7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27/08/2023, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
Size

1.1MB
MD5

83526b0d300cb89d2d360985ead401ce
SHA1

3ef6466432694c2640644c98cf502baa74a5c13d
SHA256

7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa
SHA512

3dfffdb8fd47f4eed11a94ed8ba0eb28e78ca1434868f875e99e7f611ca58ce17c5b26ac04e8e355e8ee4abe0bdf78a8c0c5d800b1597b12a4ea292c6b64a7d2
SSDEEP

24576:L4HpElfT5YFrWzNBQNNERlCqWx6fmnO/rHsnI:L4JElfTuF4iNERlCL6+yMI

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 2468 created 1220	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	11
PID 2468 created 1220	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	11
PID 2468 created 1220	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	11
PID 2468 created 1220	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	11
PID 2468 created 1220	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	11

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2732	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2944	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	28
PID 2468 wrote to memory of 2944	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	28
PID 2468 wrote to memory of 2944	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	28
PID 2944 wrote to memory of 2844	2944	cmd.exe	30
PID 2944 wrote to memory of 2844	2944	cmd.exe	30
PID 2944 wrote to memory of 2844	2944	cmd.exe	30
PID 2944 wrote to memory of 2924	2944	cmd.exe	31
PID 2944 wrote to memory of 2924	2944	cmd.exe	31
PID 2944 wrote to memory of 2924	2944	cmd.exe	31
PID 2924 wrote to memory of 2308	2924	cmd.exe	32
PID 2924 wrote to memory of 2308	2924	cmd.exe	32
PID 2924 wrote to memory of 2308	2924	cmd.exe	32
PID 2944 wrote to memory of 2832	2944	cmd.exe	33
PID 2944 wrote to memory of 2832	2944	cmd.exe	33
PID 2944 wrote to memory of 2832	2944	cmd.exe	33
PID 2944 wrote to memory of 2712	2944	cmd.exe	34
PID 2944 wrote to memory of 2712	2944	cmd.exe	34
PID 2944 wrote to memory of 2712	2944	cmd.exe	34
PID 2944 wrote to memory of 2552	2944	cmd.exe	35
PID 2944 wrote to memory of 2552	2944	cmd.exe	35
PID 2944 wrote to memory of 2552	2944	cmd.exe	35
PID 2944 wrote to memory of 2996	2944	cmd.exe	36
PID 2944 wrote to memory of 2996	2944	cmd.exe	36
PID 2944 wrote to memory of 2996	2944	cmd.exe	36
PID 2944 wrote to memory of 2860	2944	cmd.exe	37
PID 2944 wrote to memory of 2860	2944	cmd.exe	37
PID 2944 wrote to memory of 2860	2944	cmd.exe	37
PID 2944 wrote to memory of 2296	2944	cmd.exe	38
PID 2944 wrote to memory of 2296	2944	cmd.exe	38
PID 2944 wrote to memory of 2296	2944	cmd.exe	38
PID 2944 wrote to memory of 2732	2944	cmd.exe	39
PID 2944 wrote to memory of 2732	2944	cmd.exe	39
PID 2944 wrote to memory of 2732	2944	cmd.exe	39
PID 2944 wrote to memory of 2872	2944	cmd.exe	40
PID 2944 wrote to memory of 2872	2944	cmd.exe	40
PID 2944 wrote to memory of 2872	2944	cmd.exe	40
PID 2944 wrote to memory of 2836	2944	cmd.exe	41
PID 2944 wrote to memory of 2836	2944	cmd.exe	41
PID 2944 wrote to memory of 2836	2944	cmd.exe	41
PID 2944 wrote to memory of 1140	2944	cmd.exe	42
PID 2944 wrote to memory of 1140	2944	cmd.exe	42
PID 2944 wrote to memory of 1140	2944	cmd.exe	42
PID 2944 wrote to memory of 2812	2944	cmd.exe	43
PID 2944 wrote to memory of 2812	2944	cmd.exe	43
PID 2944 wrote to memory of 2812	2944	cmd.exe	43
PID 2944 wrote to memory of 2720	2944	cmd.exe	44
PID 2944 wrote to memory of 2720	2944	cmd.exe	44
PID 2944 wrote to memory of 2720	2944	cmd.exe	44
PID 2944 wrote to memory of 2756	2944	cmd.exe	45
PID 2944 wrote to memory of 2756	2944	cmd.exe	45
PID 2944 wrote to memory of 2756	2944	cmd.exe	45
PID 2468 wrote to memory of 2780	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	46
PID 2468 wrote to memory of 2780	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	46
PID 2468 wrote to memory of 2780	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	46
PID 2468 wrote to memory of 1348	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	47
PID 2468 wrote to memory of 1348	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	47
PID 2468 wrote to memory of 1348	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	47
PID 2468 wrote to memory of 1872	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	48
PID 2468 wrote to memory of 1872	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	48
PID 2468 wrote to memory of 1872	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	48
PID 2468 wrote to memory of 2508	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	49
PID 2468 wrote to memory of 2508	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	49
PID 2468 wrote to memory of 2508	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	49
PID 2468 wrote to memory of 2516	2468	7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe	50

