a5f75dc3c655807e5405fe51934d17cbcab4580c8b0895acc38e5fb4f9a113c8

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-02-2024 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c4e54d930eee8ff1b8e570cd6f7f38e.exe
Size

29KB
MD5

8c4e54d930eee8ff1b8e570cd6f7f38e
SHA1

bc7e30ea8bb350cb4d828323e8487b5ab4494e18
SHA256

a5f75dc3c655807e5405fe51934d17cbcab4580c8b0895acc38e5fb4f9a113c8
SHA512

67cf1411172a633c7db64c4f91768104c40e1884e3862ace5254c69a24b0a45e19ba8f3b7c8ec1de1ca678b0f4f0e4a47dff4d009066de9520541751e2c80ccb
SSDEEP

768:pooL1v7eL4VBz7Pd0pz1FlERRPMpTF8FTZhYC5ubY6hiBL:h17eL4VBzLS5FlERi24bY6hiBL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3032	svchost32.exe
588	services32.exe

Loads dropped DLL 2 IoCs

pid	Process
576	cmd.exe
3032	svchost32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1496	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2004	powershell.exe
3008	powershell.exe
2736	powershell.exe
1412	powershell.exe
3032	svchost32.exe
2396	powershell.exe
952	powershell.exe
1516	powershell.exe
2508	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	3032	svchost32.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1248	2088	8c4e54d930eee8ff1b8e570cd6f7f38e.exe	29
PID 2088 wrote to memory of 1248	2088	8c4e54d930eee8ff1b8e570cd6f7f38e.exe	29
PID 2088 wrote to memory of 1248	2088	8c4e54d930eee8ff1b8e570cd6f7f38e.exe	29
PID 1248 wrote to memory of 2004	1248	cmd.exe	30
PID 1248 wrote to memory of 2004	1248	cmd.exe	30
PID 1248 wrote to memory of 2004	1248	cmd.exe	30
PID 1248 wrote to memory of 3008	1248	cmd.exe	31
PID 1248 wrote to memory of 3008	1248	cmd.exe	31
PID 1248 wrote to memory of 3008	1248	cmd.exe	31
PID 1248 wrote to memory of 2736	1248	cmd.exe	32
PID 1248 wrote to memory of 2736	1248	cmd.exe	32
PID 1248 wrote to memory of 2736	1248	cmd.exe	32
PID 1248 wrote to memory of 1412	1248	cmd.exe	33
PID 1248 wrote to memory of 1412	1248	cmd.exe	33
PID 1248 wrote to memory of 1412	1248	cmd.exe	33
PID 2088 wrote to memory of 576	2088	8c4e54d930eee8ff1b8e570cd6f7f38e.exe	36
PID 2088 wrote to memory of 576	2088	8c4e54d930eee8ff1b8e570cd6f7f38e.exe	36
PID 2088 wrote to memory of 576	2088	8c4e54d930eee8ff1b8e570cd6f7f38e.exe	36
PID 576 wrote to memory of 3032	576	cmd.exe	38
PID 576 wrote to memory of 3032	576	cmd.exe	38
PID 576 wrote to memory of 3032	576	cmd.exe	38
PID 3032 wrote to memory of 2336	3032	svchost32.exe	40
PID 3032 wrote to memory of 2336	3032	svchost32.exe	40
PID 3032 wrote to memory of 2336	3032	svchost32.exe	40
PID 2336 wrote to memory of 1496	2336	cmd.exe	41
PID 2336 wrote to memory of 1496	2336	cmd.exe	41
PID 2336 wrote to memory of 1496	2336	cmd.exe	41
PID 3032 wrote to memory of 588	3032	svchost32.exe	48
PID 3032 wrote to memory of 588	3032	svchost32.exe	48
PID 3032 wrote to memory of 588	3032	svchost32.exe	48
PID 3032 wrote to memory of 1944	3032	svchost32.exe	42
PID 3032 wrote to memory of 1944	3032	svchost32.exe	42
PID 3032 wrote to memory of 1944	3032	svchost32.exe	42
PID 1944 wrote to memory of 432	1944	cmd.exe	45
PID 1944 wrote to memory of 432	1944	cmd.exe	45
PID 1944 wrote to memory of 432	1944	cmd.exe	45
PID 588 wrote to memory of 708	588	services32.exe	44
PID 588 wrote to memory of 708	588	services32.exe	44
PID 588 wrote to memory of 708	588	services32.exe	44
PID 708 wrote to memory of 2396	708	cmd.exe	47
PID 708 wrote to memory of 2396	708	cmd.exe	47
PID 708 wrote to memory of 2396	708	cmd.exe	47
PID 708 wrote to memory of 952	708	cmd.exe	49
PID 708 wrote to memory of 952	708	cmd.exe	49
PID 708 wrote to memory of 952	708	cmd.exe	49
PID 708 wrote to memory of 1516	708	cmd.exe	50
PID 708 wrote to memory of 1516	708	cmd.exe	50
PID 708 wrote to memory of 1516	708	cmd.exe	50
PID 708 wrote to memory of 2508	708	cmd.exe	51
PID 708 wrote to memory of 2508	708	cmd.exe	51
PID 708 wrote to memory of 2508	708	cmd.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8c4e54d930eee8ff1b8e570cd6f7f38e.exe
"C:\Users\Admin\AppData\Local\Temp\8c4e54d930eee8ff1b8e570cd6f7f38e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\system32\cmd.exe
  "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\8c4e54d930eee8ff1b8e570cd6f7f38e.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
    C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\8c4e54d930eee8ff1b8e570cd6f7f38e.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:1496
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1944
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:432
  - - C:\Windows\system32\services32.exe
      "C:\Windows\system32\services32.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:588

