Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
30/12/2023, 04:30
Static task
static1
Behavioral task
behavioral1
Sample
0e88d215c560501b6a4ba041c0d54635.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
0e88d215c560501b6a4ba041c0d54635.exe
Resource
win10v2004-20231222-en
General
-
Target
0e88d215c560501b6a4ba041c0d54635.exe
-
Size
118KB
-
MD5
0e88d215c560501b6a4ba041c0d54635
-
SHA1
95a45dd007e93df49fbb91222476160f526ee12a
-
SHA256
5b1a748fd59c47f872ed89cf33d3c55b61939d1686396458b5cec7a97351255f
-
SHA512
c12471436dd95c894eaf26ce2a943929376c6a5e4ecc75016d3b029bfbc519aec1d1ccf545a205d9a0ea445fa6ccff3ad0b7f0508da557efa182cde6a8d811ea
-
SSDEEP
3072:7ni7SKGEBa+LTcXuDENCtpFqYaG9w0Hi:Li71GhacXuDyCXFqTG90
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
pid Process 2596 taskhostt.exe 2628 wmpnetvk.exe 2600 lsass.exe 1728 lsass.exe -
Loads dropped DLL 6 IoCs
pid Process 2132 0e88d215c560501b6a4ba041c0d54635.exe 2596 taskhostt.exe 2596 taskhostt.exe 2804 0e88d215c560501b6a4ba041c0d54635.exe 2804 0e88d215c560501b6a4ba041c0d54635.exe 2600 lsass.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lsass.exe" 0e88d215c560501b6a4ba041c0d54635.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lsass.exe" 0e88d215c560501b6a4ba041c0d54635.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\Credentials\\taskhostt.exe" taskhostt.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2132 set thread context of 2804 2132 0e88d215c560501b6a4ba041c0d54635.exe 30 PID 2600 set thread context of 1728 2600 lsass.exe 34 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2132 0e88d215c560501b6a4ba041c0d54635.exe 2596 taskhostt.exe 2596 taskhostt.exe 2628 wmpnetvk.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2132 0e88d215c560501b6a4ba041c0d54635.exe 2600 lsass.exe 2596 taskhostt.exe 2596 taskhostt.exe 2628 wmpnetvk.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2132 0e88d215c560501b6a4ba041c0d54635.exe 2596 taskhostt.exe 2596 taskhostt.exe 2600 lsass.exe 2596 taskhostt.exe 2628 wmpnetvk.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2132 0e88d215c560501b6a4ba041c0d54635.exe 2596 taskhostt.exe 2596 taskhostt.exe 2600 lsass.exe 2596 taskhostt.exe 2628 wmpnetvk.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2132 0e88d215c560501b6a4ba041c0d54635.exe 2596 taskhostt.exe 2600 lsass.exe 2596 taskhostt.exe 2596 taskhostt.exe 2628 wmpnetvk.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe 2132 0e88d215c560501b6a4ba041c0d54635.exe 2596 taskhostt.exe 2596 taskhostt.exe 2600 lsass.exe 2596 taskhostt.exe 2628 wmpnetvk.exe 2596 taskhostt.exe 2596 taskhostt.exe 2596 taskhostt.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2132 0e88d215c560501b6a4ba041c0d54635.exe Token: SeDebugPrivilege 2596 taskhostt.exe Token: SeDebugPrivilege 2628 wmpnetvk.exe Token: SeDebugPrivilege 2600 lsass.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 2132 wrote to memory of 2404 2132 0e88d215c560501b6a4ba041c0d54635.exe 28 PID 2132 wrote to memory of 2404 2132 0e88d215c560501b6a4ba041c0d54635.exe 28 PID 2132 wrote to memory of 2404 2132 0e88d215c560501b6a4ba041c0d54635.exe 28 PID 2132 wrote to memory of 2404 2132 0e88d215c560501b6a4ba041c0d54635.exe 28 PID 2132 wrote to memory of 2804 2132 0e88d215c560501b6a4ba041c0d54635.exe 30 PID 2132 wrote to memory of 2804 2132 0e88d215c560501b6a4ba041c0d54635.exe 