Overview

overview

10

Static

static

3

7bc862a96e...aa.exe

windows7-x64

10

7bc862a96e...aa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-08-2023 20:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe

  • Size

    1.1MB

  • MD5

    83526b0d300cb89d2d360985ead401ce

  • SHA1

    3ef6466432694c2640644c98cf502baa74a5c13d

  • SHA256

    7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa

  • SHA512

    3dfffdb8fd47f4eed11a94ed8ba0eb28e78ca1434868f875e99e7f611ca58ce17c5b26ac04e8e355e8ee4abe0bdf78a8c0c5d800b1597b12a4ea292c6b64a7d2

  • SSDEEP

    24576:L4HpElfT5YFrWzNBQNNERlCqWx6fmnO/rHsnI:L4JElfTuF4iNERlCL6+yMI

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:684
      • C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
        "C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3904
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMS_VL_ALL_AIO.cmd" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2236
          • C:\Windows\System32\reg.exe
            reg query HKU\S-1-5-19
            4⤵
              PID:1116
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3912
              • C:\Windows\System32\reg.exe
                reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
                5⤵
                  PID:2916
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ver
                4⤵
                  PID:1036
                • C:\Windows\System32\reg.exe
                  reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
                  4⤵
                    PID:3944
                  • C:\Windows\System32\find.exe
                    find /i "0x0"
                    4⤵
                      PID:1416
                    • C:\Windows\System32\reg.exe
                      reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
                      4⤵
                        PID:4688
                      • C:\Windows\System32\find.exe
                        find /i "0x0"
                        4⤵
                          PID:3348
                        • C:\Windows\System32\reg.exe
                          reg query "HKCU\Console" /v ForceV2
                          4⤵
                            PID:2768
                          • C:\Windows\System32\find.exe
                            find /i "0x0"
                            4⤵
                              PID:232
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
                              4⤵
                                PID:4960
                              • C:\Windows\System32\sc.exe
                                sc query osppsvc
                                4⤵
                                • Launches sc.exe
                                PID:1308
                              • C:\Windows\System32\reg.exe
                                reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
                                4⤵
                                  PID:3692
                                • C:\Windows\System32\mode.com
                                  mode con cols=80 lines=32
                                  4⤵
                                    PID:5032
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %B in (1) do rem"
                                    4⤵
                                      PID:4908
                                    • C:\Windows\System32\choice.exe
                                      choice /c 1234567890ERSX /n /m "> Choose a menu option, or press 0 to Exit: "
                                      4⤵
                                        PID:2016
                                  • C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
                                    "C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe"
                                    2⤵
                                      PID:352
                                    • C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
                                      "C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe"
                                      2⤵
                                        PID:60
                                      • C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe
                                        "C:\Users\Admin\AppData\Local\Temp\7bc862a96e1fce50cfdc6d6697c64759ac655ec2e325eec45cc85ff977c78eaa.exe"
                                        2⤵
                                          PID:1852

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Temp\KMS_VL_ALL_AIO.cmd
                                        Filesize

                                        294KB

                                        MD5

                                        d3c01098dd10c824352f0bf8d3ae4f0c

                                        SHA1

                                        dc2035e2ef729018dd80b3f12035e1453b26a466

                                        SHA256

                                        e4834aaf04092bbd62048c9182a9d92fd527f900c72666d1e9f2dabbc6dddd03

                                        SHA512

                                        c04ae07e87a9e692feda7346adf8be0786dfa118befbe356b38744a73d436897dc16d323c226d01a67f145f0485d41f6132ca32ba3165b7930689abfadff8303

                                        Download Submit

                                      • memory/1852-7-0x0000000000400000-0x0000000000452000-memory.dmp

                                        Filesize

                                        328KB

                                        Download

                                      • memory/1852-9-0x0000000000400000-0x0000000000452000-memory.dmp

                                        Filesize

                                        328KB

                                        Download

                                      • memory/1852-10-0x0000000000400000-0x0000000000452000-memory.dmp

                                        Filesize

                                        328KB

                                        Download

                                      • memory/1852-13-0x0000000000360000-0x0000000000360000-memory.dmp

                                        Download

                                      • memory/3904-0-0x0000000000D90000-0x0000000000EBC000-memory.dmp

                                        Filesize

                                        1.2MB

                                        Download

                                      • memory/3904-1-0x00007FFB6FE20000-0x00007FFB708E1000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/3904-2-0x00000000039E0000-0x00000000039F0000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/3904-12-0x00007FFB6FE20000-0x00007FFB708E1000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download