8dc089fd8fa7592e92ae50e19b2be9778db70fa4ca84af6f8dda27af4851faf5

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04-07-2023 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24fb841fd911564455e110be0.exe
Size

592KB
MD5

24fb841fd911564455e110be09838898
SHA1

26cd8755406627964ffcabc8a2addb8d1b8e2e48
SHA256

8dc089fd8fa7592e92ae50e19b2be9778db70fa4ca84af6f8dda27af4851faf5
SHA512

40e5a47a69ff3c673dc702ea4fc1bc7f57c78631846f03e474920fe648d8f742419f4cb150d2036cdaa1a9ce8d0308be05d463a73fd1e39d8d7924e6015d7367
SSDEEP

12288:Ig7K2UlLr6wvetUDTIdz0Azy1M9o+71ipwf92umFzUkuI:lZUlL2wveWvUYwb9o+ZiptucUw

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2960	Key.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2960 set thread context of 1708	2960	Key.exe	35

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2672	powershell.exe
2960	Key.exe
2960	Key.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	24fb841fd911564455e110be0.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2960	Key.exe
Token: SeDebugPrivilege	1708	MSBuild.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2672	2204	taskeng.exe	31
PID 2204 wrote to memory of 2672	2204	taskeng.exe	31
PID 2204 wrote to memory of 2672	2204	taskeng.exe	31
PID 2348 wrote to memory of 2960	2348	taskeng.exe	34
PID 2348 wrote to memory of 2960	2348	taskeng.exe	34
PID 2348 wrote to memory of 2960	2348	taskeng.exe	34
PID 2348 wrote to memory of 2960	2348	taskeng.exe	34
PID 2960 wrote to memory of 1708	2960	Key.exe	35
PID 2960 wrote to memory of 1708	2960	Key.exe	35
PID 2960 wrote to memory of 1708	2960	Key.exe	35
PID 2960 wrote to memory of 1708	2960	Key.exe	35
PID 2960 wrote to memory of 1708	2960	Key.exe	35
PID 2960 wrote to memory of 1708	2960	Key.exe	35
PID 2960 wrote to memory of 1708	2960	Key.exe	35
PID 2960 wrote to memory of 1708	2960	Key.exe	35
PID 2960 wrote to memory of 1708	2960	Key.exe	35

C:\Users\Admin\AppData\Local\Temp\24fb841fd911564455e110be0.exe
"C:\Users\Admin\AppData\Local\Temp\24fb841fd911564455e110be0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\system32\taskeng.exe
taskeng.exe {4F8EE7B4-3A3C-4DB5-BACE-CFFDB321CFD0} S-1-5-21-1724861073-2584418204-2594431177-1000:RXPFQWTW\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

C:\Windows\system32\taskeng.exe
taskeng.exe {460D3C64-D1C0-4E74-A4E8-897D3EDD324C} S-1-5-21-1724861073-2584418204-2594431177-1000:RXPFQWTW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\XsdType\ccdhrter\Key.exe
  C:\Users\Admin\AppData\Local\XsdType\ccdhrter\Key.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
06074682e43d7a33355ebe98f9b71632

SHA1
7bcea809145e0204cbd46e5a7ee6b8dd9ed75597

SHA256
58c7839cc2241d26309a27b29a4c0d770344f97300ca4d5630047eb4af262b35

SHA512
8aeea8cf66eb44e2a23e79b7c4525a23d77e8215cbff43e2b929b1ec63fb5456fad4d6b3589784570e865089aeb2f5d0258b0fa07019c1a837e7a915ca8b348f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
577fda3fbec51f5a066e2a37c1baf0a9

SHA1
615f8dede24090d23e3f364fe43729032e88176a

SHA256
35f797b54307e0d95ce896ff2f178e36550fdda53309b02d93fdc14ea241a9c2

SHA512
67986aef98e06a5f63706181de560a3e2f1f055962a7882cc618d031be9df36c1ea89985a89cab54b20692f037e8f3016b7c7e584a6737f9d0000e9fcf24b47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4C8D.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar51AF.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\XsdType\ccdhrter\Key.exe

Filesize
592KB

MD5
24fb841fd911564455e110be09838898

SHA1
26cd8755406627964ffcabc8a2addb8d1b8e2e48

SHA256
8dc089fd8fa7592e92ae50e19b2be9778db70fa4ca84af6f8dda27af4851faf5

SHA512
40e5a47a69ff3c673dc702ea4fc1bc7f57c78631846f03e474920fe648d8f742419f4cb150d2036cdaa1a9ce8d0308be05d463a73fd1e39d8d7924e6015d7367

Download Submit
C:\Users\Admin\AppData\Local\XsdType\ccdhrter\Key.exe

Filesize
592KB

MD5
24fb841fd911564455e110be09838898

SHA1
26cd8755406627964ffcabc8a2addb8d1b8e2e48

SHA256
8dc089fd8fa7592e92ae50e19b2be9778db70fa4ca84af6f8dda27af4851faf5

SHA512
40e5a47a69ff3c673dc702ea4fc1bc7f57c78631846f03e474920fe648d8f742419f4cb150d2036cdaa1a9ce8d0308be05d463a73fd1e39d8d7924e6015d7367

Download Submit
memory/1240-102-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-110-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-66-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-65-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/1240-68-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-70-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-72-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-74-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-76-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-78-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-80-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-82-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-84-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-86-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-88-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-90-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-92-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-94-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-96-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-98-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-100-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-61-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-104-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-106-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-108-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-63-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-112-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-114-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-116-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-118-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-120-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-2215-0x0000000000D60000-0x0000000000DB6000-memory.dmp

Filesize
344KB

Download
memory/1240-2216-0x0000000000E10000-0x0000000000E5C000-memory.dmp

Filesize
304KB

Download
memory/1240-2217-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/1240-2218-0x00000000046D0000-0x0000000004724000-memory.dmp

Filesize
336KB

Download
memory/1240-54-0x0000000000E80000-0x0000000000F1A000-memory.dmp

Filesize
616KB

Download
memory/1240-55-0x00000000045F0000-0x00000000046D6000-memory.dmp

Filesize
920KB

Download
memory/1240-56-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-57-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1240-59-0x00000000045F0000-0x00000000046D0000-memory.dmp

Filesize
896KB

Download
memory/1708-6561-0x0000000004BE0000-0x0000000004C20000-memory.dmp

Filesize
256KB

Download
memory/1708-4406-0x0000000004BE0000-0x0000000004C20000-memory.dmp

Filesize
256KB

Download
memory/1708-4401-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2672-2226-0x0000000000FC0000-0x0000000001040000-memory.dmp

Filesize
512KB

Download
memory/2672-2227-0x0000000000FC0000-0x0000000001040000-memory.dmp

Filesize
512KB

Download
memory/2672-2225-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/2672-2224-0x0000000019BF0000-0x0000000019ED2000-memory.dmp

Filesize
2.9MB

Download
memory/2672-2228-0x0000000000FC0000-0x0000000001040000-memory.dmp

Filesize
512KB

Download
memory/2672-2229-0x0000000000FC0000-0x0000000001040000-memory.dmp

Filesize
512KB

Download
memory/2960-2232-0x0000000000EA0000-0x0000000000F3A000-memory.dmp

Filesize
616KB

Download