID 1628 wrote to memory of 5108	1628	cmd.exe	85
PID 1628 wrote to memory of 5108	1628	cmd.exe	85
PID 1628 wrote to memory of 5108	1628	cmd.exe	85
PID 2188 wrote to memory of 4332	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe	86
PID 2188 wrote to memory of 4332	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe	86
PID 2188 wrote to memory of 4332	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe	86
PID 4332 wrote to memory of 2396	4332	cmd.exe	88
PID 4332 wrote to memory of 2396	4332	cmd.exe	88
PID 4332 wrote to memory of 2396	4332	cmd.exe	88
PID 2188 wrote to memory of 1680	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe	89
PID 2188 wrote to memory of 1680	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe	89
PID 2188 wrote to memory of 1680	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe	89
PID 1680 wrote to memory of 4216	1680	cmd.exe	91
PID 1680 wrote to memory of 4216	1680	cmd.exe	91
PID 1680 wrote to memory of 4216	1680	cmd.exe	91
PID 2396 wrote to memory of 1112	2396	net.exe	93
PID 2396 wrote to memory of 1112	2396	net.exe	93
PID 2396 wrote to memory of 1112	2396	net.exe	93
PID 2188 wrote to memory of 4132	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe	92
PID 2188 wrote to memory of 4132	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe	92
PID 2188 wrote to memory of 4132	2188	f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe	92
PID 4216 wrote to memory of 620	4216	net.exe	94
PID 4216 wrote to memory of 620	4216	net.exe	94
PID 4216 wrote to memory of 620	4216	net.exe	94
PID 4132 wrote to memory of 2844	4132	cmd.exe	96
PID 4132 wrote to memory of 2844	4132	cmd.exe	96
PID 4132 wrote to memory of 2844	4132	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe
"C:\Users\Admin\AppData\Local\Temp\f5d31c5c72cf3db0a3df79e0fa8777463103233cd0c54a7e4e5b82d871dece6f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32 /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32 /e /p everyone:f
    3⤵
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config sharedaccess start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\sc.exe
    sc config sharedaccess start= disabled
    3⤵
    - Launches sc.exe
    PID:2844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\opeCE13.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit