a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

max time kernel
142s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
15-01-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

9.4MB
MD5

db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1

2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256

a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512

121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP

98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2560 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

tmp.exe

pid process

2256 tmp.exe
2256 tmp.exe

pid	process
2560	svchost.exe

pid	process
2256	tmp.exe
2256	tmp.exe

Drops file in Windows directory 4 IoCs

Processes:

tmp.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	tmp.exe
File created	C:\Windows\System\svchost.exe	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2500 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.exepowershell.exe

pid process

2808 powershell.exe
2580 powershell.exe
2256 tmp.exe
1076 powershell.exe
364 powershell.exe

pid	process
2500	schtasks.exe

pid	process
2808	powershell.exe
2580	powershell.exe
2256	tmp.exe
1076	powershell.exe
364	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	364	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

tmp.exesvchost.exe

description	pid	process	target process
PID 2256 wrote to memory of 2808	2256	tmp.exe	powershell.exe
PID 2256 wrote to memory of 2808	2256	tmp.exe	powershell.exe
PID 2256 wrote to memory of 2808	2256	tmp.exe	powershell.exe
PID 2256 wrote to memory of 2580	2256	tmp.exe	powershell.exe
PID 2256 wrote to memory of 2580	2256	tmp.exe	powershell.exe
PID 2256 wrote to memory of 2580	2256	tmp.exe	powershell.exe
PID 2256 wrote to memory of 1056	2256	tmp.exe	schtasks.exe
PID 2256 wrote to memory of 1056	2256	tmp.exe	schtasks.exe
PID 2256 wrote to memory of 1056	2256	tmp.exe	schtasks.exe
PID 2256 wrote to memory of 2500	2256	tmp.exe	schtasks.exe
PID 2256 wrote to memory of 2500	2256	tmp.exe	schtasks.exe
PID 2256 wrote to memory of 2500	2256	tmp.exe	schtasks.exe
PID 2256 wrote to memory of 2560	2256	tmp.exe	svchost.exe
PID 2256 wrote to memory of 2560	2256	tmp.exe	svchost.exe
PID 2256 wrote to memory of 2560	2256	tmp.exe	svchost.exe
PID 2560 wrote to memory of 1076	2560	svchost.exe	powershell.exe
PID 2560 wrote to memory of 1076	2560	svchost.exe	powershell.exe
PID 2560 wrote to memory of 1076	2560	svchost.exe	powershell.exe
PID 2560 wrote to memory of 364	2560	svchost.exe	powershell.exe
PID 2560 wrote to memory of 364	2560	svchost.exe	powershell.exe
PID 2560 wrote to memory of 364	2560	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:1056

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:2500

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14ddfffd043535794f4f81e36bcddbc9

SHA1
5c5af5371551bc3ce6ba9f49c4fcf1d7c3f992fe

SHA256
31bcb7d672db1666f959e310a4569106ecf26d4ffa2cf4db016149beb852fd5c

SHA512
f7d78c4e286dad0c4bb154fe4d7e81a3d2d3c840a178de8b446de0959d0847c233ac291fc365ad45a0976a626cbba4bc723075ecd96ebfe6deea428d983e8167

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d9ecfb8ab4274abb6b6832ae6bfbe91

SHA1
649e48356eaf2b5fa1a0210cadcda3e6692c7ec0

SHA256
943f8d22bff27a33454e57fdc1135eef4c37f907a5f2116eb742bfe54d21377d

SHA512
2d7e91523cd4948d1b8fd72e6ec505a8313e744bda7663403a045f10b9c66c8a6c584aa5d5f8f97f16a603936c95cb58295cb846645fc3da269932834095aaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab389F.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar84DE.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a37c0194e93be25a4cc965d8bc70b7d3

SHA1
55024bdecfa01f56680632f41e19f5793bf9af6e

SHA256
fedb2c87fa1f93c121a71767e81c122f08a2b2b5f55558d2872d56ed7b41259b

SHA512
434ef257a1c2a6b52d3a503a7ea8f65cd51f67bf7e2c68eaa0c6c1e6da83e617210b1ec27821864421a150e1a1ed6545e7d6807807b81d770b9c08761eeaaa2a

