94ed2e768203ca7daafc43a856cff692ab4b78266b60a0bd70d206c9ae59917e

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 06:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2be70f74bd9dc5739d049d15eeb03e1a.exe
Size

18KB
MD5

2be70f74bd9dc5739d049d15eeb03e1a
SHA1

bf73f546ed6d4364c430eb4d0a8ec7556ec33857
SHA256

94ed2e768203ca7daafc43a856cff692ab4b78266b60a0bd70d206c9ae59917e
SHA512

7ddec3d492121131890d29c0b4a6e19a55297867d4c99c387324627bc723deb1713003740d38b925148cb3b12cb639ea4a699d59f85575c6c40332e4f012174e
SSDEEP

384:grJ+ftGb/hq/lNcExd52UXtXNKDZDtIFyu32Tt1bUW:gVWcb/6lNcEZLtX4DZDmT32vUW

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\msosfpids32.sys	2be70f74bd9dc5739d049d15eeb03e1a.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
1536	2be70f74bd9dc5739d049d15eeb03e1a.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msosping00.dll	2be70f74bd9dc5739d049d15eeb03e1a.exe
File opened for modification	C:\Windows\SysWOW64\msosping00.dll	2be70f74bd9dc5739d049d15eeb03e1a.exe
File opened for modification	C:\Windows\SysWOW64\msosping.dat	2be70f74bd9dc5739d049d15eeb03e1a.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	2be70f74bd9dc5739d049d15eeb03e1a.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1536	2be70f74bd9dc5739d049d15eeb03e1a.exe
1536	2be70f74bd9dc5739d049d15eeb03e1a.exe
1536	2be70f74bd9dc5739d049d15eeb03e1a.exe
1536	2be70f74bd9dc5739d049d15eeb03e1a.exe
1536	2be70f74bd9dc5739d049d15eeb03e1a.exe
1536	2be70f74bd9dc5739d049d15eeb03e1a.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 616	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	88
PID 1536 wrote to memory of 676	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	1
PID 1536 wrote to memory of 764	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	2
PID 1536 wrote to memory of 768	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	86
PID 1536 wrote to memory of 788	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	85
PID 1536 wrote to memory of 896	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	84
PID 1536 wrote to memory of 952	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	83
PID 1536 wrote to memory of 384	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	3
PID 1536 wrote to memory of 428	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	82
PID 1536 wrote to memory of 656	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	81
PID 1536 wrote to memory of 1040	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	80
PID 1536 wrote to memory of 1140	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	4
PID 1536 wrote to memory of 1148	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	79
PID 1536 wrote to memory of 1156	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	78
PID 1536 wrote to memory of 1164	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	5
PID 1536 wrote to memory of 1232	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	77
PID 1536 wrote to memory of 1296	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	76
PID 1536 wrote to memory of 1312	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	75
PID 1536 wrote to memory of 1408	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	74
PID 1536 wrote to memory of 1424	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	73
PID 1536 wrote to memory of 1588	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	72
PID 1536 wrote to memory of 1612	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	71
PID 1536 wrote to memory of 1632	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	70
PID 1536 wrote to memory of 1724	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	69
PID 1536 wrote to memory of 1740	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	68
PID 1536 wrote to memory of 1776	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	67
PID 1536 wrote to memory of 1860	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	66
PID 1536 wrote to memory of 1936	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	65
PID 1536 wrote to memory of 1944	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	64
PID 1536 wrote to memory of 1368	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	63
PID 1536 wrote to memory of 1532	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	62
PID 1536 wrote to memory of 1604	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	61
PID 1536 wrote to memory of 2148	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	6
PID 1536 wrote to memory of 2196	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	60
PID 1536 wrote to memory of 2264	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	59
PID 1536 wrote to memory of 2364	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	58
PID 1536 wrote to memory of 2508	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	15
PID 1536 wrote to memory of 2516	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	14
PID 1536 wrote to memory of 2644	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	13
PID 1536 wrote to memory of 2660	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	12
PID 1536 wrote to memory of 2756	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	11
PID 1536 wrote to memory of 2768	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	10
PID 1536 wrote to memory of 2824	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	7
PID 1536 wrote to memory of 2832	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	9
PID 1536 wrote to memory of 2852	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	8
PID 1536 wrote to memory of 2864	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	57
PID 1536 wrote to memory of 3012	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	56
PID 1536 wrote to memory of 3104	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	55
PID 1536 wrote to memory of 3448	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	53
PID 1536 wrote to memory of 3472	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	52
PID 1536 wrote to memory of 3612	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	51
PID 1536 wrote to memory of 3828	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	50
PID 1536 wrote to memory of 3944	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	49
PID 1536 wrote to memory of 4008	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	48
PID 1536 wrote to memory of 3100	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	47
PID 1536 wrote to memory of 3468	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	46
PID 1536 wrote to memory of 4636	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	42
PID 1536 wrote to memory of 4704	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	41
PID 1536 wrote to memory of 4396	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	40
PID 1536 wrote to memory of 1204	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	39
PID 1536 wrote to memory of 2396	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	37
PID 1536 wrote to memory of 4876	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	36
PID 1536 wrote to memory of 2036	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	35
PID 1536 wrote to memory of 2492	1536	2be70f74bd9dc5739d049d15eeb03e1a.exe	34

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:764

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1164

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2148

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2832

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2660

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\2be70f74bd9dc5739d049d15eeb03e1a.exe
"C:\Users\Admin\AppData\Local\Temp\2be70f74bd9dc5739d049d15eeb03e1a.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\2be70f74bd9dc5739d049d15eeb03e1a.exe"
  2⤵
  PID:1108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4432

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:832

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:2572

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1356

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
1⤵
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4436

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3956

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2256

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2492

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4704

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4636

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3468

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3100

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3944

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3472

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:768

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/616-12-0x000000003B570000-0x000000003B571000-memory.dmp

Filesize
4KB

Download
memory/1424-32-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1536-6-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download