df2604898f1cf4e99ef89473d177bc42464a6196fadfb94a3d173dc0006580e0

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2023, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FitsPO.exe
Size

940KB
MD5

8c88b77fa4686a526236337b2555d3a0
SHA1

f9f7c665a7a7d1a80198f3abd76c7dcfcd4e6eea
SHA256

df2604898f1cf4e99ef89473d177bc42464a6196fadfb94a3d173dc0006580e0
SHA512

a8553c04c643560868d7ddcf95ce02f0557e5c6e70e73779b9dc140faa7b3e61d0f60c127303c4416abafbf0b9071bce79ef393b147f23c2ef2c4b67770786bf
SSDEEP

12288:TT5L89fGQTMWdVNLBrhEP58IBeetWMkgHpFXPZe7zx652CN/puQi/c4Ag2vw6VsW:TTOeQTMWd5rhUP/i/c4AHvwTI7aUES

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{76246548-D999-495C-B56C-40334240EA7C}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2088	216	WerFault.exe	82

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4568	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FitsPO.exe
"C:\Users\Admin\AppData\Local\Temp\FitsPO.exe"
1⤵
PID:216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1352
  2⤵
  - Program crash
  PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 216 -ip 216
1⤵
PID:4060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:4680

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:5024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsuAE70.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
14769ca7aac32fb3478201d4acb8d795

SHA1
d7ea53e1a91447073e0c3c634b09a1ec9f04eec9

SHA256
2fe36b11b9c5d37dfecbbd880b9081f84089c4343c193ca1389d94dab7c21e30

SHA512
1e0b36ebd2afa6a363d12c0756d392a3e6a2d9d9a465d0718f92089490501dd02e9586db5e1f1ee48083fb0a7a37ca8b6fd59f4ee7f33ea22843440253dd83b2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
5cbd46dfb628d1cbc58988634e586e07

SHA1
2a8da4d277feacc86b180b49cd9a9c6901918a4b

SHA256
b2c3752f8157fe6a7d3efe4eea88fcf1455cf1e941969d541031ee195ba5b06a

SHA512
c45ee7ed3f2b98850dd602ddda8682248178369a0ccdd482e275c8114e3af22efe36b3a1c3e7ed479e7e567be418ed4b745bde749f029ebb5293c97a2b685f80

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
572171fbdd1388b050a14096ecf60e56

SHA1
19ace41f46ba06d0a2c4852f1f91523bb09a07f5

SHA256
a03b173ba472a31c1c378a925f0df56fdae9e2ca77ce52b6aa6a0e2c0fb712be

SHA512
e62b2e8d5a0e6f4162db196800deb437576a5a424354faef6b51afbf02eeb97a0a7e9d0bdcb659bb3da190487f742996a8a7a0f8df4de05fcfbbf6c5844ae9cb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
1e113e960d463f5e655b5dd362ce6f3d

SHA1
bccaca5089883db555a791e3a15e223f9a72fe86

SHA256
63899a2092cc630d8f3a56ca301aea3ecd8c5a632538d5def52e85ca1a8b4316

SHA512
d27bf9d44cff3609f7b1acb5c711e05a87300e6c8f4c7e6ee72789868fdf1ee6361accb85982b04b53889fdc5d838798aed9d0aaf3fd038e3fd6499001397392

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
a16cbe74b972385bd920171284f97548

SHA1
9a3491a2dfb8482381d37bd3d301165888b7bfb4

SHA256
800869d9ac8ad30d1a98fba46d756abbcb9fc1437ccfc0ac96636b7449237b39

SHA512
e0da687746d1b03706d22064e8744ec0f127ef83eaea801c23b6f07394b516f3cad52df2700dd15211e988a915fc47858a39c1c8d97717596cfbe272fcfaf5f0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
dce681a379b27ed2f6bbcfd0dc870700

SHA1
e5921403fd803ef89965986075917011bb4c7d22

SHA256
76d8d990e734523b040fe5ada707c9452e2d21fee5bfb6d0e7adaefbaf1b2a00

SHA512
6c036b5fd9fd933b96785d62d921868ef8cdc988a9f8cffc2ceadb0653faf8f1acc29b550e86cf7bdc1ef791c741aef71bc5968afee614a8dc7ecfbb87f880b8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
1f86242d6f086a2af0cc429848165b0a

SHA1
6c15abc7cd6d7f9c4bbb3c6aa534bcf6c7cbf269

SHA256
ae7c85ed27f593ff6f6752480ab777a28810dad52a0a660569acc4774aee7565

SHA512
0c6c1145f70abf11573d7c3f76d677c0595c1ee3ff8cffb1045bd8450f4dd4df067d3fb90855afff2d1fcfb39ea922ad7204e079b00094905a85fd28a6ddf6a6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
68562a1c320578a2bb524c01a2273af0

SHA1
23d433c04fcac43c9e9cc6cb927bab22b91510c3

SHA256
f7d214774df9fdaf627501ac12ae4d38fdd379ed950ec6f4167c72b80f469309

SHA512
f9b9c06de5aaf7284af0173027e98cf6ec25e653755d8bd68cff55b73b40f84abe1be6b0ffb10ae526ed33cc7216e6e57f4b3b6760b1651bcc9e931fe9b0807e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f35f02d8cc04807129502b72364a564a

SHA1
e00bf39ca4c20fdf590fab6b3cf59191f9eb69af

SHA256
0783357a0fec1d1e6b0b30383d58d73e0aa1e47c15021a08a2f2da935598f075

SHA512
6067e050a56d4e46c57373a74f1fe06312bea270596c2ea90317eba0c0bd9d23836bbcae8b253aaa3590fcea3b975f94c95ba1f15bb503ad69de585070a00951

Download Submit
memory/216-139-0x0000000004B20000-0x0000000004B2A000-memory.dmp

Filesize
40KB

Download
memory/216-136-0x00000000051B0000-0x0000000005754000-memory.dmp

Filesize
5.6MB

Download
memory/216-141-0x0000000004FE0000-0x0000000004FFE000-memory.dmp

Filesize
120KB

Download
memory/216-140-0x0000000004E20000-0x0000000004E76000-memory.dmp

Filesize
344KB

Download
memory/216-133-0x0000000000030000-0x0000000000122000-memory.dmp

Filesize
968KB

Download
memory/216-138-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/216-137-0x0000000004C00000-0x0000000004C92000-memory.dmp

Filesize
584KB

Download
memory/216-143-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/216-134-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/216-135-0x0000000004B60000-0x0000000004BFC000-memory.dmp

Filesize
624KB

Download
memory/4568-493-0x0000029551930000-0x0000029551931000-memory.dmp

Filesize
4KB

Download
memory/4568-495-0x0000029551960000-0x0000029551961000-memory.dmp

Filesize
4KB

Download
memory/4568-496-0x0000029551960000-0x0000029551961000-memory.dmp

Filesize
4KB

Download
memory/4568-497-0x0000029551A70000-0x0000029551A71000-memory.dmp

Filesize
4KB

Download
memory/4568-477-0x0000029549640000-0x0000029549650000-memory.dmp

Filesize
64KB

Download
memory/4568-458-0x0000029549540000-0x0000029549550000-memory.dmp

Filesize
64KB

Download