Download Submit
C:\Windows\system\svchost.exe

Filesize
1.2MB

MD5
af8eb7777d133661610040d8c1497288

SHA1
8e30fc6cbdfd4a0c3fce8f8d4c6619bfb2f707ef

SHA256
4c422e1230675cfbfbac7428d9c49b774036902b84c4eb87dddaab8810dbbf9b

SHA512
013c09255401ff450be0a6c2dd22ee14ec316d0135171ca3e5638692594e311ba65c580e02b9e5b1dd39856e46aba0ff076f6206ba6edb738eac5b147f457afb

Download Submit
C:\Windows\system\svchost.exe

Filesize
512KB

MD5
2fad7dac38eb3677748c38ad6246a2f3

SHA1
0fc48498edbc54cc6bd744b6ed538c6678f22a2e

SHA256
b837d89f88b6d9e1e2f878c11ac398cd5c95923432f3dd802ef099301b530062

SHA512
93e79a3e65d8f03ab6b5f5bb2f2c66391b9892729e30c7a172b780e8a0eb5051d7dc79ec59eba5c6cd25624c6a8f824d54fea87a96099282e8ea20effb1e963c

Download Submit
\Windows\system\svchost.exe

Filesize
128KB

MD5
3ab7cd964b1f3ae6fd3148069df9a548

SHA1
93ce3700f67efe36722975ca2354405fa28d9335

SHA256
2165f89a8d6d4667f46546acbfba82eaa04d75ab3fb92a458a1c594bc8df4fbd

SHA512
7e3c396123a3dbb2147bb042b67a75590d9c28e34329f750ece9a724630256050661e43a90cbc9f776c00ae9d2ed4b325eeab29b709672c8d65631a076f3cd78

Download Submit
\Windows\system\svchost.exe

Filesize
576KB

MD5
60bceee241e3b6c213e7a2446196121d

SHA1
c03527bc4ff459f5c1b351ce1cf6dc6a7d8aca40

SHA256
5a3d7a0733bd08b49b1e61d3c1a2dc77236371cd3e6374712f6ec13de3f0cea0

SHA512
63426e59bc7d8a42c6de232eb7b965ca7b024bcc27ad06a23c5fe06a7d1a49865a96e83c8910f42f618f5f986cdf810f6885279cbd207d3e9dcb29c10e6c7b35

Download Submit
memory/364-59-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/364-60-0x000007FEF4B10000-0x000007FEF54AD000-memory.dmp

Filesize
9.6MB

Download
memory/364-66-0x000007FEF4B10000-0x000007FEF54AD000-memory.dmp

Filesize
9.6MB

Download
memory/364-64-0x000007FEF4B10000-0x000007FEF54AD000-memory.dmp

Filesize
9.6MB

Download
memory/364-63-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/364-62-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/364-61-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/1076-49-0x000007FEF4B10000-0x000007FEF54AD000-memory.dmp

Filesize
9.6MB

Download
memory/1076-47-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/1076-67-0x000007FEF4B10000-0x000007FEF54AD000-memory.dmp

Filesize
9.6MB

Download
memory/1076-65-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/1076-54-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/1076-53-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/1076-52-0x000007FEF4B10000-0x000007FEF54AD000-memory.dmp

Filesize
9.6MB

Download
memory/1076-50-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/1076-48-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2256-40-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2256-3-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2256-2-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2256-1-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2256-38-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2256-4-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2256-0-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2560-68-0x0000000180000000-0x000000018070E000-memory.dmp

Filesize
7.1MB

Download
memory/2560-41-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2580-14-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/2580-23-0x000000000285B000-0x00000000028C2000-memory.dmp

Filesize
412KB

Download
memory/2580-22-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2580-20-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2580-21-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-15-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2808-17-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2808-26-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-19-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2808-25-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2808-16-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-18-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-24-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download