f2a1958e76611c58b10dfd2fa7f81194dbf7aad08ecac96981e201f438e5f1e6

Analysis

max time kernel
218s
max time network
233s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 15:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f2a1958e76611c58b10dfd2fa7f81194dbf7aad08ecac96981e201f438e5f1e6.exe
Size

116KB
MD5

f2666441d6f1a268fdcb1b09959f279b
SHA1

afa809465499282af2564292b4f127527bd9ded2
SHA256

f2a1958e76611c58b10dfd2fa7f81194dbf7aad08ecac96981e201f438e5f1e6
SHA512

5d9cc569d1c4de02c757c82509d7f7601214ca4349712510df65f81dc6b168205973f7735618bee25f024c0827ad2c07c067e527c68179cf29251031f21acf64
SSDEEP

3072:+Gu9BlfzWIbXWm+w0JU5o1fdNvdv0zywUxC8t+3nT:+/0uot1VizrDL

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4620	Éú³É.Exe
220	svchest1164.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Éú³É.Exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\:\Program Files\Common Files\svchest1164.exe = "C:\\Program Files\\Common Files\\svchest1164.exe"	Éú³É.Exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f2a1958e76611c58b10dfd2fa7f81194dbf7aad08ecac96981e201f438e5f1e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f2a1958e76611c58b10dfd2fa7f81194dbf7aad08ecac96981e201f438e5f1e6.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\svchest1164.exe	Éú³É.Exe
File created	C:\Program Files\svchest.exe	svchest1164.exe
File created	C:\Program Files\Common Files\svchest1164.exe	Éú³É.Exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3092	taskkill.exe
1032	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe
220	svchest1164.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	3092	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 4620	3020	f2a1958e76611c58b10dfd2fa7f81194dbf7aad08ecac96981e201f438e5f1e6.exe	82
PID 3020 wrote to memory of 4620	3020	f2a1958e76611c58b10dfd2fa7f81194dbf7aad08ecac96981e201f438e5f1e6.exe	82
PID 3020 wrote to memory of 4620	3020	f2a1958e76611c58b10dfd2fa7f81194dbf7aad08ecac96981e201f438e5f1e6.exe	82
PID 4620 wrote to memory of 1032	4620	Éú³É.Exe	83
PID 4620 wrote to memory of 1032	4620	Éú³É.Exe	83
PID 4620 wrote to memory of 1032	4620	Éú³É.Exe	83
PID 4620 wrote to memory of 220	4620	Éú³É.Exe	85
PID 4620 wrote to memory of 220	4620	Éú³É.Exe	85
PID 4620 wrote to memory of 220	4620	Éú³É.Exe	85
PID 220 wrote to memory of 3092	220	svchest1164.exe	86
PID 220 wrote to memory of 3092	220	svchest1164.exe	86
PID 220 wrote to memory of 3092	220	svchest1164.exe	86

C:\Users\Admin\AppData\Local\Temp\f2a1958e76611c58b10dfd2fa7f81194dbf7aad08ecac96981e201f438e5f1e6.exe
"C:\Users\Admin\AppData\Local\Temp\f2a1958e76611c58b10dfd2fa7f81194dbf7aad08ecac96981e201f438e5f1e6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Éú³É.Exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Éú³É.Exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ksafetray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1032
- - C:\Program Files\Common Files\svchest1164.exe
    "C:\Program Files\Common Files\svchest1164.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Ksafetray.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\svchest1164.exe

Filesize
31.1MB

MD5
07e48e62fb5b2d4027c04c3f2f5e58e8

SHA1
a1f2bf3f4a4b1a652944fcb419e0de699e4805c4

SHA256
3c12d40e564dc8cd4cc7e3e91dd7670adf0a0ee8d177460f71a5424c5821b6e5

SHA512
6b1adbb867425972e8f63c18bf7009c751c36cabe56e46e2dae067bc1808457df313f260ecac28ef83e147b9d19ebe1074cd58fdc6bba895261eefa8d7d2497c

Download Submit
C:\Program Files\Common Files\svchest1164.exe

Filesize
31.1MB

MD5
07e48e62fb5b2d4027c04c3f2f5e58e8

SHA1
a1f2bf3f4a4b1a652944fcb419e0de699e4805c4

SHA256
3c12d40e564dc8cd4cc7e3e91dd7670adf0a0ee8d177460f71a5424c5821b6e5

SHA512
6b1adbb867425972e8f63c18bf7009c751c36cabe56e46e2dae067bc1808457df313f260ecac28ef83e147b9d19ebe1074cd58fdc6bba895261eefa8d7d2497c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Éú³É.Exe

Filesize
141KB

MD5
cd9e6dfdd449b62763b4ee7a348b6ee1

SHA1
95af07b574ba2010131b7afe4d99f607aa72fe1a

SHA256
8e1aa0623db3a22de55403c168b9c57e96ffe88b63131f77c59ef702fc1ae58e

SHA512
3effcb86c4044859110148b7329a648e81b1cbfc8aa20c52df4ded91ec22e7c11d8861ce84f6bb71df761a4cd7ba259836dd08d67aaada4a1c801abe88ee2687

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Éú³É.Exe

Filesize
141KB

MD5
cd9e6dfdd449b62763b4ee7a348b6ee1

SHA1
95af07b574ba2010131b7afe4d99f607aa72fe1a

SHA256
8e1aa0623db3a22de55403c168b9c57e96ffe88b63131f77c59ef702fc1ae58e

SHA512
3effcb86c4044859110148b7329a648e81b1cbfc8aa20c52df4ded91ec22e7c11d8861ce84f6bb71df761a4cd7ba259836dd08d67aaada4a1c801abe88ee2687

Download Submit