5ac3619566ff131100970cb38317af15c0c67ee29582e2ad634c2f4b1a6e8103

Analysis

max time kernel
37s
max time network
96s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/06/2023, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221.exe
Size

2.7MB
MD5

59bdfeadc9becdab96fe6110bd33ef9c
SHA1

33a4738eae2b0bae7f374398753a67d8e9f6ff52
SHA256

d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221
SHA512

484314e4dbaaf42cf5977a01243679dd24febd0f6edd3f3d0a2849981cd17cf9424ce36fba4848db0bb8dff40d0e780756c74fa3882efcc88d6db3461f6c2c4f
SSDEEP

12288:xoIuuRsY3/TwC7yA3bgH19Ay74Rcd6ijNqnW8feIX5GgvkUH7WEuQxXXTpr5qTYx:xDWHagHQk4agijNq6Eu8pn9yC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
580	HVPIO.exe

Loads dropped DLL 1 IoCs

pid	Process
812	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1652	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
108	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
620	powershell.exe
1528	powershell.exe
680	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	580	HVPIO.exe
Token: SeDebugPrivilege	680	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1528	1520	d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221.exe	28
PID 1520 wrote to memory of 1528	1520	d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221.exe	28
PID 1520 wrote to memory of 1528	1520	d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221.exe	28
PID 1520 wrote to memory of 620	1520	d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221.exe	29
PID 1520 wrote to memory of 620	1520	d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221.exe	29
PID 1520 wrote to memory of 620	1520	d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221.exe	29
PID 1520 wrote to memory of 812	1520	d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221.exe	32
PID 1520 wrote to memory of 812	1520	d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221.exe	32
PID 1520 wrote to memory of 812	1520	d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221.exe	32
PID 812 wrote to memory of 108	812	cmd.exe	34
PID 812 wrote to memory of 108	812	cmd.exe	34
PID 812 wrote to memory of 108	812	cmd.exe	34
PID 812 wrote to memory of 580	812	cmd.exe	35
PID 812 wrote to memory of 580	812	cmd.exe	35
PID 812 wrote to memory of 580	812	cmd.exe	35
PID 580 wrote to memory of 680	580	HVPIO.exe	36
PID 580 wrote to memory of 680	580	HVPIO.exe	36
PID 580 wrote to memory of 680	580	HVPIO.exe	36
PID 580 wrote to memory of 1864	580	HVPIO.exe	37
PID 580 wrote to memory of 1864	580	HVPIO.exe	37
PID 580 wrote to memory of 1864	580	HVPIO.exe	37
PID 580 wrote to memory of 1136	580	HVPIO.exe	40
PID 580 wrote to memory of 1136	580	HVPIO.exe	40
PID 580 wrote to memory of 1136	580	HVPIO.exe	40

C:\Users\Admin\AppData\Local\Temp\d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221.exe
"C:\Users\Admin\AppData\Local\Temp\d224dfde2a5b1d9d11cf216aadcc86cf33364aa44d8b76d8528d14183900e221.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp79C3.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:108
- - C:\ProgramData\Timeupper\HVPIO.exe
    "C:\ProgramData\Timeupper\HVPIO.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      PID:1864
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HVPIO" /tr "C:\ProgramData\Timeupper\HVPIO.exe"
      4⤵
      PID:1136
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HVPIO" /tr "C:\ProgramData\Timeupper\HVPIO.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Timeupper\HVPIO.exe

Filesize
591.4MB

MD5
632e486b71daa4940fbcb7d99ccd251c

SHA1
a124a51fb6a6146949c6cedd82672d405de43aee

SHA256
db1098b60cf5369346870a01ed55d833b543710f2c47d0302a08896abb88ae1d

SHA512
e5268297cc92fff0ee4383fa61a779d232df0aab8ea0d2da6671655555d085caca8ff3805e0bebd5d8bbef9499561e99dbc0074b860c2698838eb8372fdb0806

Download Submit
C:\ProgramData\Timeupper\HVPIO.exe

Filesize
627.1MB

MD5
1fcc06e749b7e70b61abf309eb88eb65

SHA1
8ffdf62f6352135f9e93faa2448be25d023f40c4

SHA256
ffc7b3b3b4ce66ce6288f6cd886c339d910f723c91d37cf7b87bfd423c0287e0

SHA512
511937662bf2187801cbf703b486b1d3dce5c4ff42c2f03b66b2372a6cb443ad07898a7289ed31c9e18f38328e7cb0ed2ba1699c664b1cf32594102fa6627eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79C3.tmp.bat

Filesize
143B

MD5
00095f19a268275299905bc3ad57643a

SHA1
e52e386f5916d7e50c4dea22ad9a4fecea4e811e

SHA256
8f5d53c2db59da4fcb82021eeaf1ff414018706b585a2efce054ad77914862e8

SHA512
e2a52e7d44bdf3c91698a42811ae7b35ddb4dbae971536e54d035ba5d3c07c7661941d0b59bc3771dc63d24f4bdda33e8c811d70a548025deeca0e29941eb6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79C3.tmp.bat

Filesize
143B

MD5
00095f19a268275299905bc3ad57643a

SHA1
e52e386f5916d7e50c4dea22ad9a4fecea4e811e

SHA256
8f5d53c2db59da4fcb82021eeaf1ff414018706b585a2efce054ad77914862e8

SHA512
e2a52e7d44bdf3c91698a42811ae7b35ddb4dbae971536e54d035ba5d3c07c7661941d0b59bc3771dc63d24f4bdda33e8c811d70a548025deeca0e29941eb6e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3a3029fc843bb1ff19d94e2807a02721

SHA1
9aff23952916c45d38c58096bcc467c9305b04be

SHA256
c10091919ec67375824d0c1919fe7846a0e83649ecdb99ba45a98fece65a148d

SHA512
60f3837ca5371ce3f190ab57ac5bd20411ca9aea77a317b4d4eb3de58abffc215da62ea3bb08b77ab3a1fb9d887ca681a129187b4e2c16d60601b032b384b873

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3a3029fc843bb1ff19d94e2807a02721

SHA1
9aff23952916c45d38c58096bcc467c9305b04be

SHA256
c10091919ec67375824d0c1919fe7846a0e83649ecdb99ba45a98fece65a148d

SHA512
60f3837ca5371ce3f190ab57ac5bd20411ca9aea77a317b4d4eb3de58abffc215da62ea3bb08b77ab3a1fb9d887ca681a129187b4e2c16d60601b032b384b873

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3a3029fc843bb1ff19d94e2807a02721

SHA1
9aff23952916c45d38c58096bcc467c9305b04be

SHA256
c10091919ec67375824d0c1919fe7846a0e83649ecdb99ba45a98fece65a148d

SHA512
60f3837ca5371ce3f190ab57ac5bd20411ca9aea77a317b4d4eb3de58abffc215da62ea3bb08b77ab3a1fb9d887ca681a129187b4e2c16d60601b032b384b873

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H5TQV05RDWWWS5AJ7SVW.temp

Filesize
7KB

MD5
3a3029fc843bb1ff19d94e2807a02721

SHA1
9aff23952916c45d38c58096bcc467c9305b04be

SHA256
c10091919ec67375824d0c1919fe7846a0e83649ecdb99ba45a98fece65a148d

SHA512
60f3837ca5371ce3f190ab57ac5bd20411ca9aea77a317b4d4eb3de58abffc215da62ea3bb08b77ab3a1fb9d887ca681a129187b4e2c16d60601b032b384b873

Download Submit
\ProgramData\Timeupper\HVPIO.exe

Filesize
487.4MB

MD5
ffec623a03cf94174a55dadb99c0a478

SHA1
d433467df21d4f4c9ffdba61cbe85ce5ee33b8f3

SHA256
2c6101bb7b7c8c152e57b1d6b65a79c878eab5389be821a04c3b77cf01971a82

SHA512
8a66b37545dd38daec189ae0535ab052834e420a76055bbc3d6d8ab44c22f0e27d46ab2a3701ebd34f9b5e0c2b8fe2693d87c063f11fbd7d3771ebdcaab7e798

Download Submit
memory/580-91-0x000000001B230000-0x000000001B2B0000-memory.dmp

Filesize
512KB

Download
memory/580-110-0x000000001B230000-0x000000001B2B0000-memory.dmp

Filesize
512KB

Download
memory/580-90-0x0000000000020000-0x00000000002D6000-memory.dmp

Filesize
2.7MB

Download
memory/620-70-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/620-71-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/620-67-0x0000000002050000-0x0000000002058000-memory.dmp

Filesize
32KB

Download
memory/620-74-0x000000000263B000-0x0000000002672000-memory.dmp

Filesize
220KB

Download
memory/680-97-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/680-98-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/680-105-0x000000000227B000-0x00000000022B2000-memory.dmp

Filesize
220KB

Download
memory/680-104-0x0000000002274000-0x0000000002277000-memory.dmp

Filesize
12KB

Download
memory/1520-66-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/1520-54-0x0000000000AF0000-0x0000000000DA6000-memory.dmp

Filesize
2.7MB

Download
memory/1520-75-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/1528-72-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/1528-69-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/1528-65-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/1528-73-0x000000000294B000-0x0000000002982000-memory.dmp

Filesize
220KB

Download
memory/1528-68-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/1864-109-0x00000000026B4000-0x00000000026B7000-memory.dmp

Filesize
12KB

Download
memory/1864-108-0x00000000026BB000-0x00000000026F2000-memory.dmp

Filesize
220KB

Download