Analysis

max time kernel: 138s
max time network: 138s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 09-01-2024 17:09
Static task: static1

Behavioral task: behavioral1
Sample: 4ee1fe5a7eae87277c898e6c98757e18.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 4ee1fe5a7eae87277c898e6c98757e18.exe
Resource: win10v2004-20231222-en
General

Target: 4ee1fe5a7eae87277c898e6c98757e18.exe
Size: 629KB
MD5: 4ee1fe5a7eae87277c898e6c98757e18
SHA1: a39f79d4ed22968ff8c447ea31e532b2fac918f6
SHA256: e6fb06214233bf43c1288b9e491753e2382beaaf170dd27e80a20d19f0273add
SHA512: ce8d99b5e32463628a618c47a7871515d3c068c9cc97411c2b98e7d3109973d33af134d6a56a5cc4ae6553aafd2283f14f0bf2bc48f569ef4a4864a3fdbc9c1c
SSDEEP: 12288:wMutR5FemXj/0yN2zISiwKJGwjYI+HiF0N76lKdA3sPxDQoa:USYQyAcSbppN76QdA3sPxDQoa
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes: pid 2664 MicrosoftApi.exe; pid 2932 MicrosoftApi.exe

Loads dropped DLL (1 IoC)
Processes: pid 2352 4ee1fe5a7eae87277c898e6c98757e18.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
Processes: pid 2744 timeout.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: pid 2932 MicrosoftApi.exe (64 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: pid 2932 MicrosoftApi.exe, Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (writer pid / process -> target pid / target process):
PID 2352 4ee1fe5a7eae87277c898e6c98757e18.exe wrote to memory of 2664 MicrosoftApi.exe (3 entries)
PID 2664 MicrosoftApi.exe wrote to memory of 2480 cmd.exe (3 entries)
PID 2480 cmd.exe wrote to memory of 2744 timeout.exe (3 entries)
PID 2480 cmd.exe wrote to memory of 3068 schtasks.exe (3 entries)
PID 2516 taskeng.exe wrote to memory of 2932 MicrosoftApi.exe (3 entries)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
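The WriteProcessMemory entries double as a process-creation record: a parent writing into a freshly created child is the normal CreateProcess pattern, which is why every child in this report appears exactly three times with the same writer. The script below is an added example, not part of the sandbox report; it takes the fifteen rows above as constructed input, reconstructs the parent-child chain, treats any later writer into an already-claimed pid as a possible injection, and reports which processes descend from taskeng.exe (the Windows 7 task host). Note that it places timeout.exe (PID 2744) under cmd.exe (PID 2480), whereas the rendered process tree lists timeout.exe at top level.

```python
import re
from collections import defaultdict

# Constructed input: the 15 "wrote to memory" rows from this report's
# "Suspicious use of WriteProcessMemory" signature, one row per line.
WPM_LOG = """\
PID 2352 wrote to memory of 2664 2352 4ee1fe5a7eae87277c898e6c98757e18.exe MicrosoftApi.exe
PID 2352 wrote to memory of 2664 2352 4ee1fe5a7eae87277c898e6c98757e18.exe MicrosoftApi.exe
PID 2352 wrote to memory of 2664 2352 4ee1fe5a7eae87277c898e6c98757e18.exe MicrosoftApi.exe
PID 2664 wrote to memory of 2480 2664 MicrosoftApi.exe cmd.exe
PID 2664 wrote to memory of 2480 2664 MicrosoftApi.exe cmd.exe
PID 2664 wrote to memory of 2480 2664 MicrosoftApi.exe cmd.exe
PID 2480 wrote to memory of 2744 2480 cmd.exe timeout.exe
PID 2480 wrote to memory of 2744 2480 cmd.exe timeout.exe
PID 2480 wrote to memory of 2744 2480 cmd.exe timeout.exe
PID 2480 wrote to memory of 3068 2480 cmd.exe schtasks.exe
PID 2480 wrote to memory of 3068 2480 cmd.exe schtasks.exe
PID 2480 wrote to memory of 3068 2480 cmd.exe schtasks.exe
PID 2516 wrote to memory of 2932 2516 taskeng.exe MicrosoftApi.exe
PID 2516 wrote to memory of 2932 2516 taskeng.exe MicrosoftApi.exe
PID 2516 wrote to memory of 2932 2516 taskeng.exe MicrosoftApi.exe
"""

# description, pid, process, target process (the report's four columns)
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


def parse_wpm(text):
    """One (writer_pid, writer_name, target_pid, target_name) tuple per row."""
    rows = []
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            src, dst, _, src_name, dst_name = m.groups()
            rows.append((int(src), src_name, int(dst), dst_name))
    return rows


def build_tree(rows):
    """Map each target pid to its first writer (taken as the parent) and collect names.

    A second, different writer into the same pid is not process creation; it
    is recorded as a possible cross-process injection instead.
    """
    parent, names, injections = {}, {}, []
    for src, src_name, dst, dst_name in rows:
        names.setdefault(src, src_name)
        names.setdefault(dst, dst_name)
        if dst not in parent:
            parent[dst] = src
        elif parent[dst] != src:
            injections.append((src, dst))
    return parent, names, injections


def lineage(parent, pid):
    """Root-to-pid chain, e.g. [2352, 2664, 2480, 3068] for schtasks.exe."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def roots(parent, names):
    """Pids nobody wrote into: the sample itself and the task host."""
    return sorted(p for p in names if p not in parent)


def launched_by_task_scheduler(parent, names, pid):
    """True when an ancestor is taskeng.exe, i.e. the process came from a scheduled task."""
    return any(names[p].lower() == "taskeng.exe" for p in lineage(parent, pid)[:-1])


def render(parent, names):
    """Indented tree, two spaces per level, children in pid order."""
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{names[pid]} (PID {pid})")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for r in roots(parent, names):
        walk(r, 0)
    return "\n".join(out)


if __name__ == "__main__":
    rows = parse_wpm(WPM_LOG)
    parent, names, injections = build_tree(rows)
    print(render(parent, names))
    print("possible injections:", injections)
```

Run as a script it prints the two trees rooted at PID 2352 (the sample) and PID 2516 (taskeng.exe), with an empty injection list: every writer in this report is the child's parent.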
Processes

C:\Users\Admin\AppData\Local\Temp\4ee1fe5a7eae87277c898e6c98757e18.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ee1fe5a7eae87277c898e6c98757e18.exe"
  PID: 2352
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
    Command line: "C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe"
    PID: 2664
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp87F5.tmp.cmd""
      PID: 2480
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\schtasks.exe
        Command line: schtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" /tr "'C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe"'
        PID: 3068
        - Creates scheduled task(s)

C:\Windows\system32\timeout.exe
  Command line: timeout 4
  PID: 2744
  - Delays execution with timeout.exe

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {D59492FF-1518-4039-9464-C7413ADCE93D} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
  PID: 2516
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
    Command line: C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
    PID: 2932
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
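The persistence step in the tree is a single schtasks.exe line: a task named "MicrosoftApi" that re-launches the dropped binary every minute. The script below is an added worked triage of that line, not code from the report: it tokenizes the command line the way a double-quote-aware Windows parser sees it, derives the run period from /sc and /mo, and applies a few heuristic rules of mine (the rules, the benign comparison command line and the "dropped file" cross-check are assumptions, not sandbox output). The odd quoting of the /tr value, "'...'" exactly as recorded, survives tokenization as a single-quoted token and is stripped afterwards.

```python
import re

# Constructed input: the schtasks.exe command line recorded for PID 3068 in
# this report, and the path the sample dropped under AppData\Roaming (PID 2664).
SCHTASKS_CMDLINE = (
    'schtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" '
    '/tr "\'C:\\Users\\Admin\\AppData\\Roaming\\ServiceApi\\MicrosoftApi.exe"\''
)
DROPPED_EXES = {r"C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe"}

# Constructed benign comparison: a daily job for a vendor binary under Program Files.
BENIGN_CMDLINE = (
    'schtasks.exe /create /sc DAILY /st 03:00 /tn "NightlyBackup" '
    '/tr "C:\\Program Files\\Acme\\backup.exe"'
)

# schtasks switches that consume the following token as their value
VALUE_SWITCHES = {"sc", "mo", "tn", "tr", "st", "sd", "ed", "et", "ru", "rp",
                  "ri", "du", "d", "m", "i", "s", "u", "p", "rl"}

SECONDS = {"minute": 60, "hourly": 3600, "daily": 86400, "weekly": 604800}


def tokenize(cmdline):
    """Split on whitespace outside double quotes and drop the double quotes.

    Single quotes are not quoting characters to schtasks, so the sample's
    "'...'" action survives as one token wrapped in single quotes.
    """
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks(cmdline):
    """Return {switch: value or True} for a schtasks.exe command line."""
    tokens = tokenize(cmdline)
    opts, i = {}, 1  # skip the image name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if key in VALUE_SWITCHES and i + 1 < len(tokens):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def interval_seconds(opts):
    """Run period implied by /sc and /mo, or None for event-driven schedules."""
    unit = SECONDS.get(str(opts.get("sc", "")).lower())
    if unit is None:
        return None
    try:
        return unit * int(opts.get("mo", 1))
    except ValueError:
        return None


def assess(cmdline, dropped_exes=frozenset()):
    """Heuristic persistence triage for a task-creation command (hypothetical rules)."""
    opts = parse_schtasks(cmdline)
    action = str(opts.get("tr", "")).strip("'")
    period = interval_seconds(opts)
    name = str(opts.get("tn", ""))
    findings = []
    if "f" in opts:
        findings.append("/f: silently overwrites an existing task of the same name")
    if period is not None and period <= 300:
        findings.append(f"re-runs every {period}s: a relaunch loop rather than a real schedule")
    if re.search(r"\\appdata\\", action, re.IGNORECASE):
        findings.append("action lives under the user profile (AppData), a user-writable path")
    if action in dropped_exes:
        findings.append("action is a file the sample itself dropped")
    if "microsoft" in name.lower() and not re.match(r"(?i)[a-z]:\\(windows|program files)", action):
        findings.append("Microsoft-sounding task name for a binary outside Windows/Program Files")
    return {"task": name, "action": action, "period_seconds": period, "findings": findings}


if __name__ == "__main__":
    for line in (SCHTASKS_CMDLINE, BENIGN_CMDLINE):
        print(assess(line, DROPPED_EXES))
```

For the report's command line every rule fires (five findings, period 60 s, action equal to the dropped path); the benign daily job produces none. The same tokenizer and rules can be run over Security event 4698 or Sysmon process-creation logs where the schtasks.exe command line is available.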
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 258B
MD5: a75915b3af534eee2f9528ae3b125239
SHA1: 09df91252cc0abac622d492133fb67b1d138fdec
SHA256: f8811c8d5b59c70bf3438138b1b0ec8396214be3888b4b6122a9f7bc575ef0cd
SHA512: a5125249af2da0c235b9de6301be72785a8062f48e7d023d1f8237ef484d56dde36c887680a7e63bca91122fdef0209b1042459ee3ab580b3d1bfca78ceebfc1

Filesize: 629KB
MD5: 4ee1fe5a7eae87277c898e6c98757e18
SHA1: a39f79d4ed22968ff8c447ea31e532b2fac918f6
SHA256: e6fb06214233bf43c1288b9e491753e2382beaaf170dd27e80a20d19f0273add
SHA512: ce8d99b5e32463628a618c47a7871515d3c068c9cc97411c2b98e7d3109973d33af134d6a56a5cc4ae6553aafd2283f14f0bf2bc48f569ef4a4864a3fdbc9c1c