5a236c258c34a031cdfeff9821f4d8c706ea1cacf70fe7dd4f06dcf7c13725da

Analysis

max time kernel
148s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-01-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

592a8906d5d2f9f400c7bdacda767f99.exe
Size

164KB
MD5

592a8906d5d2f9f400c7bdacda767f99
SHA1

dc0ffc1b4fea0af06950e96fc7d4918c2141fb47
SHA256

5a236c258c34a031cdfeff9821f4d8c706ea1cacf70fe7dd4f06dcf7c13725da
SHA512

9379cd9e312afddf1b5b10947c92f2bfcbd936b4481885f64902ab9dcc3c45953c65b45f09d5c07640a6ea6991271d62c315d9d4e116ac0159ec580cec685e8a
SSDEEP

3072:98YFaqe9ZjBozEV+Rvq/nFBi14WOZJRHQCiTD8ukT1pB:9BEL9ZFooVcvS7iSpZ3H6D8ukT

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2792	svchest131640.exe

Loads dropped DLL 4 IoCs

pid	Process
2220	592a8906d5d2f9f400c7bdacda767f99.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\:\Program Files\Common Files\svchest131640.exe = "C:\\Program Files\\Common Files\\svchest131640.exe"	592a8906d5d2f9f400c7bdacda767f99.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\svchest.exe	svchest131640.exe
File created	C:\Program Files\Common Files\svchest131640.exe	592a8906d5d2f9f400c7bdacda767f99.exe
File opened for modification	C:\Program Files\Common Files\svchest131640.exe	592a8906d5d2f9f400c7bdacda767f99.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2084	taskkill.exe
2740	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe
2792	svchest131640.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2084	2220	592a8906d5d2f9f400c7bdacda767f99.exe	28
PID 2220 wrote to memory of 2084	2220	592a8906d5d2f9f400c7bdacda767f99.exe	28
PID 2220 wrote to memory of 2084	2220	592a8906d5d2f9f400c7bdacda767f99.exe	28
PID 2220 wrote to memory of 2084	2220	592a8906d5d2f9f400c7bdacda767f99.exe	28
PID 2220 wrote to memory of 2084	2220	592a8906d5d2f9f400c7bdacda767f99.exe	28
PID 2220 wrote to memory of 2084	2220	592a8906d5d2f9f400c7bdacda767f99.exe	28
PID 2220 wrote to memory of 2084	2220	592a8906d5d2f9f400c7bdacda767f99.exe	28
PID 2220 wrote to memory of 2792	2220	592a8906d5d2f9f400c7bdacda767f99.exe	31
PID 2220 wrote to memory of 2792	2220	592a8906d5d2f9f400c7bdacda767f99.exe	31
PID 2220 wrote to memory of 2792	2220	592a8906d5d2f9f400c7bdacda767f99.exe	31
PID 2220 wrote to memory of 2792	2220	592a8906d5d2f9f400c7bdacda767f99.exe	31
PID 2220 wrote to memory of 2792	2220	592a8906d5d2f9f400c7bdacda767f99.exe	31
PID 2220 wrote to memory of 2792	2220	592a8906d5d2f9f400c7bdacda767f99.exe	31
PID 2220 wrote to memory of 2792	2220	592a8906d5d2f9f400c7bdacda767f99.exe	31
PID 2792 wrote to memory of 2740	2792	svchest131640.exe	32
PID 2792 wrote to memory of 2740	2792	svchest131640.exe	32
PID 2792 wrote to memory of 2740	2792	svchest131640.exe	32
PID 2792 wrote to memory of 2740	2792	svchest131640.exe	32
PID 2792 wrote to memory of 2740	2792	svchest131640.exe	32
PID 2792 wrote to memory of 2740	2792	svchest131640.exe	32
PID 2792 wrote to memory of 2740	2792	svchest131640.exe	32

C:\Users\Admin\AppData\Local\Temp\592a8906d5d2f9f400c7bdacda767f99.exe
"C:\Users\Admin\AppData\Local\Temp\592a8906d5d2f9f400c7bdacda767f99.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Ksafetray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Program Files\Common Files\svchest131640.exe
  "C:\Program Files\Common Files\svchest131640.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ksafetray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\svchest131640.exe

Filesize
5.1MB

MD5
85d580d4caadc73dac91799f58e8cd72

SHA1
cbf69876e44fa104a3f64fe84cb1c06c7246132b

SHA256
69ca904ccb5195f6fc164586b5d7f42904a09f9361b0d896238f22db7bfdc0f7

SHA512
797450c4bfffad1a83c07a530abfd152ec5a628ce60bbca1dccb2519c12326966cec45f247572f3b1b6a984ea98c006f6cd92b3e2dc413a31e4e299eed8ba8ab

Download Submit
C:\Program Files\Common Files\svchest131640.exe

Filesize
2.9MB

MD5
6ac58320469d34bfb96106ec94d77c16

SHA1
28960bae48799beb6ba5f775e8fe1ac645214973

SHA256
554bd674e04501655302044b47b6ce6ab8d4a938da4bc453bb251814665f9987

SHA512
9e2868985e51c518ca4fb2b53b72415360427b9cc2fd3eb00a6e939a526b43246cbb3ed7099060a00e5107c0b484f85f4f8cbf864d816455ac3305a12a034539

Download Submit
C:\Program Files\svchest.exe

Filesize
122B

MD5
b646f10c05963261fddf00b98fc8ff15

SHA1
2b1470d55bd9977a1dc8cbb590ec89f96f1f0b2a

SHA256
ee1c772b65715554aafbf4d74a84046d786916677cb2223211a20c2aeff9c8ec

SHA512
810e8fcd9e3c16c0b16cf88dec0dfb661013fa4efbddae90fb6f72bd0e1e209c112db1fcccf1a62a399209edb89ea57a3730b57c9d0364be5cd62ad68bd4185c

Download Submit
\Program Files\Common Files\svchest131640.exe

Filesize
3.2MB

MD5
9d7c34ea9219e969e812037d4ea62575

SHA1
85ca6ad9cc8f4e67196e9c1acf5e883a7ba9c11a

SHA256
a4ca0d50e18286eada5a5eed20f08b4368091357a921df3e7881f9dcdadc5311

SHA512
6acabdf35bd033c5aad5c3606773d065b0a9cfdf05e4a17f8da39605ba1d86dc3c8496ca403b0de563a1601a1078bc73b9ccf65aec804a89e671934bed70e29a

Download Submit
\Program Files\Common Files\svchest131640.exe

Filesize
4.7MB

MD5
634d1f567ec0a98b5be692f52c5d48cd

SHA1
8942202e3e41686a5b64d90ac9656f034468b6bc

SHA256
c343b274a7bf759115f413e5452a43f1c1cce2e0e31e1c7027242e613059bdcb

SHA512
e2f7773c92954ca088f789e608ee684ebd659762b3b93b49472d3ea5bc79d32635e5257f3d928fea46cdf1d0a63528247370ba4bc6ac31757c8b84b017133213

Download Submit
\Program Files\Common Files\svchest131640.exe

Filesize
4.0MB

MD5
ca22f2f46d73d093f8326044e174df1a

SHA1
db07d2f319cb1e24cf56579c629dbc418ff59b67

SHA256
c0f3b6e16cfa11ae4f270026c2eddccd96a0664399d60b1b37c2f33a00fa9d0c

SHA512
caa7dde9f24ea23269e67c5fb7ee7db96d0159a120bcc2f1e8795dbb39ea45629cf3eeb7e7d801a20a887f2753e41f5f7c886db1d6d1eb5c2c4c42ea9833e5a9

Download Submit
\Program Files\Common Files\svchest131640.exe

Filesize
3.7MB

MD5
6117e4441952a20ad804abfbf036d11a

SHA1
0554ad4594b2ae5a9b302cce2394c29b7a559722

SHA256
e55407a00a7dab604b47b842bc068099c2ad3a366f518119ab96bc3e9831fac4

SHA512
a54608d5ab7af5caa63e0ab665a8dd1087605a917b7a23a101a48ccb5bff8fa1708e98fa728594c32c93663dad15b5bc086d8e1939a0d49ce2fbd0282e0657fe

Download Submit