Analysis

max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/07/2023, 06:38
Behavioral task behavioral1
Sample: 936-506-0x0000000000400000-0x0000000000477000-memory.exe
Resource: win7-20230712-en

Behavioral task behavioral2
Sample: 936-506-0x0000000000400000-0x0000000000477000-memory.exe
Resource: win10v2004-20230703-en
General

Target: 936-506-0x0000000000400000-0x0000000000477000-memory.exe
Size: 476KB
MD5: f4660cfd074a331031e9fb6718d733e3
SHA1: fdb9971f56a36e1945eb1df7cf76646347673568
SHA256: 856ef00b309506f974d75cd7a1354d2009e36c75fd30264c3507ba805ec7b173
SHA512: 0de8ac466fdeb1ceb6598bd0bd9dda9187538418595243e91d4726d0567dec35f665b6e04592cf853d979a41558a99cb3a0c0cc5968159ee9ceba1bd7eb8651c
SSDEEP: 12288:o4wcFv6y7kax04kbW/lE+mYBEXqUvAq521OjYKkJj6GmZU:ic5hkipmYBEXV4QYb6nZ
Malware Config

Signatures

- Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{35687760-C69C-459A-8C73-4D86BF2B0A3E}.catalogItem (process: svchost.exe)
  File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat (process: svchost.exe)
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat (process: svchost.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeManageVolumePrivilege (PID 3616, process: svchost.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 484, process: 936-506-0x0000000000400000-0x0000000000477000-memory.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\936-506-0x0000000000400000-0x0000000000477000-memory.exe"
  Signatures: Suspicious use of SetWindowsHookEx
  PID: 484
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  Signatures: Drops file in System32 directory
  PID: 3508
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  PID: 1764
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 3616
Network
MITRE ATT&CK Enterprise v15
Downloads

- (unnamed download)
  Filesize: 14KB
  MD5: c01eaa0bdcd7c30a42bbb35a9acbf574
  SHA1: 0aee3e1b873e41d040f1991819d0027b6cc68f54
  SHA256: 32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40
  SHA512: d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7
- C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
  Filesize: 29KB
  MD5: a37a38eddf59c6ce17db1cb073b5293f
  SHA1: 86c8d5ec01ab3eeba6dfd7fa020e22cfe114e5ba
  SHA256: 3390dc23230ff084077a447cb524827ee053e485ba35f5db470cecbf62e0f7df
  SHA512: c8afda83a48f21cf8ed249da4dad4365db6cf246afa80eec79ce0418289204cc9f768bbd734a1e2ac69003b412f633094bea2f268dbf4467c2af2c301440a816
- C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
  Filesize: 29KB
  MD5: 9b6102abd8c38f791f0517bad60306eb
  SHA1: dd3a5d06dc30f343b8da39e754cc9fc1235f5ec6
  SHA256: a99b3b7bde22c685295a450d8cc3b4f5f6a767af2f93c9782f9b4b9f9af29316
  SHA512: 18dce146d7e2a36bbbb2a6fc4c5ffb3e645ceeb2f4e58734e1b680c4f89a41b3203845e36f4da03d5112063b523be59ee98213b390f329165dd477aebdeed051
- C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
  Filesize: 29KB
  MD5: 77426eebc0801c4e5ba8051f23fd497f
  SHA1: c6097919a73afa4f2cd46d9fca1a5bb806315c9d
  SHA256: 3c73b74f0e73bcd5777186eaa9bb1b5f081f3d849202d5603fe398053f348fcc
  SHA512: 0ea92e2cc42c458265a7e94468eb5b6cd13f2f7d98ca69a0bbabd5c817ba604a4a4fbf11e61ec27a394f9a4fc08d0dcf2c21cf236797f60c7acb834f2852c283
- C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
  Filesize: 29KB
  MD5: 6e95823fdf5aa50e1e65b23f74a3bbed
  SHA1: f100fbc86c1cff86ac3283edf127e2b1f03f3920
  SHA256: ad34a1a08bc40a234728fef3b2e113a9f101e96f03f0b94934d5d4f511bb1172
  SHA512: afac560f387dd9dfb8a220f8b2038f1fab2bb75453fd63cb901b6bb7c91ddaa02655c92bff7bdaa43090e6eb3d44a38dc77e1339f9dfe752f2813d5c1cf08a20
- C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
  Filesize: 29KB
  MD5: f6a70cebf35fca256c80056c3b766c86
  SHA1: 43848e03e1b70efd07cb574c8bed3d453021e6c4
  SHA256: 84487dc415fbe3a5bfd7cbda31091c6358eef3ff24f401a2ca7083c5ffd55c7d
  SHA512: ec2432afc4cc445b2a86deb8b835c844adb950b85a30511150c30fde34e2ba393fe44c2fee2e7bb7fc37f733cbea10a52c12cbe341d1589a023bb50de414d7b3
- C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
  Filesize: 29KB
  MD5: 5c76878e092092d12763e75c7794a795
  SHA1: 80a6d01b96ecf6cf54b631df986c9824d42ce891
  SHA256: 9d07631f9cd34b1f41c12c27e0c67415e3447dc0dd266616280f2a272e140206
  SHA512: 218f7404f3980bc03aa1ae791b686fcb088f9f061665046bd07d2dc111977b4902a8e25e4c9cacad0f93a93606c032b728e3262613a727313f1e58cf1388cd67
- C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
  Filesize: 29KB
  MD5: 363d36de5e210cba712906de9a45f1bd
  SHA1: 94ad919309090a6108256f8b67af9d7f80e87f32
  SHA256: 5313f503a3f15ae393d57ee3b4d29cd642009afe9eb16f16e79982c86c5d9697
  SHA512: c1f4b9695cf76fdb07eebd54c58046f2221f50f416917934b3c24efd56328defaf549ee77671310604d0a83a0303e2fecd5b9b1f592d8a6c0ab4b25ea15bea6c
- C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
  Filesize: 29KB
  MD5: 4fe3a64fdd3f2c670031284b56cc14be
  SHA1: eeb30e34c3ba51eb5a41677a61e1cf82eb79fbc4
  SHA256: 5a02a3009b0b60327fd7494a37326ee894c0d31a3274041967232a4536ac2989
  SHA512: 81f032d81109b80f90664ca43b988c40d99bedf2856e54d4615043b025c24acb9d133e45399bed4c45ebfd720294c0f5eb64fb7c57c5cbae4fb5a5062b015377
- C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
  Filesize: 29KB
  MD5: df872d21b1c76b7c19f34e7284d67cd4
  SHA1: 954b373eaaa851b384536d49ab714766855d07c8
  SHA256: d20b91a4e62dedb37f55b7a1a31e5e54dc2a3baec0668194861dcc129bc8768a
  SHA512: 8f979c2383dc120d5c0e20842dd037fcb5ca5fea806ed682a30e70cbb42ca0613d34f5ef2d4bccef593215c384145e32be3e87466db75a5924a5807e645cbc57
- C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
  Filesize: 29KB
  MD5: 36269a8e7b9e17f6c9dd15b5974a4e23
  SHA1: 08c1eacc4454ab456816eb1fd86bd8bd9c4ca8a1
  SHA256: 94dc365928ff90b1d4156ffd6c3b1f1acbff425cab077e9d0a3904a7a225d732
  SHA512: f8b975e92d18e6316362fc5d69057c8b32eb148922f207e31d11cf9023b5aa8e5de8d14e98c740cc64a293164a333828ef1ab962c47153181c587b304b712a5a