fed161ae617fd483308f66110a4b43594e39602c7ba11dbb7fb6e79fd6f4fbbf

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-06-2023 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

42KB
MD5

fea015b6e2f3c5dfed94fbd3935fb365
SHA1

0ab3ccbef0de345f6fc3edb3e0320f77ddfa4255
SHA256

fed161ae617fd483308f66110a4b43594e39602c7ba11dbb7fb6e79fd6f4fbbf
SHA512

f237b3fcf5292271fd0801db18a5d94215d405265999d68e7f071d243b02876f49e8b94150e70ef5a17e5fe14d9c3d9faee8f28efd58bcd918e1e8d9e6dbdcf1
SSDEEP

768:JOIW7du3neRXZHxjim11Nvw4/bTTay0CE5qb4rafFf9:JOdu3nIPR11R/bTTarefFf9

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	file.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 912 set thread context of 1332	912	file.exe	44

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1008	1332	WerFault.exe	44

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
912	file.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	file.exe
Token: SeDebugPrivilege	912	file.exe
Token: SeLoadDriverPrivilege	912	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 660	912	file.exe	28
PID 912 wrote to memory of 660	912	file.exe	28
PID 912 wrote to memory of 660	912	file.exe	28
PID 912 wrote to memory of 1428	912	file.exe	29
PID 912 wrote to memory of 1428	912	file.exe	29
PID 912 wrote to memory of 1428	912	file.exe	29
PID 912 wrote to memory of 1424	912	file.exe	30
PID 912 wrote to memory of 1424	912	file.exe	30
PID 912 wrote to memory of 1424	912	file.exe	30
PID 912 wrote to memory of 1160	912	file.exe	31
PID 912 wrote to memory of 1160	912	file.exe	31
PID 912 wrote to memory of 1160	912	file.exe	31
PID 912 wrote to memory of 520	912	file.exe	32
PID 912 wrote to memory of 520	912	file.exe	32
PID 912 wrote to memory of 520	912	file.exe	32
PID 912 wrote to memory of 872	912	file.exe	33
PID 912 wrote to memory of 872	912	file.exe	33
PID 912 wrote to memory of 872	912	file.exe	33
PID 912 wrote to memory of 1088	912	file.exe	34
PID 912 wrote to memory of 1088	912	file.exe	34
PID 912 wrote to memory of 1088	912	file.exe	34
PID 912 wrote to memory of 1472	912	file.exe	35
PID 912 wrote to memory of 1472	912	file.exe	35
PID 912 wrote to memory of 1472	912	file.exe	35
PID 912 wrote to memory of 1776	912	file.exe	36
PID 912 wrote to memory of 1776	912	file.exe	36
PID 912 wrote to memory of 1776	912	file.exe	36
PID 912 wrote to memory of 868	912	file.exe	37
PID 912 wrote to memory of 868	912	file.exe	37
PID 912 wrote to memory of 868	912	file.exe	37
PID 912 wrote to memory of 864	912	file.exe	38
PID 912 wrote to memory of 864	912	file.exe	38
PID 912 wrote to memory of 864	912	file.exe	38
PID 912 wrote to memory of 976	912	file.exe	42
PID 912 wrote to memory of 976	912	file.exe	42
PID 912 wrote to memory of 976	912	file.exe	42
PID 912 wrote to memory of 1592	912	file.exe	39
PID 912 wrote to memory of 1592	912	file.exe	39
PID 912 wrote to memory of 1592	912	file.exe	39
PID 912 wrote to memory of 1104	912	file.exe	40
PID 912 wrote to memory of 1104	912	file.exe	40
PID 912 wrote to memory of 1104	912	file.exe	40
PID 912 wrote to memory of 1056	912	file.exe	41
PID 912 wrote to memory of 1056	912	file.exe	41
PID 912 wrote to memory of 1056	912	file.exe	41
PID 912 wrote to memory of 1512	912	file.exe	43
PID 912 wrote to memory of 1512	912	file.exe	43
PID 912 wrote to memory of 1512	912	file.exe	43
PID 912 wrote to memory of 1332	912	file.exe	44
PID 912 wrote to memory of 1332	912	file.exe	44
PID 912 wrote to memory of 1332	912	file.exe	44
PID 912 wrote to memory of 1332	912	file.exe	44
PID 912 wrote to memory of 1332	912	file.exe	44
PID 912 wrote to memory of 1332	912	file.exe	44
PID 912 wrote to memory of 1332	912	file.exe	44
PID 912 wrote to memory of 1332	912	file.exe	44
PID 912 wrote to memory of 1332	912	file.exe	44
PID 912 wrote to memory of 1332	912	file.exe	44
PID 912 wrote to memory of 1332	912	file.exe	44
PID 912 wrote to memory of 1332	912	file.exe	44
PID 912 wrote to memory of 1332	912	file.exe	44
PID 912 wrote to memory of 1332	912	file.exe	44
PID 1332 wrote to memory of 1008	1332	Setup.exe	45
PID 1332 wrote to memory of 1008	1332	Setup.exe	45

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:1428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  2⤵
  PID:1424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
  2⤵
  PID:1160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
  2⤵
  PID:520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
  2⤵
  PID:1088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
  2⤵
  PID:1472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  2⤵
  PID:868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  2⤵
  PID:864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:1104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:1056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  2⤵
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 304
    3⤵
    - Program crash
    PID:1008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/912-54-0x0000000000920000-0x000000000092E000-memory.dmp

Filesize
56KB

Download
memory/912-55-0x000000001AF60000-0x000000001AFE0000-memory.dmp

Filesize
512KB

Download
memory/912-56-0x000000001B120000-0x000000001B198000-memory.dmp

Filesize
480KB

Download
memory/1332-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download