7280cbe62785d90db57507a739c40e8c59338cfacc41f0fd9ab59a22c3626e2a

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 12:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1917d4b438b83b90085be71176355765.exe
Size

181KB
MD5

1917d4b438b83b90085be71176355765
SHA1

e2d842d4473619c9c24d6c24fce77e7dd23c29ef
SHA256

7280cbe62785d90db57507a739c40e8c59338cfacc41f0fd9ab59a22c3626e2a
SHA512

84ce63dc9e58ae67dab5559826347f9ea17b54919374e8346274f6e2f3d4be536fba0764b2beb6186a26bc66e60a4e5a72fab83f06e99c1f7bf10e676c152e11
SSDEEP

3072:mWH1EZmxBXgcqJSpIpOleHFPG1vYhmul6I2IZLMVpZXqBdJPYSwTrvv:/1WmkHT5kvYh3AIZLz3pYSivv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2100	mssrs32.exe
3064	mssrs32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\mssrs32 = "C:\\Windows\\mssrs32.exe"	mssrs32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3024 set thread context of 2852	3024	1917d4b438b83b90085be71176355765.exe	28
PID 2100 set thread context of 3064	2100	mssrs32.exe	29

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\kmssx32.dll	1917d4b438b83b90085be71176355765.exe
File opened for modification	C:\Windows\mssrs32.exe	1917d4b438b83b90085be71176355765.exe
File opened for modification	C:\Windows\KBBA35E28089.log	1917d4b438b83b90085be71176355765.exe
File opened for modification	C:\Windows\kmsjsx32.sys	mssrs32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3064	mssrs32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	mssrs32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3024	1917d4b438b83b90085be71176355765.exe
2852	1917d4b438b83b90085be71176355765.exe
2852	1917d4b438b83b90085be71176355765.exe
2100	mssrs32.exe
3064	mssrs32.exe
3064	mssrs32.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2852	3024	1917d4b438b83b90085be71176355765.exe	28
PID 3024 wrote to memory of 2852	3024	1917d4b438b83b90085be71176355765.exe	28
PID 3024 wrote to memory of 2852	3024	1917d4b438b83b90085be71176355765.exe	28
PID 3024 wrote to memory of 2852	3024	1917d4b438b83b90085be71176355765.exe	28
PID 3024 wrote to memory of 2852	3024	1917d4b438b83b90085be71176355765.exe	28
PID 3024 wrote to memory of 2852	3024	1917d4b438b83b90085be71176355765.exe	28
PID 3024 wrote to memory of 2852	3024	1917d4b438b83b90085be71176355765.exe	28
PID 3024 wrote to memory of 2852	3024	1917d4b438b83b90085be71176355765.exe	28
PID 3024 wrote to memory of 2852	3024	1917d4b438b83b90085be71176355765.exe	28
PID 3024 wrote to memory of 2852	3024	1917d4b438b83b90085be71176355765.exe	28
PID 3024 wrote to memory of 2852	3024	1917d4b438b83b90085be71176355765.exe	28
PID 2852 wrote to memory of 2100	2852	1917d4b438b83b90085be71176355765.exe	30
PID 2852 wrote to memory of 2100	2852	1917d4b438b83b90085be71176355765.exe	30
PID 2852 wrote to memory of 2100	2852	1917d4b438b83b90085be71176355765.exe	30
PID 2852 wrote to memory of 2100	2852	1917d4b438b83b90085be71176355765.exe	30
PID 2852 wrote to memory of 2100	2852	1917d4b438b83b90085be71176355765.exe	30
PID 2852 wrote to memory of 2100	2852	1917d4b438b83b90085be71176355765.exe	30
PID 2852 wrote to memory of 2100	2852	1917d4b438b83b90085be71176355765.exe	30
PID 2100 wrote to memory of 3064	2100	mssrs32.exe	29
PID 2100 wrote to memory of 3064	2100	mssrs32.exe	29
PID 2100 wrote to memory of 3064	2100	mssrs32.exe	29
PID 2100 wrote to memory of 3064	2100	mssrs32.exe	29
PID 2100 wrote to memory of 3064	2100	mssrs32.exe	29
PID 2100 wrote to memory of 3064	2100	mssrs32.exe	29
PID 2100 wrote to memory of 3064	2100	mssrs32.exe	29
PID 2100 wrote to memory of 3064	2100	mssrs32.exe	29
PID 2100 wrote to memory of 3064	2100	mssrs32.exe	29
PID 2100 wrote to memory of 3064	2100	mssrs32.exe	29
PID 2100 wrote to memory of 3064	2100	mssrs32.exe	29

C:\Users\Admin\AppData\Local\Temp\1917d4b438b83b90085be71176355765.exe
"C:\Users\Admin\AppData\Local\Temp\1917d4b438b83b90085be71176355765.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\1917d4b438b83b90085be71176355765.exe
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\mssrs32.exe
    C:\Windows\mssrs32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2100

C:\Windows\mssrs32.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\kmssx32.dll

Filesize
1KB

MD5
8dade0e367df6d87592768481b83d64c

SHA1
48f652e0d8fceefde40ab897f90533e1e2f393ba

SHA256
bcfd6821bc370c0636fbac7a5365334ee64b91929ab72d2964fa9b827f99aebe

SHA512
335bb7fd92b543b3e1e358b8a9bbafa3a665d0450c510561a318ccebeec8de31aac0919405244e09937e4505eee0a98d4a841ba4d83b5f88b9bfec8931ccdd9c

Download Submit
C:\Windows\mssrs32.exe

Filesize
92KB

MD5
9949e68eefb6b051dc64ab7b4086c9a1

SHA1
61a558b551b853c50f837cdad22aa3bc75eb67c8

SHA256
771b908a185149029e47543d9291d8c6040bae0a4fc89ea6280572360e9231b7

SHA512
6106ee238b11b591ce99dcf9a42fdb9edcd6213c475c6b8cc4ed6fed91ee2050c2ec9c37f18fa9ed8b5db0570f4ca4fea793e10f892fed63ce1b7e6fb37bc27a

Download Submit
C:\Windows\mssrs32.exe

Filesize
181KB

MD5
1917d4b438b83b90085be71176355765

SHA1
e2d842d4473619c9c24d6c24fce77e7dd23c29ef

SHA256
7280cbe62785d90db57507a739c40e8c59338cfacc41f0fd9ab59a22c3626e2a

SHA512
84ce63dc9e58ae67dab5559826347f9ea17b54919374e8346274f6e2f3d4be536fba0764b2beb6186a26bc66e60a4e5a72fab83f06e99c1f7bf10e676c152e11

Download Submit
memory/2852-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2852-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2852-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2852-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2852-10-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2852-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2852-15-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2852-39-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3064-45-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads