883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22/09/2023, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
Size

1.7MB
MD5

e8eb1ec9deb48f871d5f0041f5376efd
SHA1

f2db4c8ef8a5a39d1b7dd34c82b6efd4664b4531
SHA256

883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90
SHA512

6ee61fb70db05deb8921b250e198653ce5c9ba6da2e5f54290e82dfd4189aa82b9bdc422ad3a328ea6ce84315d0d0c9f2df061824c8952e36dd5169367caff9d
SSDEEP

24576:HcCAjahFqYIiOtKRoXCkX4rj69El3s1sJ:jAjgFiqvrWTs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2952	dwm.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\NlsData0416\csrss.exe	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\mfcm100\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\fdSSDP\6cb0b6c459d5d3455a3da700e713f2e2529862ff	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\Wldap32\csrss.exe	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\cfgmgr32\taskhost.exe	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\cfgmgr32\b75386f1303e64d8139363b71e44ac16341adf4e	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\mssrch\69ddcba757bf72f7d36c464c71f42baab150b2b9	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\NlsData0416\886983d96e3d3e31032c679b2d4ea91b6c05afef	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\mfcm100\services.exe	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\fdSSDP\dwm.exe	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\Wldap32\886983d96e3d3e31032c679b2d4ea91b6c05afef	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\mssrch\smss.exe	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\it-IT\smss.exe	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Program Files\DVD Maker\it-IT\69ddcba757bf72f7d36c464c71f42baab150b2b9	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Globalization\smss.exe	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File opened for modification	C:\Windows\Globalization\smss.exe	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\Globalization\69ddcba757bf72f7d36c464c71f42baab150b2b9	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2608	schtasks.exe
2832	schtasks.exe
1080	schtasks.exe
2524	schtasks.exe
1908	schtasks.exe
2884	schtasks.exe
2628	schtasks.exe
2448	schtasks.exe
2192	schtasks.exe
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
2952	dwm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
Token: SeDebugPrivilege	2952	dwm.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2884	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	29
PID 2788 wrote to memory of 2884	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	29
PID 2788 wrote to memory of 2884	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	29
PID 2788 wrote to memory of 2608	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	31
PID 2788 wrote to memory of 2608	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	31
PID 2788 wrote to memory of 2608	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	31
PID 2788 wrote to memory of 2832	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	33
PID 2788 wrote to memory of 2832	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	33
PID 2788 wrote to memory of 2832	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	33
PID 2788 wrote to memory of 2628	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	35
PID 2788 wrote to memory of 2628	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	35
PID 2788 wrote to memory of 2628	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	35
PID 2788 wrote to memory of 1080	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	37
PID 2788 wrote to memory of 1080	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	37
PID 2788 wrote to memory of 1080	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	37
PID 2788 wrote to memory of 2524	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	39
PID 2788 wrote to memory of 2524	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	39
PID 2788 wrote to memory of 2524	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	39
PID 2788 wrote to memory of 2448	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	41
PID 2788 wrote to memory of 2448	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	41
PID 2788 wrote to memory of 2448	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	41
PID 2788 wrote to memory of 2192	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	43
PID 2788 wrote to memory of 2192	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	43
PID 2788 wrote to memory of 2192	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	43
PID 2788 wrote to memory of 1908	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	45
PID 2788 wrote to memory of 1908	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	45
PID 2788 wrote to memory of 1908	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	45
PID 2788 wrote to memory of 2780	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	47
PID 2788 wrote to memory of 2780	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	47
PID 2788 wrote to memory of 2780	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	47
PID 2788 wrote to memory of 2952	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	49
PID 2788 wrote to memory of 2952	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	49
PID 2788 wrote to memory of 2952	2788	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
"C:\Users\Admin\AppData\Local\Temp\883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Globalization\smss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2884
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\NlsData0416\csrss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2608
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\mfcm100\services.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2832
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90" /sc ONLOGON /tr "'C:\Users\Default\Downloads\883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2628
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\smss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1080
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\fdSSDP\dwm.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2524
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Cookies\audiodg.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2448
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\Wldap32\csrss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2192
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\cfgmgr32\taskhost.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1908
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\mssrch\smss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2780
- C:\Windows\System32\fdSSDP\dwm.exe
  "C:\Windows\System32\fdSSDP\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DVD Maker\it-IT\smss.exe

Filesize
1.7MB

MD5
e8eb1ec9deb48f871d5f0041f5376efd

SHA1
f2db4c8ef8a5a39d1b7dd34c82b6efd4664b4531

SHA256
883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90

SHA512
6ee61fb70db05deb8921b250e198653ce5c9ba6da2e5f54290e82dfd4189aa82b9bdc422ad3a328ea6ce84315d0d0c9f2df061824c8952e36dd5169367caff9d

Download Submit
C:\Windows\System32\fdSSDP\dwm.exe

Filesize
1.7MB

MD5
e8eb1ec9deb48f871d5f0041f5376efd

SHA1
f2db4c8ef8a5a39d1b7dd34c82b6efd4664b4531

SHA256
883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90

SHA512
6ee61fb70db05deb8921b250e198653ce5c9ba6da2e5f54290e82dfd4189aa82b9bdc422ad3a328ea6ce84315d0d0c9f2df061824c8952e36dd5169367caff9d

Download Submit
C:\Windows\System32\fdSSDP\dwm.exe

Filesize
1.7MB

MD5
e8eb1ec9deb48f871d5f0041f5376efd

SHA1
f2db4c8ef8a5a39d1b7dd34c82b6efd4664b4531

SHA256
883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90

SHA512
6ee61fb70db05deb8921b250e198653ce5c9ba6da2e5f54290e82dfd4189aa82b9bdc422ad3a328ea6ce84315d0d0c9f2df061824c8952e36dd5169367caff9d

Download Submit
memory/2788-0-0x0000000000050000-0x00000000001FA000-memory.dmp

Filesize
1.7MB

Download
memory/2788-1-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/2788-2-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/2788-3-0x000000001AFD0000-0x000000001B050000-memory.dmp

Filesize
512KB

Download
memory/2788-31-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/2952-28-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/2952-29-0x0000000000990000-0x0000000000B3A000-memory.dmp

Filesize
1.7MB

Download
memory/2952-30-0x000000001B490000-0x000000001B510000-memory.dmp

Filesize
512KB

Download
memory/2952-32-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download