b5c7ccd5354e20fa244581b70a679d0a91f08c3634d09b9a8ffbf130258c30b6

Analysis

max time kernel
2s
max time network
27s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 09:07

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

vaultFile7494906008829096493.exe
Size

24.4MB
MD5

316213c6c37cd4a79f7391e228871bad
SHA1

112b5f4812e84cf98f476c041a99d462ec183c8f
SHA256

b5c7ccd5354e20fa244581b70a679d0a91f08c3634d09b9a8ffbf130258c30b6
SHA512

6bf74e2c7541c11de05d256779e7160aab8ea773587dd1e5620ec08268972c2eaf666ba89ff15a9be582268ea4e4116902f1869738057981c1c18ffd0ab6b1f3
SSDEEP

393216:OrohOyMjBoiDBsVz3CSwBLwCt+w+SbGgX2ndHeyDvxkJdydJgFqHJT/dT50HoXJa:co/RCSwBLdtySbG5d+YBdJgwZ/x6Is

Score

10^/10

evasion upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023133-69.dat	upx
behavioral2/memory/4692-70-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral2/memory/4692-126-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4124	sc.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2160	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1984	WMIC.exe
Token: SeSecurityPrivilege	1984	WMIC.exe
Token: SeTakeOwnershipPrivilege	1984	WMIC.exe
Token: SeLoadDriverPrivilege	1984	WMIC.exe
Token: SeSystemProfilePrivilege	1984	WMIC.exe
Token: SeSystemtimePrivilege	1984	WMIC.exe
Token: SeProfSingleProcessPrivilege	1984	WMIC.exe
Token: SeIncBasePriorityPrivilege	1984	WMIC.exe
Token: SeCreatePagefilePrivilege	1984	WMIC.exe
Token: SeBackupPrivilege	1984	WMIC.exe
Token: SeRestorePrivilege	1984	WMIC.exe
Token: SeShutdownPrivilege	1984	WMIC.exe
Token: SeDebugPrivilege	1984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1984	WMIC.exe
Token: SeRemoteShutdownPrivilege	1984	WMIC.exe
Token: SeUndockPrivilege	1984	WMIC.exe
Token: SeManageVolumePrivilege	1984	WMIC.exe
Token: 33	1984	WMIC.exe
Token: 34	1984	WMIC.exe
Token: 35	1984	WMIC.exe
Token: 36	1984	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 832	4052	vaultFile7494906008829096493.exe	90
PID 4052 wrote to memory of 832	4052	vaultFile7494906008829096493.exe	90
PID 832 wrote to memory of 1984	832	cmd.exe	92
PID 832 wrote to memory of 1984	832	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\vaultFile7494906008829096493.exe
"C:\Users\Admin\AppData\Local\Temp\vaultFile7494906008829096493.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\vaultFile7494906008829096493.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\vaultFile7494906008829096493.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- C:\Users\Admin\AppData\Local\Temp\wns70FA.tmp
  windowsnetservicehelpersetup.exe /S
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\net.exe
    "net" stop windowsnetservicehelper.exe
    3⤵
    PID:3320
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop windowsnetservicehelper.exe
      4⤵
      PID:956
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /IM windowsnetservicehelper.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:2160
- - C:\Windows\SysWOW64\sc.exe
    "sc" delete windowsnetservicehelper.exe
    3⤵
    - Launches sc.exe
    PID:4124
- - C:\Program Files (x86)\WindowsNetService\windowsnetservicehelper.exe
    "windowsnetservicehelper.exe" start
    3⤵
    PID:4792
- - C:\Program Files (x86)\WindowsNetService\windowsnetservicehelper.exe
    "windowsnetservicehelper.exe" install
    3⤵
    PID:2932
- C:\Windows\system32\reg.exe
  "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
  2⤵
  PID:876
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
  2⤵
  PID:1020
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
    3⤵
    PID:2884
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
  2⤵
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\files\files.dat
    files.dat -y -pkmsauto
    3⤵
    PID:3240
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over678485\v32.cab') }"
  2⤵
  PID:3476
- C:\Windows\SysWOW64\expand.exe
  "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over678485
  2⤵
  PID:2136
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over678485\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
  2⤵
  PID:2996
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over125479\v32.cab') }"
  2⤵
  PID:4492

C:\Program Files (x86)\WindowsNetService\windowsnetservicehelper.exe
"C:\Program Files (x86)\WindowsNetService\windowsnetservicehelper.exe"
1⤵
PID:4412
- C:\Program Files (x86)\WindowsNetService\node.exe
  "C:\Program Files (x86)\WindowsNetService\node.exe" "C:\Program Files (x86)\WindowsNetService\service.js"
  2⤵
  PID:4692
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:4572

