fb5e26fb2c6209e4ec7ff82659fbdb03e68fe1adf088166cea4dc479af5ba151

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27-07-2023 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

561KB
MD5

651230dae2c0dc316d24bcf5d999c001
SHA1

7e76383fa315e43e54e1f25ae4d72d550e208127
SHA256

fb5e26fb2c6209e4ec7ff82659fbdb03e68fe1adf088166cea4dc479af5ba151
SHA512

02c1f4bff17d72fccf04e3f21be9a5a387d43715780b985922032f3a656cc5ff233d40be9ff39449604cf47e41d33e273a4bd21b3042e1513b971339d1c11a62
SSDEEP

12288:41CCeUe/mB0Km1Tqy/y7R2upCFmg58ROh9YG2m7PHY:47eHmB0Km1Jy7RF8yRS9z2g/Y

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 2888	1688	tmp.exe	49

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2712	2888	WerFault.exe	49

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe
1688	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2960	1688	tmp.exe	28
PID 1688 wrote to memory of 2960	1688	tmp.exe	28
PID 1688 wrote to memory of 2960	1688	tmp.exe	28
PID 1688 wrote to memory of 2964	1688	tmp.exe	29
PID 1688 wrote to memory of 2964	1688	tmp.exe	29
PID 1688 wrote to memory of 2964	1688	tmp.exe	29
PID 1688 wrote to memory of 2964	1688	tmp.exe	29
PID 1688 wrote to memory of 2924	1688	tmp.exe	30
PID 1688 wrote to memory of 2924	1688	tmp.exe	30
PID 1688 wrote to memory of 2924	1688	tmp.exe	30
PID 1688 wrote to memory of 2876	1688	tmp.exe	31
PID 1688 wrote to memory of 2876	1688	tmp.exe	31
PID 1688 wrote to memory of 2876	1688	tmp.exe	31
PID 1688 wrote to memory of 3004	1688	tmp.exe	32
PID 1688 wrote to memory of 3004	1688	tmp.exe	32
PID 1688 wrote to memory of 3004	1688	tmp.exe	32
PID 1688 wrote to memory of 1300	1688	tmp.exe	33
PID 1688 wrote to memory of 1300	1688	tmp.exe	33
PID 1688 wrote to memory of 1300	1688	tmp.exe	33
PID 1688 wrote to memory of 1300	1688	tmp.exe	33
PID 1688 wrote to memory of 1300	1688	tmp.exe	33
PID 1688 wrote to memory of 1300	1688	tmp.exe	33
PID 1688 wrote to memory of 1300	1688	tmp.exe	33
PID 1688 wrote to memory of 2996	1688	tmp.exe	34
PID 1688 wrote to memory of 2996	1688	tmp.exe	34
PID 1688 wrote to memory of 2996	1688	tmp.exe	34
PID 1688 wrote to memory of 2968	1688	tmp.exe	35
PID 1688 wrote to memory of 2968	1688	tmp.exe	35
PID 1688 wrote to memory of 2968	1688	tmp.exe	35
PID 1688 wrote to memory of 2972	1688	tmp.exe	36
PID 1688 wrote to memory of 2972	1688	tmp.exe	36
PID 1688 wrote to memory of 2972	1688	tmp.exe	36
PID 1688 wrote to memory of 2724	1688	tmp.exe	37
PID 1688 wrote to memory of 2724	1688	tmp.exe	37
PID 1688 wrote to memory of 2724	1688	tmp.exe	37
PID 1688 wrote to memory of 2676	1688	tmp.exe	38
PID 1688 wrote to memory of 2676	1688	tmp.exe	38
PID 1688 wrote to memory of 2676	1688	tmp.exe	38
PID 1688 wrote to memory of 2304	1688	tmp.exe	39
PID 1688 wrote to memory of 2304	1688	tmp.exe	39
PID 1688 wrote to memory of 2304	1688	tmp.exe	39
PID 1688 wrote to memory of 2880	1688	tmp.exe	40
PID 1688 wrote to memory of 2880	1688	tmp.exe	40
PID 1688 wrote to memory of 2880	1688	tmp.exe	40
PID 1688 wrote to memory of 3008	1688	tmp.exe	41
PID 1688 wrote to memory of 3008	1688	tmp.exe	41
PID 1688 wrote to memory of 3008	1688	tmp.exe	41
PID 1688 wrote to memory of 2752	1688	tmp.exe	42
PID 1688 wrote to memory of 2752	1688	tmp.exe	42
PID 1688 wrote to memory of 2752	1688	tmp.exe	42
PID 1688 wrote to memory of 2284	1688	tmp.exe	43
PID 1688 wrote to memory of 2284	1688	tmp.exe	43
PID 1688 wrote to memory of 2284	1688	tmp.exe	43
PID 1688 wrote to memory of 2952	1688	tmp.exe	44
PID 1688 wrote to memory of 2952	1688	tmp.exe	44
PID 1688 wrote to memory of 2952	1688	tmp.exe	44
PID 1688 wrote to memory of 2952	1688	tmp.exe	44
PID 1688 wrote to memory of 2532	1688	tmp.exe	45
PID 1688 wrote to memory of 2532	1688	tmp.exe	45
PID 1688 wrote to memory of 2532	1688	tmp.exe	45
PID 1688 wrote to memory of 2856	1688	tmp.exe	46
PID 1688 wrote to memory of 2856	1688	tmp.exe	46
PID 1688 wrote to memory of 2856	1688	tmp.exe	46
PID 1688 wrote to memory of 1708	1688	tmp.exe	47

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:3004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
  2⤵
  PID:1300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:2996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
  2⤵
  PID:2968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  2⤵
  PID:2284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:2952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
  2⤵
  PID:2888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 168
    3⤵
    - Program crash
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1688-54-0x0000000000A70000-0x0000000000B00000-memory.dmp

Filesize
576KB

Download
memory/1688-55-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-56-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/1688-57-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/1688-58-0x0000000000520000-0x000000000053A000-memory.dmp

Filesize
104KB

Download
memory/1688-59-0x000000001A5B0000-0x000000001A638000-memory.dmp

Filesize
544KB

Download
memory/1688-62-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-63-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/2888-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2888-61-0x0000000000100000-0x0000000000109000-memory.dmp

Filesize
36KB

Download