e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/08/2023, 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe
Size

1.4MB
MD5

eea7e8980770d81f890b8ac30d8338e2
SHA1

b40f87e8ccaba6b644d33049da0bee0a2f71ca07
SHA256

e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11
SHA512

84187a6be84a70e906e16e0c7dbf3093fd84dd329ef882739ddc3fe87097cff0979c586c06465dc6230c9cc972db1809701b55e6403b6fd76bdb578ed4c0b304
SSDEEP

24576:0krwzop11YC7uvYWTsP1kpVRH/8zenc5qxC0CN0AXlaGXivjc4fIPAxvOJ64kfmH:bruo2C7uwWTsP1kpVRf8zenC+gdXOVxI

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Sqv186.sys	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\5WleBX\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\Sqv186.sys"	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2772	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe
2772	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe
2772	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe
2772	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe
2772	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe
2772	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe
2772	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe
2772	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2772	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe
2772	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe
2772	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2772	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2772	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2772	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe
2772	e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe

C:\Users\Admin\AppData\Local\Temp\e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe
"C:\Users\Admin\AppData\Local\Temp\e2535ab2633c64df4a060630285d3e4838f3d6ae0014c85a8656a79cd8c5cb11.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2772-54-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2772-55-0x0000000075F20000-0x0000000075F67000-memory.dmp

Filesize
284KB

Download
memory/2772-865-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-870-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-868-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-866-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-872-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-876-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-874-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-880-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-882-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-878-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-886-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-884-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-888-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-890-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-894-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-892-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-900-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-898-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-896-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-904-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-902-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-908-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-906-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-914-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-912-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-910-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-918-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-916-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-920-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-924-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-922-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-926-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-2601-0x0000000002000000-0x0000000002100000-memory.dmp

Filesize
1024KB

Download
memory/2772-2602-0x0000000002180000-0x0000000002301000-memory.dmp

Filesize
1.5MB

Download
memory/2772-4398-0x0000000002000000-0x0000000002100000-memory.dmp

Filesize
1024KB

Download
memory/2772-8742-0x0000000002430000-0x0000000002541000-memory.dmp

Filesize
1.1MB

Download
memory/2772-8749-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2772-8751-0x0000000002550000-0x0000000002651000-memory.dmp

Filesize
1.0MB

Download
memory/2772-8759-0x0000000002310000-0x00000000023B1000-memory.dmp

Filesize
644KB

Download
memory/2772-8761-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2772-8765-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download