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b1055 /state1:0x41c64e6d
1⤵
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsNetService\node.exe

Filesize
393KB

MD5
190b99c0a797cc6e8948048a0103706f

SHA1
b61776d9037fdd6559f9316d8a742620e93ad67f

SHA256
fac38284287c1713129518801b78e75100a5be9f00f4596bf303f797a81f3034

SHA512
c36296be701cda9fe3267ed8ef930cd85291589240fc40c7d79877dbe9b0b2e353cdda96cb4ef1ad62009bb14634de9f1caaf7bdf2e7552b2ba484ef6be8ec76

Download Submit
C:\Program Files (x86)\WindowsNetService\service.js

Filesize
187KB

MD5
d0ba157ed94ae9af534fb736c1736f21

SHA1
398f9decf25a8b210bd073ad23ced6a4a327607c

SHA256
af02abaf88d6fc700c36128b42593c81711972639ea41e70c49c6894aa746747

SHA512
e657857f425d475a1a5663b25f3b4761696aaa19ef8d614021cde1411d29f8a358beaeb3ed593f695890441e79d62575111078120f4e50cd79151e5e04b79802

Download Submit
C:\Program Files (x86)\WindowsNetService\windowsnetservicehelper.exe

Filesize
118KB

MD5
c48855fe677eb4d5c999c01eccfdb0bc

SHA1
fa5d96cbde348756b0b9b10d5ab139913e636831

SHA256
e721fce186944a3a5c0e822dd4ba71754b217f9cd153707c49d76fcfcb297c06

SHA512
adf3d91c123240b1ffc5eaae9afb4d512d272b1c76f3ac89d2088e30f3f456c46a8141155890097b237e1d6e385514fc1d2d4b9a2c3a78a601dd741cd461877e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
c9df971a2252580fdc4273e36310e8bf

SHA1
9daae28021ac99b17356e163253b1c1baa52909e

SHA256
00c47f0a790cbb386ea3f1e1ae9240c268fdd0ffa147572e580be270715ba808

SHA512
01f61317371cb583bbffe183667457bf182e9e90375a0f46753e9fcec4565956a114ab33905f45f7a40bc20a08a3c524693e1321a25837853cea767610682d72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
32469aebf80a9d63e68d39e2448d835f

SHA1
851d5dc31f85a43784a753e894e61ea987af937a

SHA256
3634d16d1c49d34b3a9255b29ca86962d1ad974b38e5ba435057e6fedb480c42

SHA512
f65b9df3b051068881fb8859a48c70a76a5ceef77f12d993575fcb0a4a5ba487df04eafe00c565339d31a87e6cf0b9ca29d315c49d9cee8cc3ba988ca66888a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xrf3dcnw.nrd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\files.dat

Filesize
765KB

MD5
bb5569b15d68c10b7ff2d96b45825120

SHA1
d6d2ed450aae4552f550f59bffe3dd42d8377835

SHA256
4e3b13b56bec0e41778e6506430282bbbd75ccaa600fd4b645ce37dd95b44c8e

SHA512
640a9ae2d40c272638485d37fad4ed83c9c215ce60a0bd3d50db9f033aa79d4c7fc276d018b05f0b1d8446f5e84a7350c857ee8097c05a472c26bfb446038957

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\files.dat

Filesize
61KB

MD5
8906cdf2bc20787c5904b2414c83d422

SHA1
22ccea23a5b71e152946bd8c875a36f36d6cb761

SHA256
ec5a64fb2aec27a1f98ea6c2b561c9b10c9421dd45aace1c8e6f8627bc0692d5

SHA512
2683eda8ae9e9be8b0c9db2c5bdcd3a91b6e30c3c1ed18e1aaf0f7ff4065dab93e706c55dd108006e5e49933b94ff86442f2b823b6f30ec38ff540e0247dcba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc7292.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\over678485\VersionDescriptor.xml

Filesize
20KB

MD5
36006e23636de936765a998c3926ce94

SHA1
7aea69d5726932dab77202a9f838000619d9c5c6

SHA256
5e8b15b6c7403faf57eecbca1937172f584e9a5ce1e3ef977a755533638562c9

SHA512
129a9663dc7bd56cc2ee3a819fd0f895acec5394c600a4332f1ac9753bedbcea8c760e71636ef709b23baae9dd9bfeac292eca374c5ea3c7a0fcd6f089c5b5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\over678485\v32.cab

Filesize
11KB

MD5
e95f51661259675bedbbf89ac79c2287

SHA1
661d5f4317febd3f861053e35b66d3114ea9b5eb

SHA256
0234f27aa59e3fbd76564156d5c160c6a9dcb9531ce99db9d4a3fa6885445fed

SHA512
89938c8680e89ed23f48eb8f43ce18a871499db51ea69f11dea0e2e76016c4b51dddd39708969bd29de9582def7bce8fdf3236c73c94838b47b26bd581e5e1b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\over678485\v32.txt

Filesize
20KB

MD5
f571b1241a47846353fa8361711141fb

SHA1
a42abb5f24321006f69dd9f26849a50ca0dbd283

SHA256
069daf9a2d18698e33d5f8728036908f9fcce3a22b394a983a31853f99c788d6

SHA512
2294e64d10b123385c8505224edea5e2c75bc6381317065713028728914958e2661dbbfe4524803acef6b55d7d5240ab00c6d78cbb1a7953c617cbf2c81c2494

Download Submit
C:\Users\Admin\AppData\Local\Temp\wns70FA.tmp

Filesize
1.5MB

MD5
217343b45d7f38ff7c5b5f4877591338

SHA1
d09bcf1afb224bd07997df90d5c78416cbca9c21

SHA256
5c9a00a5e046e2156a7268d230af46b6f009959f17ff4b13d45aaa0785028931

SHA512
dbad1ed870dfcedcdc0f24e162cd3db3919009b634b279496814f175982213b42071fdf2d7dbb408eb58af1191460fc5d4bdadbaf6ad0dab0c63f2c8780bb0b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wns70FA.tmp

Filesize
1.4MB

MD5
aadf3767babc3c96f9d2bc6a50b54d45

SHA1
390269d8fc15f1054d29f979fb7cd27e7a937ddc

SHA256
fe6d258bf125ca5dc134cd4e7c667e945fdb8449704fbb17ed8e4f950fb7cca7

SHA512
402fe324101b4e1244becfd5826221dc333da05d72248cc0163ab4b7a0299cd89557ad067fe2dd20c8a8c28c892c5a3748c269ebf07f8ed8ebbc25e84033b94f

Download Submit
memory/2996-102-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/2996-88-0x0000000072760000-0x0000000072F10000-memory.dmp

Filesize
7.7MB

Download
memory/2996-109-0x0000000072760000-0x0000000072F10000-memory.dmp

Filesize
7.7MB

Download
memory/2996-105-0x0000000007E10000-0x00000000083B4000-memory.dmp

Filesize
5.6MB

Download
memory/2996-103-0x0000000006BD0000-0x0000000006C66000-memory.dmp

Filesize
600KB

Download
memory/2996-104-0x0000000006BA0000-0x0000000006BC2000-memory.dmp

Filesize
136KB

Download
memory/2996-101-0x00000000068F0000-0x000000000693C000-memory.dmp

Filesize
304KB

Download
memory/2996-96-0x0000000006010000-0x0000000006364000-memory.dmp

Filesize
3.3MB

Download
memory/2996-89-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/3476-34-0x0000000005490000-0x0000000005AB8000-memory.dmp

Filesize
6.2MB

Download
memory/3476-37-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/3476-35-0x00000000053E0000-0x0000000005402000-memory.dmp

Filesize
136KB

Download
memory/3476-81-0x0000000072700000-0x0000000072EB0000-memory.dmp

Filesize
7.7MB

Download
memory/3476-74-0x0000000007C00000-0x000000000827A000-memory.dmp

Filesize
6.5MB

Download
memory/3476-75-0x00000000068C0000-0x00000000068DA000-memory.dmp

Filesize
104KB

Download
memory/3476-66-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/3476-36-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/3476-33-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/3476-67-0x0000000006400000-0x000000000644C000-memory.dmp

Filesize
304KB

Download
memory/3476-71-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/3476-30-0x0000000002E10000-0x0000000002E46000-memory.dmp

Filesize
216KB

Download
memory/3476-32-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/3476-31-0x0000000072700000-0x0000000072EB0000-memory.dmp

Filesize
7.7MB

Download
memory/3476-54-0x0000000005F80000-0x00000000062D4000-memory.dmp

Filesize
3.3MB

Download
memory/4492-113-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4492-112-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4492-111-0x0000000072760000-0x0000000072F10000-memory.dmp

Filesize
7.7MB

Download
memory/4492-124-0x0000000072760000-0x0000000072F10000-memory.dmp

Filesize
7.7MB

Download
memory/4692-70-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/4692-126-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads