599add1fb4e5c5bbc75ce45783ef1bdaeda7275f5527ee0ef22378d830d301fc

Analysis

max time kernel
157s
max time network
155s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

599add1fb4e5c5bbc75ce45783ef1bdaeda7275f5527ee0ef22378d830d301fc.exe
Size

198KB
MD5

dd918283da4b7ea5f068afa446c8af78
SHA1

ff50572f35de3253edcede1535abb3f609e3aee2
SHA256

599add1fb4e5c5bbc75ce45783ef1bdaeda7275f5527ee0ef22378d830d301fc
SHA512

13a70544b5bb282e382ecd1f31a1ca0c710805aa92447d2e75f56c862b8e897424a4ae3519ba42eafc1850718d6d346f5b8d8be7790894b56f7f545676ace7a7
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOu:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXj

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
240	scchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\scchost.exe	599add1fb4e5c5bbc75ce45783ef1bdaeda7275f5527ee0ef22378d830d301fc.exe
File opened for modification	C:\Windows\Debug\scchost.exe	599add1fb4e5c5bbc75ce45783ef1bdaeda7275f5527ee0ef22378d830d301fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	scchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	scchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2244	599add1fb4e5c5bbc75ce45783ef1bdaeda7275f5527ee0ef22378d830d301fc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3004	2244	599add1fb4e5c5bbc75ce45783ef1bdaeda7275f5527ee0ef22378d830d301fc.exe	31
PID 2244 wrote to memory of 3004	2244	599add1fb4e5c5bbc75ce45783ef1bdaeda7275f5527ee0ef22378d830d301fc.exe	31
PID 2244 wrote to memory of 3004	2244	599add1fb4e5c5bbc75ce45783ef1bdaeda7275f5527ee0ef22378d830d301fc.exe	31
PID 2244 wrote to memory of 3004	2244	599add1fb4e5c5bbc75ce45783ef1bdaeda7275f5527ee0ef22378d830d301fc.exe	31

C:\Users\Admin\AppData\Local\Temp\599add1fb4e5c5bbc75ce45783ef1bdaeda7275f5527ee0ef22378d830d301fc.exe
"C:\Users\Admin\AppData\Local\Temp\599add1fb4e5c5bbc75ce45783ef1bdaeda7275f5527ee0ef22378d830d301fc.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\599ADD~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3004

C:\Windows\Debug\scchost.exe
C:\Windows\Debug\scchost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\scchost.exe

Filesize
198KB

MD5
1cb728a96bc79431daee9fa9df188d2a

SHA1
45c2480368288ddc5f56076c0a08f02fb82f0a09

SHA256
11a8edfbb37d00c14d36ce74ca483cb0be0d549fe53a62e762f64deab34daebd

SHA512
beecdec45709fd220f96c620cf5da6cb95941ba25cffeacca339c5322450fa5bc98325fdd8555d529b6ece3a54f55191ef0ec55e7558ba60eb0a6110d15efa48

Download Submit
C:\Windows\debug\scchost.exe

Filesize
198KB

MD5
1cb728a96bc79431daee9fa9df188d2a

SHA1
45c2480368288ddc5f56076c0a08f02fb82f0a09

SHA256
11a8edfbb37d00c14d36ce74ca483cb0be0d549fe53a62e762f64deab34daebd

SHA512
beecdec45709fd220f96c620cf5da6cb95941ba25cffeacca339c5322450fa5bc98325fdd8555d529b6ece3a54f55191ef0ec55e7558ba60eb0a6110d15efa48

Download Submit