b2587af66ae9a2cc8daa61c4b752571509730679f8cd853344c6977dd63afaa0

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
06-08-2023 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

666KB
MD5

4abf4307d3c34c700ba5f3bfcc9d8fbe
SHA1

215cc86274dff3bf3da6dd1f6392cb42bb527c09
SHA256

b2587af66ae9a2cc8daa61c4b752571509730679f8cd853344c6977dd63afaa0
SHA512

5236ae0ed091dc5538d2fffa70a6d639c429cc13a39fde4a1ac12764859d6e4693821949d8b68636dc47f960a675760db30c1b4678b2274adb42a4c92002c381
SSDEEP

12288:ygNz7hDhASCIORFW1Z1iVSpB3wv0/JNjk085BEylkKMx2LlpuqjePXpW6Wr:yg5tDhASC7Wlpuv03j38LESkKMxHqjeP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2112	PublicKey.exe

Loads dropped DLL 1 IoCs

pid	Process
2028	taskeng.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2112 set thread context of 2900	2112	PublicKey.exe	36

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2140	powershell.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe
2900	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	tmp.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2112	PublicKey.exe
Token: SeDebugPrivilege	2900	MSBuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2140	2212	taskeng.exe	32
PID 2212 wrote to memory of 2140	2212	taskeng.exe	32
PID 2212 wrote to memory of 2140	2212	taskeng.exe	32
PID 2028 wrote to memory of 2112	2028	taskeng.exe	35
PID 2028 wrote to memory of 2112	2028	taskeng.exe	35
PID 2028 wrote to memory of 2112	2028	taskeng.exe	35
PID 2112 wrote to memory of 2900	2112	PublicKey.exe	36
PID 2112 wrote to memory of 2900	2112	PublicKey.exe	36
PID 2112 wrote to memory of 2900	2112	PublicKey.exe	36
PID 2112 wrote to memory of 2900	2112	PublicKey.exe	36
PID 2112 wrote to memory of 2900	2112	PublicKey.exe	36
PID 2112 wrote to memory of 2900	2112	PublicKey.exe	36
PID 2112 wrote to memory of 2900	2112	PublicKey.exe	36

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\taskeng.exe
taskeng.exe {94B15466-667B-420B-8A9E-62159E5B329C} S-1-5-21-4219371764-2579186923-3390623117-1000:NVACMPYA\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140

C:\Windows\system32\taskeng.exe
taskeng.exe {AF93C4A0-7207-4FE6-B7FC-92D9F469328C} S-1-5-21-4219371764-2579186923-3390623117-1000:NVACMPYA\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Roaming\Parameters\PublicKey.exe
  C:\Users\Admin\AppData\Roaming\Parameters\PublicKey.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
066e5635bcfff46cb050ba2b07c42059

SHA1
ae25fadba3adf30af31e7ac66f2832b1a98825e4

SHA256
f846cad76d05952587fb72c25897274365017894384646a5c41201dcac0171c6

SHA512
05911ace18e11e7e718a9203bcf75510d66e5466f76c0c266c284382aa1c9e884a8a05598182796b3c57ef0fd282b8f2ee70ef787bb6b9c750e11096ac3a99b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC39F.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC5D4.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Parameters\PublicKey.exe

Filesize
666KB

MD5
4abf4307d3c34c700ba5f3bfcc9d8fbe

SHA1
215cc86274dff3bf3da6dd1f6392cb42bb527c09

SHA256
b2587af66ae9a2cc8daa61c4b752571509730679f8cd853344c6977dd63afaa0

SHA512
5236ae0ed091dc5538d2fffa70a6d639c429cc13a39fde4a1ac12764859d6e4693821949d8b68636dc47f960a675760db30c1b4678b2274adb42a4c92002c381

Download Submit
C:\Users\Admin\AppData\Roaming\Parameters\PublicKey.exe

Filesize
666KB

MD5
4abf4307d3c34c700ba5f3bfcc9d8fbe

SHA1
215cc86274dff3bf3da6dd1f6392cb42bb527c09

SHA256
b2587af66ae9a2cc8daa61c4b752571509730679f8cd853344c6977dd63afaa0

SHA512
5236ae0ed091dc5538d2fffa70a6d639c429cc13a39fde4a1ac12764859d6e4693821949d8b68636dc47f960a675760db30c1b4678b2274adb42a4c92002c381

