1f44175232113cf3f570e863f8e9e0db15b1d30364498c93cdeccf0d768f3cfe

Analysis

max time kernel
12s
max time network
15s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19/08/2023, 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Memcheck.exe
Size

3.9MB
MD5

ea3726dec12657f20ad2c861464dd434
SHA1

36eb78d12e0c211ca72de08a2267a1a82e6a0dc5
SHA256

1f44175232113cf3f570e863f8e9e0db15b1d30364498c93cdeccf0d768f3cfe
SHA512

85399babecf1b3a96b2a500d19776547d43c282995d77dbf2c2586f6055da498667872fd1f5790c74b62a23e7efb56494f51d0990434ef75e64fe01f77230c19
SSDEEP

98304:wAsJ5SFdzBuyzlPQP2RUhfXzOP2sIR4Ajsg6WBj02N/GmmAVSMb:wAs/SZuyzUtfXKP2sMlvbb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2452	Memcheck.exe
2964	Memcheck.exe

Loads dropped DLL 4 IoCs

pid	Process
3020	Memcheck.exe
2452	Memcheck.exe
2964	Memcheck.exe
2964	Memcheck.exe

Drops file in System32 directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Windows\syswow64\DEVOBJ.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\imm32.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\ws2_32.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\wininet.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\propsys.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\msvcrt.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\sechost.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\LPK.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\opengl32.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\GLU32.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\SETUPAPI.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\msimg32.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\DUI70.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\ole32.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\RPCRT4.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\psapi.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\NSI.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\iertutil.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\KERNELBASE.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\CRYPTBASE.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\DCIMAN32.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\CLBCatQ.DLL	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\explorerframe.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\ntdll.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\USER32.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\SHLWAPI.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\profapi.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\oleaut32.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\shell32.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\CFGMGR32.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\comdlg32.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\hhctrl.ocx	Memcheck.exe
File opened for modification	C:\Windows\syswow64\normaliz.DLL	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\DUser.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\shfolder.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\GDI32.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\ADVAPI32.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\DDRAW.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\dwmapi.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\MSCTF.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\uxtheme.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\kernel32.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\SspiCli.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\imagehlp.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\wsock32.dll	Memcheck.exe
File opened for modification	C:\Windows\syswow64\USP10.dll	Memcheck.exe
File opened for modification	C:\Windows\SysWOW64\version.dll	Memcheck.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	Memcheck.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2964	Memcheck.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	Memcheck.exe
Token: SeTcbPrivilege	2964	Memcheck.exe
Token: SeTcbPrivilege	2964	Memcheck.exe
Token: SeLoadDriverPrivilege	2964	Memcheck.exe
Token: SeCreateGlobalPrivilege	2964	Memcheck.exe
Token: 33	2964	Memcheck.exe
Token: SeSecurityPrivilege	2964	Memcheck.exe
Token: SeTakeOwnershipPrivilege	2964	Memcheck.exe
Token: SeManageVolumePrivilege	2964	Memcheck.exe
Token: SeBackupPrivilege	2964	Memcheck.exe
Token: SeCreatePagefilePrivilege	2964	Memcheck.exe
Token: SeShutdownPrivilege	2964	Memcheck.exe
Token: SeRestorePrivilege	2964	Memcheck.exe
Token: 33	2964	Memcheck.exe
Token: SeIncBasePriorityPrivilege	2964	Memcheck.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2964	Memcheck.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2452	3020	Memcheck.exe	28
PID 3020 wrote to memory of 2452	3020	Memcheck.exe	28
PID 3020 wrote to memory of 2452	3020	Memcheck.exe	28
PID 3020 wrote to memory of 2452	3020	Memcheck.exe	28
PID 2452 wrote to memory of 2964	2452	Memcheck.exe	29
PID 2452 wrote to memory of 2964	2452	Memcheck.exe	29
PID 2452 wrote to memory of 2964	2452	Memcheck.exe	29
PID 2452 wrote to memory of 2964	2452	Memcheck.exe	29

C:\Users\Admin\AppData\Local\Temp\Memcheck.exe
"C:\Users\Admin\AppData\Local\Temp\Memcheck.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\Memcheck.exe
  "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\Memcheck.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\extracted\Memcheck.exe
    C:\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\extracted\Memcheck.exe "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\CET_Archive.dat

Filesize
3.7MB

MD5
fcfcc486e4c100f20d99df8f71f63d2e

SHA1
390702a8db8af3cc3a608747e28aeb350af50ad7

SHA256
e8608c6bd3e575965e1a4cceba36fc6be4e9be86d479fc8ce4aa2a3f97611acc

SHA512
090de36e6c28783bc58b89a671ecf78d63cb5c5918d30f81312270c5a1fc7977d23990319ca57b7a2bd57910dfac12783765388515aed0a7a9f205e5d0ee9564

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\Memcheck.exe

Filesize
193KB

MD5
6852660b8cbb67ee3f1e31bf2f1e0afd

SHA1
c1b790e062f3a13d3e2f90c58e92ded585abbe3b

SHA256
cd86234cf14dfc0e66ae9e575326fd0cf74723a5a60337f7079c0540b6da5c8b

SHA512
5722ebf6bef799721464094c6d6a81931bf8f78bdd1fbe12b153cf7b0e4e9e7307fa7a01e0cc16ce885c20c3a0a3cc95d6a7d86413f0c61cca3450fa565dd6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\extracted\CET_TRAINER.CETRAINER

