10cff7f6b89a464cb556818e96c4290d0be051cac8389ae7a00997deee7268e7

Analysis

max time kernel
151s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2023, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NA_NA_25791e26ac31c1exeexe_JC.exe
Size

5.8MB
MD5

25791e26ac31c11e6dfc0b57d34b7e2c
SHA1

ead6e42ab4a0580f523c24884c66bd0e5774609d
SHA256

10cff7f6b89a464cb556818e96c4290d0be051cac8389ae7a00997deee7268e7
SHA512

4554169d7b4bb6738bd826e47b8e80c3564587c69ee0d9d12763bf3ba9ad0f5d5ed22c9296ad6688886d065dee97799d8095c2dfe9a8fe1fb02c1a95de83871d
SSDEEP

98304:Qd6RAG3iQ8op+ezwWwNIyTQbMGLd51YkPu4cJMGBj4DhDZANxBYtsz:dHL8opj2TMM0LNPy8DpZ+C2z

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4312	svchost.exe
444	svchost.exe
2384	ADAU.USRJ
3876	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\svchost.exe\""	svchost.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.exe	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.bat	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3764	2384	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2384	ADAU.USRJ
2384	ADAU.USRJ

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	444	svchost.exe
Token: SeIncBasePriorityPrivilege	444	svchost.exe
Token: SeIncBasePriorityPrivilege	444	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1216	NA_NA_25791e26ac31c1exeexe_JC.exe
1216	NA_NA_25791e26ac31c1exeexe_JC.exe
2384	ADAU.USRJ
2384	ADAU.USRJ

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 4312	1216	NA_NA_25791e26ac31c1exeexe_JC.exe	86
PID 1216 wrote to memory of 4312	1216	NA_NA_25791e26ac31c1exeexe_JC.exe	86
PID 1216 wrote to memory of 4312	1216	NA_NA_25791e26ac31c1exeexe_JC.exe	86
PID 4312 wrote to memory of 444	4312	svchost.exe	87
PID 4312 wrote to memory of 444	4312	svchost.exe	87
PID 4312 wrote to memory of 444	4312	svchost.exe	87
PID 4312 wrote to memory of 4944	4312	svchost.exe	88
PID 4312 wrote to memory of 4944	4312	svchost.exe	88
PID 4312 wrote to memory of 4944	4312	svchost.exe	88
PID 1216 wrote to memory of 2384	1216	NA_NA_25791e26ac31c1exeexe_JC.exe	89
PID 1216 wrote to memory of 2384	1216	NA_NA_25791e26ac31c1exeexe_JC.exe	89
PID 1216 wrote to memory of 2384	1216	NA_NA_25791e26ac31c1exeexe_JC.exe	89
PID 2384 wrote to memory of 3876	2384	ADAU.USRJ	92
PID 2384 wrote to memory of 3876	2384	ADAU.USRJ	92
PID 2384 wrote to memory of 3876	2384	ADAU.USRJ	92

C:\Users\Admin\AppData\Local\Temp\NA_NA_25791e26ac31c1exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NA_NA_25791e26ac31c1exeexe_JC.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216
- C:\svchost.exe
  /svchost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.bat""
    3⤵
    PID:4944
- C:\Users\Admin\AppData\Local\Temp\ADAU.USRJ
  "C:\Users\Admin\AppData\Local\Temp\ADAU.USRJ"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\svchost.exe
    /svchost.exe
    3⤵
    - Executes dropped EXE
    PID:3876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 692
    3⤵
    - Program crash
    PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2384 -ip 2384
1⤵
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.bat

Filesize
78B

MD5
79d1f3542288968cdf3a15829cd3ec0d

SHA1
8b2685cd5ad3ba347a8aa02f3ec318d1a3aab1ae

SHA256
23b0df4ea63b05aa6196636b42451b5d80605ad1a7cf0b439fe072281218afe6

SHA512
eec253600b5365cfee5889bfc9eefd33103e0be95757e6fdb333a674c332a978cd79c06437cdc418c7df4c2f72ce917e08fe2a536989c3e50cb0f62a79d464bf

