983748c25d0701763e2d22718371bc136838148f1d0918778906da5d52617f26

Analysis

max time kernel
127s
max time network
140s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20-12-2023 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/AggregatorHost.exe
Size

353KB
MD5

0e76274b5ea373ca9744d3070b981eae
SHA1

6e306a9a65f286418bd69905963acd5d70b68e94
SHA256

032ec772a00bc1de43fed9d289c38853c56a1ea8dfd2a037b8c482e92a5cb14b
SHA512

fafbbf3c1f66bd9dc62ed24dbcbf139000a98baaa0cef56fbcad4346cf5859e236c6fb6968f433772daa92dce7d9d3e41c1b3167a00b4652ec57e6e95c2e7739
SSDEEP

6144:hM7Mhq/8SBfUnY8sX6D1Ja+9K7O8NvQm8VmbsgxgsO21y6qciya4hrNyT6uf:hsSJyO8e7CPxghvZU1hrq

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

AggregatorHost.exe

pid process

880 AggregatorHost.exe
Loads dropped DLL 2 IoCs

Processes:

AggregatorHost.exe

pid process

2732 AggregatorHost.exe
2732 AggregatorHost.exe

pid	process
880	AggregatorHost.exe

pid	process
2732	AggregatorHost.exe
2732	AggregatorHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AggregatorHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Public\\Documents\\AggregatorHost.exe"	AggregatorHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AggregatorHost.exe

pid process

880 AggregatorHost.exe

pid	process
880	AggregatorHost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

AggregatorHost.exe

description	pid	process	target process
PID 2732 wrote to memory of 880	2732	AggregatorHost.exe	AggregatorHost.exe
PID 2732 wrote to memory of 880	2732	AggregatorHost.exe	AggregatorHost.exe
PID 2732 wrote to memory of 880	2732	AggregatorHost.exe	AggregatorHost.exe

C:\Users\Admin\AppData\Local\Temp\1\AggregatorHost.exe
"C:\Users\Admin\AppData\Local\Temp\1\AggregatorHost.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2732

C:\Users\Public\Documents\AggregatorHost.exe
"C:\Users\Public\Documents\AggregatorHost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Public\Documents\AggregatorHost.exe
Filesize
353KB

MD5
0e76274b5ea373ca9744d3070b981eae

SHA1
6e306a9a65f286418bd69905963acd5d70b68e94

SHA256
032ec772a00bc1de43fed9d289c38853c56a1ea8dfd2a037b8c482e92a5cb14b

SHA512
fafbbf3c1f66bd9dc62ed24dbcbf139000a98baaa0cef56fbcad4346cf5859e236c6fb6968f433772daa92dce7d9d3e41c1b3167a00b4652ec57e6e95c2e7739

Download Submit
memory/880-10-0x0000000001E90000-0x0000000002290000-memory.dmp

Filesize
4.0MB

Download
memory/880-9-0x0000000180000000-0x0000000180054000-memory.dmp

Filesize
336KB

Download
memory/880-16-0x0000000180000000-0x0000000180054000-memory.dmp

Filesize
336KB

Download
memory/880-17-0x0000000180000000-0x0000000180054000-memory.dmp

Filesize
336KB

Download
memory/880-19-0x0000000001E90000-0x0000000002290000-memory.dmp

Filesize
4.0MB

Download