7e1b1a98535b39e1caa98fdd37f3467c2b583a0b0fbdd847695f6c3facfe2f76

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19ae613b9e3d64d94ebf414265390ca6.exe
Size

26KB
MD5

19ae613b9e3d64d94ebf414265390ca6
SHA1

0a150b8c32217232c860d1b464cca4f1f70d7053
SHA256

7e1b1a98535b39e1caa98fdd37f3467c2b583a0b0fbdd847695f6c3facfe2f76
SHA512

dc18c690603451601dfbc5862805ad802aa0c69b58fd4e6ff87ec97502c0f27cd3645268739d984ab2c11ef21082331f8cf35a8d249797bd2f1999900bcdd2f1
SSDEEP

384:kyZQ8JO4NtuCH1jYLdS2llWo9MuE2TX5HhfUzYJYHMbn/w7xC03ioucE8vQeHnR5:tZ5O4NXYLdSm9KgHhfW2YuYdz4coex5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2280	cmd.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msport.dll	19ae613b9e3d64d94ebf414265390ca6.exe
File created	C:\Windows\SysWOW64\wscsv.dll	19ae613b9e3d64d94ebf414265390ca6.exe
File created	C:\Windows\SysWOW64\wtrmm.dll	19ae613b9e3d64d94ebf414265390ca6.exe
File created	C:\Windows\SysWOW64\$$tmp.bat	19ae613b9e3d64d94ebf414265390ca6.exe
File opened for modification	C:\Windows\SysWOW64\until.ttc	19ae613b9e3d64d94ebf414265390ca6.exe
File created	C:\Windows\SysWOW64\msacn.dll	19ae613b9e3d64d94ebf414265390ca6.exe
File opened for modification	C:\Windows\SysWOW64\msacn.dll	19ae613b9e3d64d94ebf414265390ca6.exe
File created	C:\Windows\SysWOW64\fksdy.dll	19ae613b9e3d64d94ebf414265390ca6.exe
File created	C:\Windows\SysWOW64\wgptl.dll	19ae613b9e3d64d94ebf414265390ca6.exe
File created	C:\Windows\SysWOW64\hreax.dll	19ae613b9e3d64d94ebf414265390ca6.exe
File created	C:\Windows\SysWOW64\wfdrd.dll	19ae613b9e3d64d94ebf414265390ca6.exe
File created	C:\Windows\SysWOW64\tmpFile	19ae613b9e3d64d94ebf414265390ca6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}\InProcServer32\ThreadingModel = "Apartment"	19ae613b9e3d64d94ebf414265390ca6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}	19ae613b9e3d64d94ebf414265390ca6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}\ = "Microsoft Data Tools Query Designe"	19ae613b9e3d64d94ebf414265390ca6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}\InProcServer32	19ae613b9e3d64d94ebf414265390ca6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}\InProcServer32\ = "C:\\Windows\\SysWow64\\msacn.dll"	19ae613b9e3d64d94ebf414265390ca6.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	1720	19ae613b9e3d64d94ebf414265390ca6.exe
Token: SeRestorePrivilege	1720	19ae613b9e3d64d94ebf414265390ca6.exe
Token: SeBackupPrivilege	1720	19ae613b9e3d64d94ebf414265390ca6.exe
Token: SeRestorePrivilege	1720	19ae613b9e3d64d94ebf414265390ca6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2280	1720	19ae613b9e3d64d94ebf414265390ca6.exe	16
PID 1720 wrote to memory of 2280	1720	19ae613b9e3d64d94ebf414265390ca6.exe	16
PID 1720 wrote to memory of 2280	1720	19ae613b9e3d64d94ebf414265390ca6.exe	16
PID 1720 wrote to memory of 2280	1720	19ae613b9e3d64d94ebf414265390ca6.exe	16

C:\Users\Admin\AppData\Local\Temp\19ae613b9e3d64d94ebf414265390ca6.exe
"C:\Users\Admin\AppData\Local\Temp\19ae613b9e3d64d94ebf414265390ca6.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\system32\$$tmp.bat" "
  2⤵
  - Deletes itself
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\$$tmp.bat

Filesize
222B

MD5
e5894760ddf9d441859c8794eb038645

SHA1
087f10d361922e09c883c71069679563df6942fb

SHA256
f0604c72561c6c21922969ae7942d419ab3776a6c7021d15c55c331220016c99

SHA512
02e84ce74ad2b3c9411ba18b176dcfb8d3deef9b7547a22e8361d59566f474a5c3f0437284a6f8774a6521fac8128c69ec517dd3189cf5f6b60e0ba5fe7ae698

Download Submit
C:\Windows\SysWOW64\until.ttc

Filesize
18KB

MD5
5c31a15854535968293f49ad7107baeb

SHA1
a3971ef667bd81ec9d75c4054fd49c5ba9da3e4d

SHA256
7d2c558b6f69f62888ce08ed769a79595f5eca35d39247bef1a1ab94ed2a48d1

SHA512
6119fddc515fd24c1b7582152bfa6f3e76ac137a2d43d2d148b9a3b5aeab737be5404c7e193dcb7aac9838af3890334a3da730c55b05d8b07a481d8a1b7c2e90

Download Submit
memory/1720-27-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1720-18-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download