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.exe

Filesize
707KB

MD5
6be57b5f84b3ae053023dbf7d64ab7e1

SHA1
b02656c26acfdb2357fa54b918ed9019600f80de

SHA256
06cd62623d3a299d9e86d6c2154d1736356d373a322cdff3a54e940ecfee6030

SHA512
369f9b6e81caadbd3eecc8e3c9a676396a7432d6bc847e8710872ef296a36c34c4bdc3ad39e285b6f9bad51fd4dff2062816f69e192c93bbfd11580d2ec2226f

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\svchost.exe

Filesize
707KB

MD5
6be57b5f84b3ae053023dbf7d64ab7e1

SHA1
b02656c26acfdb2357fa54b918ed9019600f80de

SHA256
06cd62623d3a299d9e86d6c2154d1736356d373a322cdff3a54e940ecfee6030

SHA512
369f9b6e81caadbd3eecc8e3c9a676396a7432d6bc847e8710872ef296a36c34c4bdc3ad39e285b6f9bad51fd4dff2062816f69e192c93bbfd11580d2ec2226f

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\svchost.exe

Filesize
707KB

MD5
6be57b5f84b3ae053023dbf7d64ab7e1

SHA1
b02656c26acfdb2357fa54b918ed9019600f80de

SHA256
06cd62623d3a299d9e86d6c2154d1736356d373a322cdff3a54e940ecfee6030

SHA512
369f9b6e81caadbd3eecc8e3c9a676396a7432d6bc847e8710872ef296a36c34c4bdc3ad39e285b6f9bad51fd4dff2062816f69e192c93bbfd11580d2ec2226f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADAU.USRJ

Filesize
5.8MB

MD5
72e991def74df14f86a0070c6c94e092

SHA1
8b2f7f8e62220e07b8b6a5ad2ea259c7a6be3e0a

SHA256
c1f4e663845dc7433fa62351da112a3b61bdaaa4dfbbe1278cd163fb729f3aa7

SHA512
147ca4f7259957f95868b453e72f231195789d68859fde912878c0bebb11f7910acd3332b08bbc93c090b9b9b50f7ed4dabfe72e6c6944488e26a9eba8ffdd59

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADAU.USRJ

Filesize
5.8MB

MD5
72e991def74df14f86a0070c6c94e092

SHA1
8b2f7f8e62220e07b8b6a5ad2ea259c7a6be3e0a

SHA256
c1f4e663845dc7433fa62351da112a3b61bdaaa4dfbbe1278cd163fb729f3aa7

SHA512
147ca4f7259957f95868b453e72f231195789d68859fde912878c0bebb11f7910acd3332b08bbc93c090b9b9b50f7ed4dabfe72e6c6944488e26a9eba8ffdd59

Download Submit
C:\svchost.exe

Filesize
707KB

MD5
6be57b5f84b3ae053023dbf7d64ab7e1

SHA1
b02656c26acfdb2357fa54b918ed9019600f80de

SHA256
06cd62623d3a299d9e86d6c2154d1736356d373a322cdff3a54e940ecfee6030

SHA512
369f9b6e81caadbd3eecc8e3c9a676396a7432d6bc847e8710872ef296a36c34c4bdc3ad39e285b6f9bad51fd4dff2062816f69e192c93bbfd11580d2ec2226f

Download Submit
C:\svchost.exe

Filesize
707KB

MD5
6be57b5f84b3ae053023dbf7d64ab7e1

SHA1
b02656c26acfdb2357fa54b918ed9019600f80de

SHA256
06cd62623d3a299d9e86d6c2154d1736356d373a322cdff3a54e940ecfee6030

SHA512
369f9b6e81caadbd3eecc8e3c9a676396a7432d6bc847e8710872ef296a36c34c4bdc3ad39e285b6f9bad51fd4dff2062816f69e192c93bbfd11580d2ec2226f

Download Submit
C:\svchost.exe

Filesize
707KB

MD5
6be57b5f84b3ae053023dbf7d64ab7e1

SHA1
b02656c26acfdb2357fa54b918ed9019600f80de

SHA256
06cd62623d3a299d9e86d6c2154d1736356d373a322cdff3a54e940ecfee6030

SHA512
369f9b6e81caadbd3eecc8e3c9a676396a7432d6bc847e8710872ef296a36c34c4bdc3ad39e285b6f9bad51fd4dff2062816f69e192c93bbfd11580d2ec2226f

Download Submit
memory/444-155-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/444-144-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/444-156-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/444-162-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/444-168-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3876-153-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4312-147-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4312-138-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download