Analysis

  • max time kernel
    138s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-01-2024 17:09

General

  • Target

    4ee1fe5a7eae87277c898e6c98757e18.exe

  • Size

    629KB

  • MD5

    4ee1fe5a7eae87277c898e6c98757e18

  • SHA1

    a39f79d4ed22968ff8c447ea31e532b2fac918f6

  • SHA256

    e6fb06214233bf43c1288b9e491753e2382beaaf170dd27e80a20d19f0273add

  • SHA512

    ce8d99b5e32463628a618c47a7871515d3c068c9cc97411c2b98e7d3109973d33af134d6a56a5cc4ae6553aafd2283f14f0bf2bc48f569ef4a4864a3fdbc9c1c

  • SSDEEP

    12288:wMutR5FemXj/0yN2zISiwKJGwjYI+HiF0N76lKdA3sPxDQoa:USYQyAcSbppN76QdA3sPxDQoa

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ee1fe5a7eae87277c898e6c98757e18.exe
    "C:\Users\Admin\AppData\Local\Temp\4ee1fe5a7eae87277c898e6c98757e18.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
      "C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp87F5.tmp.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" /tr "'C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:3068
  • C:\Windows\system32\timeout.exe
    timeout 4
    1⤵
    • Delays execution with timeout.exe
    PID:2744
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {D59492FF-1518-4039-9464-C7413ADCE93D} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
      C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp87F5.tmp.cmd

    Filesize

    258B

    MD5

    a75915b3af534eee2f9528ae3b125239

    SHA1

    09df91252cc0abac622d492133fb67b1d138fdec

    SHA256

    f8811c8d5b59c70bf3438138b1b0ec8396214be3888b4b6122a9f7bc575ef0cd

    SHA512

    a5125249af2da0c235b9de6301be72785a8062f48e7d023d1f8237ef484d56dde36c887680a7e63bca91122fdef0209b1042459ee3ab580b3d1bfca78ceebfc1

  • \Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe

    Filesize

    629KB

    MD5

    4ee1fe5a7eae87277c898e6c98757e18

    SHA1

    a39f79d4ed22968ff8c447ea31e532b2fac918f6

    SHA256

    e6fb06214233bf43c1288b9e491753e2382beaaf170dd27e80a20d19f0273add

    SHA512

    ce8d99b5e32463628a618c47a7871515d3c068c9cc97411c2b98e7d3109973d33af134d6a56a5cc4ae6553aafd2283f14f0bf2bc48f569ef4a4864a3fdbc9c1c

  • memory/2352-11-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

    Filesize

    9.9MB

  • memory/2352-1-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

    Filesize

    9.9MB

  • memory/2352-0-0x000000013FF30000-0x000000013FFD2000-memory.dmp

    Filesize

    648KB

  • memory/2664-20-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

    Filesize

    9.9MB

  • memory/2664-9-0x000000013F3C0000-0x000000013F462000-memory.dmp

    Filesize

    648KB

  • memory/2664-10-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

    Filesize

    9.9MB

  • memory/2932-22-0x000000013FEB0000-0x000000013FF52000-memory.dmp

    Filesize

    648KB

  • memory/2932-23-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

    Filesize

    9.9MB

  • memory/2932-24-0x000000001CD70000-0x000000001CDF0000-memory.dmp

    Filesize

    512KB

  • memory/2932-25-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

    Filesize

    9.9MB

  • memory/2932-26-0x000000001CD70000-0x000000001CDF0000-memory.dmp

    Filesize

    512KB

  • memory/2932-27-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

    Filesize

    9.9MB