642fb7de5f7e3d2b625c2b1fe905e9bb26445460d0ed3904eb0ca6d708edc7aa

Analysis

max time kernel
70s
max time network
183s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
08-06-2023 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

642fb7de5f7e3d2b625c2b1fe905e9bb26445460d0ed3904eb0ca6d708edc7aa.exe
Size

981KB
MD5

ba485dc2ff67d3439dcbc7bc2452b7b8
SHA1

4d87976a1e93bd57d50a4d39f4596912d2b16f5a
SHA256

642fb7de5f7e3d2b625c2b1fe905e9bb26445460d0ed3904eb0ca6d708edc7aa
SHA512

6d6a5a350314d354e5d2d9dc0ce09a06a0ee37a3a7d10a00d133f8f0b954c0535598056cb49492d0bc7d086421c2cf76a11413eb73760dcc8d4f68fd925cb466
SSDEEP

24576:0NA3R5drX/WqqAmP5+bUULNprjD+Xw5QFfQah3Z9QbNh:V5OqzmB+bprjv5OQah3ZqbNh

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4868	cglwharps.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegSvcs = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\""	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4868 set thread context of 3724	4868	cglwharps.exe	69

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1372	4868	WerFault.exe	66

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4348	schtasks.exe
4004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
772	powershell.exe
772	powershell.exe
772	powershell.exe
1900	powershell.exe
1900	powershell.exe
1900	powershell.exe
4684	powershell.exe
4684	powershell.exe
4684	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 4868	4136	642fb7de5f7e3d2b625c2b1fe905e9bb26445460d0ed3904eb0ca6d708edc7aa.exe	66
PID 4136 wrote to memory of 4868	4136	642fb7de5f7e3d2b625c2b1fe905e9bb26445460d0ed3904eb0ca6d708edc7aa.exe	66
PID 4136 wrote to memory of 4868	4136	642fb7de5f7e3d2b625c2b1fe905e9bb26445460d0ed3904eb0ca6d708edc7aa.exe	66
PID 4868 wrote to memory of 3724	4868	cglwharps.exe	69
PID 4868 wrote to memory of 3724	4868	cglwharps.exe	69
PID 4868 wrote to memory of 3724	4868	cglwharps.exe	69
PID 4868 wrote to memory of 3724	4868	cglwharps.exe	69
PID 4868 wrote to memory of 3724	4868	cglwharps.exe	69
PID 3724 wrote to memory of 772	3724	RegSvcs.exe	72
PID 3724 wrote to memory of 772	3724	RegSvcs.exe	72
PID 3724 wrote to memory of 772	3724	RegSvcs.exe	72
PID 772 wrote to memory of 1900	772	powershell.exe	74
PID 772 wrote to memory of 1900	772	powershell.exe	74
PID 772 wrote to memory of 1900	772	powershell.exe	74
PID 3724 wrote to memory of 4348	3724	RegSvcs.exe	76
PID 3724 wrote to memory of 4348	3724	RegSvcs.exe	76
PID 3724 wrote to memory of 4348	3724	RegSvcs.exe	76
PID 3724 wrote to memory of 4684	3724	RegSvcs.exe	77
PID 3724 wrote to memory of 4684	3724	RegSvcs.exe	77
PID 3724 wrote to memory of 4684	3724	RegSvcs.exe	77
PID 3724 wrote to memory of 4004	3724	RegSvcs.exe	80
PID 3724 wrote to memory of 4004	3724	RegSvcs.exe	80
PID 3724 wrote to memory of 4004	3724	RegSvcs.exe	80

C:\Users\Admin\AppData\Local\Temp\642fb7de5f7e3d2b625c2b1fe905e9bb26445460d0ed3904eb0ca6d708edc7aa.exe
"C:\Users\Admin\AppData\Local\Temp\642fb7de5f7e3d2b625c2b1fe905e9bb26445460d0ed3904eb0ca6d708edc7aa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\Temp\cglwharps.exe
  "C:\Windows\Temp\cglwharps.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "Start-Process <#eqivbydxqolh#> powershell <#eqivbydxqolh#> -Verb <#eqivbydxqolh#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:772
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc daily /st 11:44 /f /tn InternetExplorerTask_MTA1 /tr "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe"
      4⤵
      Creates scheduled task(s)
      PID:4348
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle hidden Add-MpPreference -ExclusionPath "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe" -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4684
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc daily /st 11:44 /f /tn "RegSvcs" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Creates scheduled task(s)
      PID:4004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 148
    3⤵
    - Program crash
    PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6bf0e5945fb9da68e1b03bdaed5f6f8d

SHA1
eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

SHA256
dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

SHA512
977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
394e9741f4478de614b5a851fe30b359

SHA1
a86e979f852c656a12dfb7273e91bbe3111bff17

SHA256
5974ec41904130d9e7574f35a5da677b0bcc31a4d4365436e83a5afd20873149

SHA512
2efa1a70012dae4ff5f8450d6223913ab91480c61794ddbdca01932079fd6a184f66924896bb01a4d70c35e042bb99604c684c5f149e1ef2aa9a1eaa16796073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
10eaae8938d08db162f4c6cb51f651dc

SHA1
df0866f7c6632e61de64fd372274df72837f4895

SHA256
9a58e0b600d5ed0356e5706084e7971438431b750c73a53cd3495b1e615c287d

SHA512
96c13cd1c4241d232ebd331cc95ed76d7ad530d09b79c306533c65e376714f85606402ebc707c55034281c00cb3bb6503c045775c78a326ab40be5df32637efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vn4lvsid.xqi.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\Temp\cglwharps.exe