Filesize
823B

MD5
0770967b7c5f87672aa6d81b0e18108d

SHA1
d0d391759180ca631ccbfdb029fe4e4466549a81

SHA256
01edf510a69848e82eb6ab0cb3488d81fc529cde186f7d928a1fb3c9a359fe0c

SHA512
2a2afe48dc47d65d125dedf6384d655731bfa857f70b88f07e8e4deda327362b6c9ae787986c89fe1756b92bdeee642475d74bc7c7bfe42d94215daac3424ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\extracted\Memcheck.exe

Filesize
7.6MB

MD5
6302f6714dc29921a6bf886fcd4d8a6c

SHA1
df012bad4ef9b4e2a2554891ced21632a699deb5

SHA256
cfd5367ffbf2211e819423ba186e5e35389eb84597bd610fba7653e19d945b13

SHA512
5247a4e7f5f04a83d0c3e36215feaec7b0db409503437b1daf069f2ba5d7cd04ca715fd0796fbbe3b52b4440f50a7f8e73ce6d8e1e812013cf293fa9b5bb3078

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\extracted\Memcheck.exe

Filesize
7.6MB

MD5
6302f6714dc29921a6bf886fcd4d8a6c

SHA1
df012bad4ef9b4e2a2554891ced21632a699deb5

SHA256
cfd5367ffbf2211e819423ba186e5e35389eb84597bd610fba7653e19d945b13

SHA512
5247a4e7f5f04a83d0c3e36215feaec7b0db409503437b1daf069f2ba5d7cd04ca715fd0796fbbe3b52b4440f50a7f8e73ce6d8e1e812013cf293fa9b5bb3078

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\extracted\defines.lua

Filesize
5KB

MD5
1dc41a0a351e745085fcc98a3933d91f

SHA1
bf1e7d333e6d7b3d4bfe5cdcada19af1931dbe15

SHA256
a2e02dd32f0245ff31190288b368b3efbbe7c48a95dd22c321231c2f46597d9b

SHA512
76f171411d028e72613859332f381f8f26e85d1844c143a8888e4937ca72d7b38ffe66ce617eee5e8155ba034dcc559a9417b5def056bb74227b9bae392d1440

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\extracted\lua53-32.dll

Filesize
491KB

MD5
c8f47a0e750e07d86a47b3296fb59a97

SHA1
1f894c9aa88dd2448e50ab5e7277cd4b4c629c6d

SHA256
dcfd91f21dee9e70179337a85d21b3ca925f1a6c21de9576aa5219732b7c7a86

SHA512
e154a097e8e174a47fea76c96d1c27d93cf9bfbdc47eeef56486cc3d2e661649a1d7da5cfe0ce220ea172f4646ab4eecbd2e1594011d0a8ca1eb416cd84b8b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\extracted\win32\dbghelp.dll

Filesize
1.2MB

MD5
9139604740814e53298a5e8428ba29d7

SHA1
c7bf8947e9276a311c4807ea4a57b504f95703c9

SHA256
150782fca5e188762a41603e2d5c7aad6b6419926bcadf350ebf84328e50948f

SHA512
0b99259e9c0ee566d55cc53c4a7eabf025ed95973edc80ded594023a33f8273cd5d3f3053993f771f9db8a9d234e988cba73845c19ddc6e629e15a243c54cd5d

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\Memcheck.exe

Filesize
193KB

MD5
6852660b8cbb67ee3f1e31bf2f1e0afd

SHA1
c1b790e062f3a13d3e2f90c58e92ded585abbe3b

SHA256
cd86234cf14dfc0e66ae9e575326fd0cf74723a5a60337f7079c0540b6da5c8b

SHA512
5722ebf6bef799721464094c6d6a81931bf8f78bdd1fbe12b153cf7b0e4e9e7307fa7a01e0cc16ce885c20c3a0a3cc95d6a7d86413f0c61cca3450fa565dd6a8

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\extracted\Memcheck.exe

Filesize
7.6MB

MD5
6302f6714dc29921a6bf886fcd4d8a6c

SHA1
df012bad4ef9b4e2a2554891ced21632a699deb5

SHA256
cfd5367ffbf2211e819423ba186e5e35389eb84597bd610fba7653e19d945b13

SHA512
5247a4e7f5f04a83d0c3e36215feaec7b0db409503437b1daf069f2ba5d7cd04ca715fd0796fbbe3b52b4440f50a7f8e73ce6d8e1e812013cf293fa9b5bb3078

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\extracted\lua53-32.dll

Filesize
491KB

MD5
c8f47a0e750e07d86a47b3296fb59a97

SHA1
1f894c9aa88dd2448e50ab5e7277cd4b4c629c6d

SHA256
dcfd91f21dee9e70179337a85d21b3ca925f1a6c21de9576aa5219732b7c7a86

SHA512
e154a097e8e174a47fea76c96d1c27d93cf9bfbdc47eeef56486cc3d2e661649a1d7da5cfe0ce220ea172f4646ab4eecbd2e1594011d0a8ca1eb416cd84b8b2a

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET8095.tmp\extracted\win32\dbghelp.dll

Filesize
1.2MB

MD5
9139604740814e53298a5e8428ba29d7

SHA1
c7bf8947e9276a311c4807ea4a57b504f95703c9

SHA256
150782fca5e188762a41603e2d5c7aad6b6419926bcadf350ebf84328e50948f

SHA512
0b99259e9c0ee566d55cc53c4a7eabf025ed95973edc80ded594023a33f8273cd5d3f3053993f771f9db8a9d234e988cba73845c19ddc6e629e15a243c54cd5d

Download Submit