Download Submit
\Users\Admin\AppData\Roaming\Parameters\PublicKey.exe

Filesize
666KB

MD5
4abf4307d3c34c700ba5f3bfcc9d8fbe

SHA1
215cc86274dff3bf3da6dd1f6392cb42bb527c09

SHA256
b2587af66ae9a2cc8daa61c4b752571509730679f8cd853344c6977dd63afaa0

SHA512
5236ae0ed091dc5538d2fffa70a6d639c429cc13a39fde4a1ac12764859d6e4693821949d8b68636dc47f960a675760db30c1b4678b2274adb42a4c92002c381

Download Submit
memory/2112-3010-0x000000013FB30000-0x000000013FBDA000-memory.dmp

Filesize
680KB

Download
memory/2112-5953-0x000007FEF4820000-0x000007FEF520C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-4551-0x000007FEF4820000-0x000007FEF520C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-3011-0x00000000006E0000-0x0000000000760000-memory.dmp

Filesize
512KB

Download
memory/2112-4604-0x00000000006E0000-0x0000000000760000-memory.dmp

Filesize
512KB

Download
memory/2112-3009-0x000007FEF4820000-0x000007FEF520C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-5942-0x00000000006E0000-0x0000000000760000-memory.dmp

Filesize
512KB

Download
memory/2112-5949-0x00000000006E0000-0x0000000000760000-memory.dmp

Filesize
512KB

Download
memory/2140-2997-0x0000000019F60000-0x000000001A242000-memory.dmp

Filesize
2.9MB

Download
memory/2140-3004-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-3003-0x00000000015D0000-0x0000000001650000-memory.dmp

Filesize
512KB

Download
memory/2140-3002-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

Filesize
32KB

Download
memory/2140-3001-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-3000-0x00000000015D0000-0x0000000001650000-memory.dmp

Filesize
512KB

Download
memory/2140-2999-0x00000000015D0000-0x0000000001650000-memory.dmp

Filesize
512KB

Download
memory/2140-2998-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2652-87-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-81-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-97-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-99-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-101-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-103-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-105-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-107-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-109-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-111-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-113-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-115-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-117-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-119-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-121-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-925-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/2652-983-0x000000001BAD0000-0x000000001BB50000-memory.dmp

Filesize
512KB

Download
memory/2652-2988-0x0000000002120000-0x0000000002176000-memory.dmp

Filesize
344KB

Download
memory/2652-2989-0x0000000002340000-0x000000000238C000-memory.dmp

Filesize
304KB

Download
memory/2652-2990-0x0000000002390000-0x00000000023E4000-memory.dmp

Filesize
336KB

Download
memory/2652-2992-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/2652-93-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-91-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-89-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-54-0x000000013F1C0000-0x000000013F26A000-memory.dmp

Filesize
680KB

Download
memory/2652-85-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-83-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-95-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-79-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-77-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-75-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-73-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-71-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-69-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-67-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-65-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-63-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-61-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-59-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-55-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/2652-58-0x000000001B8E0000-0x000000001B9ED000-memory.dmp

Filesize
1.1MB

Download
memory/2652-56-0x000000001BAD0000-0x000000001BB50000-memory.dmp

Filesize
512KB

Download
memory/2652-57-0x000000001B8E0000-0x000000001B9F2000-memory.dmp

Filesize
1.1MB

Download
memory/2900-7311-0x000007FEF4820000-0x000007FEF520C000-memory.dmp

Filesize
9.9MB

Download
memory/2900-7606-0x000000001B640000-0x000000001B6C0000-memory.dmp

Filesize
512KB

Download
memory/2900-8886-0x000000001B640000-0x000000001B6C0000-memory.dmp

Filesize
512KB

Download
memory/2900-8887-0x000000001B640000-0x000000001B6C0000-memory.dmp

Filesize
512KB

Download
memory/2900-8888-0x000000001B640000-0x000000001B6C0000-memory.dmp

Filesize
512KB

Download
memory/2900-6009-0x000000001B640000-0x000000001B6C0000-memory.dmp

Filesize
512KB

Download
memory/2900-5962-0x000007FEF4820000-0x000007FEF520C000-memory.dmp

Filesize
9.9MB

Download
memory/2900-5952-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2900-8950-0x000000001B640000-0x000000001B6C0000-memory.dmp

Filesize
512KB

Download
memory/2900-8951-0x000000001B640000-0x000000001B6C0000-memory.dmp

Filesize
512KB

Download
memory/2900-8952-0x000000001B640000-0x000000001B6C0000-memory.dmp

Filesize
512KB

Download