30 PID 2132 wrote to memory of 2804 2132 0e88d215c560501b6a4ba041c0d54635.exe 30 PID 2132 wrote to memory of 2804 2132 0e88d215c560501b6a4ba041c0d54635.exe 30 PID 2132 wrote to memory of 2804 2132 0e88d215c560501b6a4ba041c0d54635.exe 30 PID 2132 wrote to memory of 2804 2132 0e88d215c560501b6a4ba041c0d54635.exe 30 PID 2132 wrote to memory of 2804 2132 0e88d215c560501b6a4ba041c0d54635.exe 30 PID 2132 wrote to memory of 2804 2132 0e88d215c560501b6a4ba041c0d54635.exe 30 PID 2132 wrote to memory of 2804 2132 0e88d215c560501b6a4ba041c0d54635.exe 30 PID 2132 wrote to memory of 2596 2132 0e88d215c560501b6a4ba041c0d54635.exe 31 PID 2132 wrote to memory of 2596 2132 0e88d215c560501b6a4ba041c0d54635.exe 31 PID 2132 wrote to memory of 2596 2132 0e88d215c560501b6a4ba041c0d54635.exe 31 PID 2132 wrote to memory of 2596 2132 0e88d215c560501b6a4ba041c0d54635.exe 31 PID 2596 wrote to memory of 2628 2596 taskhostt.exe 32 PID 2596 wrote to memory of 2628 2596 taskhostt.exe 32 PID 2596 wrote to memory of 2628 2596 taskhostt.exe 32 PID 2596 wrote to memory of 2628 2596 taskhostt.exe 32 PID 2628 wrote to memory of 2700 2628 wmpnetvk.exe 33 PID 2628 wrote to memory of 2700 2628 wmpnetvk.exe 33 PID 2628 wrote to memory of 2700 2628 wmpnetvk.exe 33 PID 2628 wrote to memory of 2700 2628 wmpnetvk.exe 33 PID 2804 wrote to memory of 2600 2804 0e88d215c560501b6a4ba041c0d54635.exe 35 PID 2804 wrote to memory of 2600 2804 0e88d215c560501b6a4ba041c0d54635.exe 35 PID 2804 wrote to memory of 2600 2804 0e88d215c560501b6a4ba041c0d54635.exe 35 PID 2804 wrote to memory of 2600 2804 0e88d215c560501b6a4ba041c0d54635.exe 35 PID 2600 wrote to memory of 1728 2600 lsass.exe 34 PID 2600 wrote to memory of 1728 2600 lsass.exe 34 PID 2600 wrote to memory of 1728 2600 lsass.exe 34 PID 2600 wrote to memory of 1728 2600 lsass.exe 34 PID 2600 wrote to memory of 1728 2600 lsass.exe 34 PID 2600 wrote to memory of 1728 2600 lsass.exe 34 PID 2600 wrote to memory of 1728 2600 lsass.exe 34 PID 2600 wrote to memory of 1728 2600 lsass.exe 34 PID 2600 wrote to memory of 1728 2600 lsass.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e88d215c560501b6a4ba041c0d54635.exe"C:\Users\Admin\AppData\Local\Temp\0e88d215c560501b6a4ba041c0d54635.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵PID:2404
-
-
C:\Users\Admin\AppData\Local\Temp\0e88d215c560501b6a4ba041c0d54635.exe0e88d215c560501b6a4ba041c0d54635.exe2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\lsass.exe"C:\Users\Admin\AppData\Local\Temp\lsass.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exewmpnetvk.exe4⤵PID:2700
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\lsass.exelsass.exe1⤵
- Executes dropped EXE
PID:1728
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
118KB
MD50e88d215c560501b6a4ba041c0d54635
SHA195a45dd007e93df49fbb91222476160f526ee12a
SHA2565b1a748fd59c47f872ed89cf33d3c55b61939d1686396458b5cec7a97351255f
SHA512c12471436dd95c894eaf26ce2a943929376c6a5e4ecc75016d3b029bfbc519aec1d1ccf545a205d9a0ea445fa6ccff3ad0b7f0508da557efa182cde6a8d811ea
-
Filesize
9KB
MD5bebc70fd32454c81af2d47e74ec29cc9
SHA16b039556ac4841c5ce3650016bd7a1adb94df2ee
SHA256bb891551f5fb9e76ca1034f7b03f8f4ee2e45ac0583eefd7b9e5b4e3c2fb48db
SHA5127ca06e907aa64bc672334b54259cd13c85a0cde6263bc445b3a9c7d668ddd8d02ed881c799b140b99456b3be38618064bb33474934c7445b1564294014bf5813