be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504

Analysis

max time kernel
147s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03/06/2023, 10:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504.exe
Size

37KB
MD5

5a27aa4197d981f11fd3f92e012f3cc1
SHA1

10a94707b788f64cd683b0e6fb2511b2df6da18f
SHA256

be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504
SHA512

8282e539c09a413f57816b2b63fb661edbd68914b3b848e67dcba1fdb2517a92cb333a48594af52adb6761f1c5815119dc2fa9f9f72739a514823ccddc838f54
SSDEEP

768:rr0q7cCi87fYxVxNo1A1W6+VYspAvCjOCNewWJ:rAlU0VxCHVAvkZ3WJ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1532	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1200	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1532 set thread context of 1888	1532	svchost.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1760	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1244	timeout.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1712	be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe
1888	SetupUtility.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504.exe
Token: SeDebugPrivilege	1532	svchost.exe
Token: SeDebugPrivilege	1888	SetupUtility.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 672	1712	be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504.exe	27
PID 1712 wrote to memory of 672	1712	be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504.exe	27
PID 1712 wrote to memory of 672	1712	be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504.exe	27
PID 1712 wrote to memory of 1200	1712	be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504.exe	29
PID 1712 wrote to memory of 1200	1712	be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504.exe	29
PID 1712 wrote to memory of 1200	1712	be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504.exe	29
PID 672 wrote to memory of 1760	672	cmd.exe	31
PID 672 wrote to memory of 1760	672	cmd.exe	31
PID 672 wrote to memory of 1760	672	cmd.exe	31
PID 1200 wrote to memory of 1244	1200	cmd.exe	32
PID 1200 wrote to memory of 1244	1200	cmd.exe	32
PID 1200 wrote to memory of 1244	1200	cmd.exe	32
PID 1200 wrote to memory of 1532	1200	cmd.exe	33
PID 1200 wrote to memory of 1532	1200	cmd.exe	33
PID 1200 wrote to memory of 1532	1200	cmd.exe	33
PID 1532 wrote to memory of 1728	1532	svchost.exe	34
PID 1532 wrote to memory of 1728	1532	svchost.exe	34
PID 1532 wrote to memory of 1728	1532	svchost.exe	34
PID 1532 wrote to memory of 1304	1532	svchost.exe	35
PID 1532 wrote to memory of 1304	1532	svchost.exe	35
PID 1532 wrote to memory of 1304	1532	svchost.exe	35
PID 1532 wrote to memory of 1888	1532	svchost.exe	36
PID 1532 wrote to memory of 1888	1532	svchost.exe	36
PID 1532 wrote to memory of 1888	1532	svchost.exe	36
PID 1532 wrote to memory of 1888	1532	svchost.exe	36
PID 1532 wrote to memory of 1888	1532	svchost.exe	36
PID 1532 wrote to memory of 1888	1532	svchost.exe	36
PID 1532 wrote to memory of 1888	1532	svchost.exe	36
PID 1532 wrote to memory of 1888	1532	svchost.exe	36
PID 1532 wrote to memory of 1888	1532	svchost.exe	36
PID 1532 wrote to memory of 1888	1532	svchost.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504.exe
"C:\Users\Admin\AppData\Local\Temp\be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1760
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3988.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1244
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
      4⤵
      PID:1728
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
      4⤵
      PID:1304
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3988.tmp.bat

Filesize
151B

MD5
a2e44aaa6e96498479d89a516f5f82d6

SHA1
0073bfc369f22699dd9e86e0214d2f9755c3c73b

SHA256
d5ddbaab81a7a8443abb968b1755ff91b9cddef1e1fab846aaf81f76967db376

SHA512
7b2938f3daf9530ec4ac4242b73289f38262cbad0ac8d98308a9dbd69a59b16bab8a6fe74f3915fbe07245db35a801747924774da67e5ae31e82a8eab049e0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3988.tmp.bat

Filesize
151B

MD5
a2e44aaa6e96498479d89a516f5f82d6

SHA1
0073bfc369f22699dd9e86e0214d2f9755c3c73b

SHA256
d5ddbaab81a7a8443abb968b1755ff91b9cddef1e1fab846aaf81f76967db376

SHA512
7b2938f3daf9530ec4ac4242b73289f38262cbad0ac8d98308a9dbd69a59b16bab8a6fe74f3915fbe07245db35a801747924774da67e5ae31e82a8eab049e0a5

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
37KB

MD5
5a27aa4197d981f11fd3f92e012f3cc1

SHA1
10a94707b788f64cd683b0e6fb2511b2df6da18f

SHA256
be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504

SHA512
8282e539c09a413f57816b2b63fb661edbd68914b3b848e67dcba1fdb2517a92cb333a48594af52adb6761f1c5815119dc2fa9f9f72739a514823ccddc838f54

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
37KB

MD5
5a27aa4197d981f11fd3f92e012f3cc1

SHA1
10a94707b788f64cd683b0e6fb2511b2df6da18f

SHA256
be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504

SHA512
8282e539c09a413f57816b2b63fb661edbd68914b3b848e67dcba1fdb2517a92cb333a48594af52adb6761f1c5815119dc2fa9f9f72739a514823ccddc838f54

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
37KB

MD5
5a27aa4197d981f11fd3f92e012f3cc1

SHA1
10a94707b788f64cd683b0e6fb2511b2df6da18f

SHA256
be2b36a1fd8d91f9c86043b1afa8a87acbc935d6087d0ed2e565ddcf4f7c9504

SHA512
8282e539c09a413f57816b2b63fb661edbd68914b3b848e67dcba1fdb2517a92cb333a48594af52adb6761f1c5815119dc2fa9f9f72739a514823ccddc838f54

Download Submit
memory/1532-70-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/1532-71-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/1712-56-0x0000000002090000-0x0000000002104000-memory.dmp

Filesize
464KB

Download
memory/1712-54-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/1712-55-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1888-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-74-0x0000000002280000-0x0000000002583000-memory.dmp

Filesize
3.0MB

Download
memory/1888-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download