65bd5068031a515b1ab783dffdfda01504d9b94eeb6aae4938bf7665ef472748

Analysis

max time kernel
84s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2023, 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.5MB
MD5

8e927abc6ac43a6637c02ecbbef15f93
SHA1

1924b436f12da17695e5367082c3ede9e3003dea
SHA256

65bd5068031a515b1ab783dffdfda01504d9b94eeb6aae4938bf7665ef472748
SHA512

dff478fc8fdba762fe85dd5b35943de5783db3df460bda5f1b239ff58469e36a4162344761d866b980920bc10cc28fce07c5d3ff8e3fcdca4f4be57bc5542f87
SSDEEP

49152:pwS3we1zgOPav416L6+0Ih+iwrO19hAeBnVmoEuGFiPYDg5jX5G:pwS3we1zlPav416LdlBVejFo75jXM

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{864CC587-9711-40E7-9AEA-B4CB78273238}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E9519C2C-CDBA-451F-8B47-B1F80AAC8143}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1372	860	file.exe	83
PID 860 wrote to memory of 1372	860	file.exe	83
PID 860 wrote to memory of 1372	860	file.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3056

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsuCF5B.tmp

Filesize
36KB

MD5
761388ca8095173f6963b1d23ad8a68b

SHA1
41e2693d0efc36cb0b97ea215d554932c46464ab

SHA256
369a2323cb569b44970884d5af3d70e38c9cfb59a54d929fabb51ba46593aa06

SHA512
2db4576927b4325dc51ce1755d55b00f7153a10424ca79fb7f32f8c92a5dec899c3961b44a15a129f1e5234b53a89c8946192703b88b10e70e86670e5831ebdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsuD376.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
93b2bfd9603b45816370dce3a8f0c9dc

SHA1
5a4ecdeb547210b113ec5527bd91dad577bf5ee2

SHA256
2dfab32898c55fdc9a115db4b82caf3f6a67adffe11d8e4bb111679bdd2359c5

SHA512
06085a2b865b8020ded8b94adee29c1a668dc53fed6cb0805debd7cb5d45720e5da050f7a7ef88b8c85fc0ee2a3fa0467b58219ee4aac761e45e89178ccd85f4

Download Submit