3cdcea5fb50eb5b7450980b52a83b9daa34520f9c412dfb4c176d660e4d7a57e

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10/01/2023, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16e521852fe5a4fce46911788277c70a216a72ec.exe
Size

71KB
MD5

b70f94056f9f1e4944a266f503de837b
SHA1

16e521852fe5a4fce46911788277c70a216a72ec
SHA256

3cdcea5fb50eb5b7450980b52a83b9daa34520f9c412dfb4c176d660e4d7a57e
SHA512

29aa0bbbeac5f3229f664efe9e7b9493dc55b63c290d6f63ee3eeb9d76ea6f1557c97152d6e05aa9596091885d9b49b7a3806a4ceac9a552871763ae0d8ea3ed
SSDEEP

1536:FNxU+W+73uSpoo3e/8+dcr2yS79apBQ6OW/EQ6RRR+N:NU+W+qNo3e9Sy/Raw6O/Q6RRRK

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	16e521852fe5a4fce46911788277c70a216a72ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\system32\\\\services.exe"	16e521852fe5a4fce46911788277c70a216a72ec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tnra30 = "C:\\Windows\\system32\\.exe"	16e521852fe5a4fce46911788277c70a216a72ec.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\†\netdhcp.exe	16e521852fe5a4fce46911788277c70a216a72ec.exe
File opened for modification	C:\Windows\SysWOW64\†\netdhcp.exe	16e521852fe5a4fce46911788277c70a216a72ec.exe
File created	C:\Windows\SysWOW64\†\scservice.exe	16e521852fe5a4fce46911788277c70a216a72ec.exe
File opened for modification	C:\Windows\SysWOW64\†\tnra30.exe	16e521852fe5a4fce46911788277c70a216a72ec.exe
File created	C:\Windows\SysWOW64\†\servicess.exe	16e521852fe5a4fce46911788277c70a216a72ec.exe
File opened for modification	C:\Windows\SysWOW64\†\servicess.exe	16e521852fe5a4fce46911788277c70a216a72ec.exe
File created	C:\Windows\SysWOW64\†\mirror.exe	16e521852fe5a4fce46911788277c70a216a72ec.exe
File opened for modification	C:\Windows\SysWOW64\†\mirror.exe	16e521852fe5a4fce46911788277c70a216a72ec.exe
File opened for modification	C:\Windows\SysWOW64\†	16e521852fe5a4fce46911788277c70a216a72ec.exe
File opened for modification	C:\Windows\SysWOW64\†\scservice.exe	16e521852fe5a4fce46911788277c70a216a72ec.exe
File created	C:\Windows\SysWOW64\†\tnra30.exe	16e521852fe5a4fce46911788277c70a216a72ec.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	16e521852fe5a4fce46911788277c70a216a72ec.exe

C:\Users\Admin\AppData\Local\Temp\16e521852fe5a4fce46911788277c70a216a72ec.exe
"C:\Users\Admin\AppData\Local\Temp\16e521852fe5a4fce46911788277c70a216a72ec.exe"
1⤵
- Sets file execution options in registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/552-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads