Analysis
- max time kernel: 149s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 30/06/2023, 12:37

Static task: static1
Behavioral task: behavioral1
  Sample: zxcvb.exe
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: zxcvb.exe
  Resource: win10v2004-20230621-en
General
- Target: zxcvb.exe
- Size: 2.0MB
- MD5: 69773ff9cddbe895d0c1a7c381e15d81
- SHA1: 15a2796b6b77bd1f03eb0a30cfeb7e3c2f0a0631
- SHA256: fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505
- SHA512: 550f9e02a7f1a1dc3734ba0d86940c2b298cee5890801aeba4f738bb306cdc717a6ecad34e2ebd2c3ac1b0151f2acae7131388f999a30ab9b914c3707a35544e
- SSDEEP: 49152:NZVlrVqLTyYBYTKiJHZ+guvLN09WIfw8eZrjwMmPK:7hIGKiJk7LN09WKOdMMmy
Malware Config
Signatures

Executes dropped EXE (6 IoCs)
pid   Process
2000  BLIrlccnw.exe
1672  BLIrlccnw.exe
1692  BLIrlccnw.exe
1264  BLIrlccnw.exe
2000  CanReuseTransform.exe
1548  CanReuseTransform.exe

Loads dropped DLL (4 IoCs)
pid   Process
1668  zxcvb.exe
2000  BLIrlccnw.exe
2000  BLIrlccnw.exe
2000  BLIrlccnw.exe

Drops file in System32 directory (1 IoC)
description                   ioc                                                                                                                          Process
File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe

Suspicious use of SetThreadContext (4 IoCs)
description                          pid   Process                procid_target
PID 2000 set thread context of 1264  2000  BLIrlccnw.exe          40
PID 2000 set thread context of 1548  2000  CanReuseTransform.exe  48
PID 1548 set thread context of 1988  1548  CanReuseTransform.exe  49
PID 1988 set thread context of 1744  1988  MSBuild.exe            50

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (15 IoCs)
pid   Process
1668  zxcvb.exe
1668  zxcvb.exe
1668  zxcvb.exe
1668  zxcvb.exe
1668  zxcvb.exe
1668  zxcvb.exe
1668  zxcvb.exe
1668  zxcvb.exe
1668  zxcvb.exe
1668  zxcvb.exe
2000  BLIrlccnw.exe
2000  BLIrlccnw.exe
1988  powershell.exe
1548  CanReuseTransform.exe
1548  CanReuseTransform.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1668  zxcvb.exe
Token: SeDebugPrivilege  2000  BLIrlccnw.exe
Token: SeDebugPrivilege  1264  BLIrlccnw.exe
Token: SeDebugPrivilege  1988  powershell.exe
Token: SeDebugPrivilege  2000  CanReuseTransform.exe
Token: SeDebugPrivilege  1548  CanReuseTransform.exe
Token: SeDebugPrivilege  1988  MSBuild.exe
Token: SeDebugPrivilege  1744  MSBuild.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description                          pid   Process        procid_target
PID 1668 wrote to memory of 2000     1668  zxcvb.exe      27
PID 1668 wrote to memory of 2000     1668  zxcvb.exe      27
PID 1668 wrote to memory of 2000     1668  zxcvb.exe      27
PID 1668 wrote to memory of 2000     1668  zxcvb.exe      27
PID 1668 wrote to memory of 840      1668  zxcvb.exe      28
PID 1668 wrote to memory of 840      1668  zxcvb.exe      28
PID 1668 wrote to memory of 840      1668  zxcvb.exe      28
PID 1668 wrote to memory of 840      1668  zxcvb.exe      28
PID 1668 wrote to memory of 1980     1668  zxcvb.exe      29
PID 1668 wrote to memory of 1980     1668  zxcvb.exe      29
PID 1668 wrote to memory of 1980     1668  zxcvb.exe      29
PID 1668 wrote to memory of 1980     1668  zxcvb.exe      29
PID 1668 wrote to memory of 112      1668  zxcvb.exe      30
PID 1668 wrote to memory of 112      1668  zxcvb.exe      30
PID 1668 wrote to memory of 112      1668  zxcvb.exe      30
PID 1668 wrote to memory of 112      1668  zxcvb.exe      30
PID 1668 wrote to memory of 1532     1668  zxcvb.exe      37
PID 1668 wrote to memory of 1532     1668  zxcvb.exe      37
PID 1668 wrote to memory of 1532     1668  zxcvb.exe      37
PID 1668 wrote to memory of 1532     1668  zxcvb.exe      37
PID 1668 wrote to memory of 1544     1668  zxcvb.exe      36
PID 1668 wrote to memory of 1544     1668  zxcvb.exe      36
PID 1668 wrote to memory of 1544     1668  zxcvb.exe      36
PID 1668 wrote to memory of 1544     1668  zxcvb.exe      36
PID 1668 wrote to memory of 836      1668  zxcvb.exe      35
PID 1668 wrote to memory of 836      1668  zxcvb.exe      35
PID 1668 wrote to memory of 836      1668  zxcvb.exe      35
PID 1668 wrote to memory of 836      1668  zxcvb.exe      35
PID 1668 wrote to memory of 1540     1668  zxcvb.exe      34
PID 1668 wrote to memory of 1540     1668  zxcvb.exe      34
PID 1668 wrote to memory of 1540     1668  zxcvb.exe      34
PID 1668 wrote to memory of 1540     1668  zxcvb.exe      34
PID 1668 wrote to memory of 916      1668  zxcvb.exe      33
PID 1668 wrote to memory of 916      1668  zxcvb.exe      33
PID 1668 wrote to memory of 916      1668  zxcvb.exe      33
PID 1668 wrote to memory of 916      1668  zxcvb.exe      33
PID 1668 wrote to memory of 1552     1668  zxcvb.exe      32
PID 1668 wrote to memory of 1552     1668  zxcvb.exe      32
PID 1668 wrote to memory of 1552     1668  zxcvb.exe      32
PID 1668 wrote to memory of 1552     1668  zxcvb.exe      32
PID 1668 wrote to memory of 564      1668  zxcvb.exe      31
PID 1668 wrote to memory of 564      1668  zxcvb.exe      31
PID 1668 wrote to memory of 564      1668  zxcvb.exe      31
PID 1668 wrote to memory of 564      1668  zxcvb.exe      31
PID 2000 wrote to memory of 1672     2000  BLIrlccnw.exe  38
PID 2000 wrote to memory of 1672     2000  BLIrlccnw.exe  38
PID 2000 wrote to memory of 1672     2000  BLIrlccnw.exe  38
PID 2000 wrote to memory of 1672     2000  BLIrlccnw.exe  38
PID 2000 wrote to memory of 1692     2000  BLIrlccnw.exe  39
PID 2000 wrote to memory of 1692     2000  BLIrlccnw.exe  39
PID 2000 wrote to memory of 1692     2000  BLIrlccnw.exe  39
PID 2000 wrote to memory of 1692     2000  BLIrlccnw.exe  39
PID 2000 wrote to memory of 1264     2000  BLIrlccnw.exe  40
PID 2000 wrote to memory of 1264     2000  BLIrlccnw.exe  40
PID 2000 wrote to memory of 1264     2000  BLIrlccnw.exe  40
PID 2000 wrote to memory of 1264     2000  BLIrlccnw.exe  40
PID 2000 wrote to memory of 1264     2000  BLIrlccnw.exe  40
PID 2000 wrote to memory of 1264     2000  BLIrlccnw.exe  40
PID 2000 wrote to memory of 1264     2000  BLIrlccnw.exe  40
PID 2000 wrote to memory of 1264     2000  BLIrlccnw.exe  40
PID 2000 wrote to memory of 1264     2000  BLIrlccnw.exe  40
PID 240 wrote to memory of 1988      240   taskeng.exe    44
PID 240 wrote to memory of 1988      240   taskeng.exe    44
PID 240 wrote to memory of 1988      240   taskeng.exe    44
Processes
(process tree; indentation shows parent/child depth, which the report marks as 1, 2, 3, 4, 5)

C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"
  PID: 1668
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe"
    PID: 2000
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
      PID: 1672
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
      PID: 1692
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
      PID: 1264
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    PID: 840

  C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    PID: 1980

  C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    PID: 112

  C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    PID: 564

  C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    PID: 1552

  C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    PID: 916

  C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    PID: 1540

  C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    PID: 836

  C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    PID: 1544

  C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
    PID: 1532

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {AE878AD3-3EAA-459F-895B-2BE58E5EBB4D} S-1-5-21-3518257231-2980324860-1431329550-1000:VWMLZJGN\Admin:S4U:
  PID: 240
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
    (the -enc argument is base64 over UTF-16LE and decodes to: Set-MpPreference -ExclusionPath C:\ ; that is, a Windows Defender exclusion for the whole system drive)
    PID: 1988
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {C7793013-48AD-4E24-9C83-C9304AF67865} S-1-5-21-3518257231-2980324860-1431329550-1000:VWMLZJGN\Admin:Interactive:[1]
  PID: 808

  C:\Users\Admin\AppData\Local\EventProvider\anpil\CanReuseTransform.exe
    Command line: C:\Users\Admin\AppData\Local\EventProvider\anpil\CanReuseTransform.exe
    PID: 2000
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\EventProvider\anpil\CanReuseTransform.exe
      Command line: C:\Users\Admin\AppData\Local\EventProvider\anpil\CanReuseTransform.exe
      PID: 1548
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        PID: 1988
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          PID: 1744
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.2MB
  MD5: fc6f64c6b52d80c505cc7d6f04d0952e
  SHA1: 1c472c2ceb83bfcd5adc6770e35594a5b0ec5390
  SHA256: c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
  SHA512: cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c