1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 22:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe
Size

37KB
MD5

c9888d06d21e682ae62498e24880d139
SHA1

1dd9679e1792468116e7da109fdf3a89a4fa1bb2
SHA256

1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55
SHA512

205e2ed37e809bf7e7db818b5f55d99bfcaba55d3875301e5fb77285fb1e1c977b11ddd34358773145add1f405330f3b426b0c8bd0ab64600007e866c0ebc9ce
SSDEEP

768:MetU1hGx8VAXQul37B5t8Rsr55U9EuB6SLFo5:M+uM5iCc9Po4O5

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2204	attrib.exe
2192	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
2696	$77cc.exe

Loads dropped DLL 2 IoCs

pid	Process
2632	cmd.exe
2632	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\cc\\$77cc.exe\""	1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2420	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2352	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2320	1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe
2320	1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe
2320	1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe
2896	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe
Token: SeDebugPrivilege	2696	$77cc.exe
Token: SeDebugPrivilege	2896	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2192	2320	1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe	28
PID 2320 wrote to memory of 2192	2320	1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe	28
PID 2320 wrote to memory of 2192	2320	1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe	28
PID 2320 wrote to memory of 2204	2320	1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe	31
PID 2320 wrote to memory of 2204	2320	1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe	31
PID 2320 wrote to memory of 2204	2320	1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe	31
PID 2320 wrote to memory of 2632	2320	1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe	34
PID 2320 wrote to memory of 2632	2320	1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe	34
PID 2320 wrote to memory of 2632	2320	1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe	34
PID 2632 wrote to memory of 2352	2632	cmd.exe	32
PID 2632 wrote to memory of 2352	2632	cmd.exe	32
PID 2632 wrote to memory of 2352	2632	cmd.exe	32
PID 2632 wrote to memory of 2696	2632	cmd.exe	35
PID 2632 wrote to memory of 2696	2632	cmd.exe	35
PID 2632 wrote to memory of 2696	2632	cmd.exe	35
PID 2696 wrote to memory of 2468	2696	$77cc.exe	36
PID 2696 wrote to memory of 2468	2696	$77cc.exe	36
PID 2696 wrote to memory of 2468	2696	$77cc.exe	36
PID 2696 wrote to memory of 2420	2696	$77cc.exe	38
PID 2696 wrote to memory of 2420	2696	$77cc.exe	38
PID 2696 wrote to memory of 2420	2696	$77cc.exe	38
PID 2696 wrote to memory of 2480	2696	$77cc.exe	40
PID 2696 wrote to memory of 2480	2696	$77cc.exe	40
PID 2696 wrote to memory of 2480	2696	$77cc.exe	40
PID 2696 wrote to memory of 2896	2696	$77cc.exe	42
PID 2696 wrote to memory of 2896	2696	$77cc.exe	42
PID 2696 wrote to memory of 2896	2696	$77cc.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2192	attrib.exe
2204	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe
"C:\Users\Admin\AppData\Local\Temp\1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\cc"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2192
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\cc\$77cc.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2204
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6F47.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Roaming\cc\$77cc.exe
    "C:\Users\Admin\AppData\Roaming\cc\$77cc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /query /TN $77cc.exe
      4⤵
      PID:2468
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77cc.exe" /TR "C:\Users\Admin\AppData\Roaming\cc\$77cc.exe \"\$77cc.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2420
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /query /TN $77cc.exe
      4⤵
      PID:2480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2896

C:\Windows\system32\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6F47.tmp.bat

Filesize
152B

MD5
1df8cc66bd904883fdb4c3d232f8c979

SHA1
3144b66ade2b5359a0e5e1de3c6b7b64e6cbaf0c

SHA256
eaa1b363e116ec6ace23d840bf768a88538ca6498330ddb667a55b50ae846bb0

SHA512
d5aec2fe6ea2c5f4cbb9829c0a485f932a060d1be3577e01bdbeef416cb83571703a245d25baa1be171b6f0e96e0f665b331520d891e2f43e121020af184b6a5

Download Submit
\Users\Admin\AppData\Roaming\cc\$77cc.exe

Filesize
37KB

MD5
c9888d06d21e682ae62498e24880d139

SHA1
1dd9679e1792468116e7da109fdf3a89a4fa1bb2

SHA256
1181cfd2b34e7be8a43ea7335ae541ee72c2fb50ab86c1ca0155864965766a55

SHA512
205e2ed37e809bf7e7db818b5f55d99bfcaba55d3875301e5fb77285fb1e1c977b11ddd34358773145add1f405330f3b426b0c8bd0ab64600007e866c0ebc9ce

Download Submit
memory/2320-1-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2320-2-0x000000001BAB0000-0x000000001BB30000-memory.dmp

Filesize
512KB

Download
memory/2320-3-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2320-13-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2320-0-0x000000013F300000-0x000000013F30C000-memory.dmp

Filesize
48KB

Download
memory/2696-33-0x000007FEF4700000-0x000007FEF50EC000-memory.dmp

Filesize
9.9MB

Download
memory/2696-18-0x000000013F5A0000-0x000000013F5AC000-memory.dmp

Filesize
48KB

Download
memory/2696-19-0x000007FEF4700000-0x000007FEF50EC000-memory.dmp

Filesize
9.9MB

Download
memory/2696-34-0x0000000000660000-0x00000000006E0000-memory.dmp

Filesize
512KB

Download
memory/2896-25-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2896-28-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2896-27-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2896-31-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2896-30-0x0000000002E34000-0x0000000002E37000-memory.dmp

Filesize
12KB

Download
memory/2896-29-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2896-32-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2896-26-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2896-24-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download