Filesize
2.0MB

MD5
3a687bf782b0844d6efcc1ba1086feee

SHA1
47803f1f08371fbe4963e7457b73404970c6538f

SHA256
29ffb708d7829f0b72243e9cd896a55c826240e415df338630b205f9f7962fba

SHA512
37b4bcb29637efa3897db1d6409149b6044f2295a1f80e92d7c00d46c09b68424bc356db94377540d86ac36e219b2ac62c3ed8b621434e86a2772138a1bccb5a

Download Submit
C:\Windows\Temp\cglwharps.exe

Filesize
2.0MB

MD5
3a687bf782b0844d6efcc1ba1086feee

SHA1
47803f1f08371fbe4963e7457b73404970c6538f

SHA256
29ffb708d7829f0b72243e9cd896a55c826240e415df338630b205f9f7962fba

SHA512
37b4bcb29637efa3897db1d6409149b6044f2295a1f80e92d7c00d46c09b68424bc356db94377540d86ac36e219b2ac62c3ed8b621434e86a2772138a1bccb5a

Download Submit
memory/772-310-0x0000000007E50000-0x0000000007E9B000-memory.dmp

Filesize
300KB

Download
memory/772-309-0x0000000007790000-0x00000000077AC000-memory.dmp

Filesize
112KB

Download
memory/772-302-0x0000000006D70000-0x0000000007398000-memory.dmp

Filesize
6.2MB

Download
memory/772-303-0x0000000006AE0000-0x0000000006B02000-memory.dmp

Filesize
136KB

Download
memory/772-304-0x00000000073A0000-0x0000000007406000-memory.dmp

Filesize
408KB

Download
memory/772-305-0x0000000006CF0000-0x0000000006D56000-memory.dmp

Filesize
408KB

Download
memory/772-306-0x0000000007420000-0x0000000007770000-memory.dmp

Filesize
3.3MB

Download
memory/772-307-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/772-308-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/772-301-0x0000000000C00000-0x0000000000C36000-memory.dmp

Filesize
216KB

Download
memory/772-311-0x0000000007B70000-0x0000000007BE6000-memory.dmp

Filesize
472KB

Download
memory/772-329-0x0000000009280000-0x000000000977E000-memory.dmp

Filesize
5.0MB

Download
memory/772-328-0x00000000089C0000-0x00000000089E2000-memory.dmp

Filesize
136KB

Download
memory/772-327-0x0000000008970000-0x000000000898A000-memory.dmp

Filesize
104KB

Download
memory/772-326-0x0000000008A10000-0x0000000008AA4000-memory.dmp

Filesize
592KB

Download
memory/1900-706-0x00000000075C0000-0x00000000075C8000-memory.dmp

Filesize
32KB

Download
memory/1900-688-0x00000000075D0000-0x00000000075EA000-memory.dmp

Filesize
104KB

Download
memory/1900-721-0x000000007F570000-0x000000007F580000-memory.dmp

Filesize
64KB

Download
memory/1900-654-0x0000000007410000-0x0000000007420000-memory.dmp

Filesize
64KB

Download
memory/1900-653-0x0000000007410000-0x0000000007420000-memory.dmp

Filesize
64KB

Download
memory/1900-351-0x0000000007410000-0x0000000007420000-memory.dmp

Filesize
64KB

Download
memory/1900-352-0x0000000007410000-0x0000000007420000-memory.dmp

Filesize
64KB

Download
memory/1900-361-0x0000000009BE0000-0x0000000009C13000-memory.dmp

Filesize
204KB

Download
memory/1900-362-0x000000007F570000-0x000000007F580000-memory.dmp

Filesize
64KB

Download
memory/1900-363-0x0000000009BC0000-0x0000000009BDE000-memory.dmp

Filesize
120KB

Download
memory/1900-368-0x0000000009D20000-0x0000000009DC5000-memory.dmp

Filesize
660KB

Download
memory/1900-378-0x0000000007410000-0x0000000007420000-memory.dmp

Filesize
64KB

Download
memory/3724-153-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-159-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-165-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-167-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-168-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-166-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-169-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-170-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-171-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-172-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-173-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-174-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-175-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-176-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-177-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-178-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-179-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-180-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-181-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-182-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-183-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-184-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-185-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-186-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-187-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-188-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-189-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-163-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-162-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-161-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-160-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-164-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-158-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-157-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-156-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-154-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-155-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-152-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-151-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-150-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-149-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-148-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-146-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-147-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-145-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-143-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-144-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-142-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-141-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-140-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-139-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-138-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-126-0x0000000000500000-0x0000000000627000-memory.dmp

Filesize
1.2MB

Download
memory/3724-133-0x0000000000500000-0x0000000000627000-memory.dmp

Filesize
1.2MB

Download
memory/3724-134-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-135-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-137-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/3724-136-0x000000007E5A0000-0x000000007E5B0000-memory.dmp

Filesize
64KB

Download
memory/4684-520-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

Filesize
64KB

Download
memory/4684-517-0x000000007EAC0000-0x000000007EAD0000-memory.dmp

Filesize
64KB

Download
memory/4684-456-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

Filesize
64KB

Download
memory/4684-455-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

Filesize
64KB

Download