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
  "C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\KMS_VL_ALL_AIO.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\System32\reg.exe
      reg query HKU\S-1-5-19
      4⤵
      PID:2844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        5⤵
        
        PID:2308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:2832
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
      4⤵
      PID:2712
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:2552
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
      4⤵
      PID:2996
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:2860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
      4⤵
      PID:2296
  - - C:\Windows\System32\sc.exe
      sc query osppsvc
      4⤵
      Launches sc.exe
      PID:2732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\channels
      4⤵
      PID:2872
  - - C:\Windows\System32\mode.com
      mode con cols=80 lines=32
      4⤵
      PID:2836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
      4⤵
      PID:1140
  - - C:\Windows\System32\findstr.exe
      findstr /a:07 /f:`.txt "."
      4⤵
      PID:2812
  - - C:\Windows\System32\findstr.exe
      findstr /a:1F /f:`.txt "."
      4⤵
      PID:2720
  - - C:\Windows\System32\choice.exe
      choice /c 1234567890ERSX /n /m "> Choose a menu option, or press 0 to Exit: "
      4⤵
      PID:2756
- C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
  "C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe"
  2⤵
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
  "C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe"
  2⤵
  PID:1348
- C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
  "C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe"
  2⤵
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
  "C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe"
  2⤵
  PID:2508
- C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
  "C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe"
  2⤵
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KMS_VL_ALL_AIO.cmd

Filesize
294KB

MD5
d3c01098dd10c824352f0bf8d3ae4f0c

SHA1
dc2035e2ef729018dd80b3f12035e1453b26a466

SHA256
e4834aaf04092bbd62048c9182a9d92fd527f900c72666d1e9f2dabbc6dddd03

SHA512
c04ae07e87a9e692feda7346adf8be0786dfa118befbe356b38744a73d436897dc16d323c226d01a67f145f0485d41f6132ca32ba3165b7930689abfadff8303

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_VL_ALL_AIO.cmd

Filesize
294KB

MD5
d3c01098dd10c824352f0bf8d3ae4f0c

SHA1
dc2035e2ef729018dd80b3f12035e1453b26a466

SHA256
e4834aaf04092bbd62048c9182a9d92fd527f900c72666d1e9f2dabbc6dddd03

SHA512
c04ae07e87a9e692feda7346adf8be0786dfa118befbe356b38744a73d436897dc16d323c226d01a67f145f0485d41f6132ca32ba3165b7930689abfadff8303

Download Submit
C:\Windows\Temp\'

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Windows\Temp\`.txt

Filesize
35B

MD5
ffe40be0916c7302ae237feebe53cf4b

SHA1
59f9f73c5f1cf616c159bd13d9245794b2edcecd

SHA256
6ef78a8ef8e0752565dcc75e10db254a573a51eaa183f0bff99494e62f0b57c6

SHA512
8068814f7cf1b06bc2428409402aae8fa885705eebc5cf96415e77d50003c13665ef75fc818d992fa994034f9507c3f9cbc1345a6150fa4e9077bd16b8d88ada

Download Submit
C:\Windows\Temp\`.txt

Filesize
20B

MD5
b2e5b29ecc16ade3184ed0b5321166c9

SHA1
6cdff60bb711d7edb0583d5d2f0656c6e1a1aee2

SHA256
79af99b57c308bf4d412f6d95f6e5ee488f1f56f7643461cafa168a0bca50b4d

SHA512
d98540f803974426e82222d9aca3632060af3daa45d43c60ac66ee16b01f6af28db93b323ade968094e4ebe068639e8fd178fd34903937b2569aaa229767bd03

Download Submit
memory/2468-15-0x000000001A8F0000-0x000000001A950000-memory.dmp

Filesize
384KB

Download
memory/2468-6-0x000000001A7D0000-0x000000001A87C000-memory.dmp

Filesize
688KB

Download
memory/2468-5-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/2468-0-0x000000013F090000-0x000000013F1BC000-memory.dmp

Filesize
1.2MB

Download
memory/2468-17-0x00000000023A0000-0x00000000023A6000-memory.dmp

Filesize
24KB

Download
memory/2468-4-0x000000001C6E0000-0x000000001C7F6000-memory.dmp

Filesize
1.1MB

Download
memory/2468-18-0x000000001A950000-0x000000001AA82000-memory.dmp

Filesize
1.2MB

Download
memory/2468-19-0x00000000023B0000-0x00000000023B6000-memory.dmp

Filesize
24KB

Download
memory/2468-3-0x000000001B830000-0x000000001B8B0000-memory.dmp

Filesize
512KB

Download
memory/2468-2-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/2468-1-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2468-26-0x000000001AA80000-0x000000001AAB6000-memory.dmp

Filesize
216KB

Download
memory/2468-27-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download