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
1⤵
- Suspicious use of WriteProcessMemory
PID:708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
22KB

MD5
2a47ccad101ae3934d98d238ebd02fdf

SHA1
91ed0d68f043bb254dfcd03a6da628763c585b17

SHA256
7eb6f1250ef138a6d391a162d246303dd215a947ac6fbd952e2b7b8396b0739e

SHA512
23ce36c5285a7be5962430c2ff0d645b544f32db171935f7c83778856acdd04cb6f1d520b238cefbb9e9390447377b809240c9ef8577479e4e98b747039e50b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4faf44f36d3f918ac491b4bb6a65d647

SHA1
e73b01b968449ab51cb244075c4ea5bcbaa17447

SHA256
614f07d968c3ac2130421c8555c7d15e2c61843fb3d05009b23f8afc6a160223

SHA512
49128bdf054b48ede7f52bbcace4b068d5c4de78c1701f21a8453dd703eccc173c166fc5a6da0436ed1ec72c2e6b074c517cb4def3f0ce7d9433f0b0a59f20d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KUUE68B4VSGLM2A9QV2S.temp

Filesize
7KB

MD5
4bd8dab00f3a6c3eba0a681ce8de40c6

SHA1
8a43750b9a31d21afa44150b3abd9cf6f4cdb892

SHA256
31903f4e56380d3e1469978931453ec268566367c90541d189f8eeea1ad0c2cb

SHA512
e5165e1b1b32c4b178599c03106e774c6dfb155382028834e079091ef0eb74457859ea6efa11dec4600c8d715051e56cb97ef47edb1909594847a73b1cb179c2

Download Submit
C:\Windows\System32\services32.exe

Filesize
29KB

MD5
8c4e54d930eee8ff1b8e570cd6f7f38e

SHA1
bc7e30ea8bb350cb4d828323e8487b5ab4494e18

SHA256
a5f75dc3c655807e5405fe51934d17cbcab4580c8b0895acc38e5fb4f9a113c8

SHA512
67cf1411172a633c7db64c4f91768104c40e1884e3862ace5254c69a24b0a45e19ba8f3b7c8ec1de1ca678b0f4f0e4a47dff4d009066de9520541751e2c80ccb

Download Submit
memory/588-70-0x000000013F880000-0x000000013F88C000-memory.dmp

Filesize
48KB

Download
memory/588-73-0x000000001BFB0000-0x000000001C030000-memory.dmp

Filesize
512KB

Download
memory/588-72-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/952-90-0x000007FEF2310000-0x000007FEF2CAD000-memory.dmp

Filesize
9.6MB

Download
memory/952-94-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/952-95-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/952-92-0x000007FEF2310000-0x000007FEF2CAD000-memory.dmp

Filesize
9.6MB

Download
memory/952-91-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/952-93-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/952-96-0x000007FEF2310000-0x000007FEF2CAD000-memory.dmp

Filesize
9.6MB

Download
memory/1412-50-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/1412-49-0x000007FEF2310000-0x000007FEF2CAD000-memory.dmp

Filesize
9.6MB

Download
memory/1412-48-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/1412-54-0x000007FEF2310000-0x000007FEF2CAD000-memory.dmp

Filesize
9.6MB

Download
memory/1412-47-0x000007FEF2310000-0x000007FEF2CAD000-memory.dmp

Filesize
9.6MB

Download
memory/1412-53-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/1412-52-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/1516-103-0x000007FEF2CB0000-0x000007FEF364D000-memory.dmp

Filesize
9.6MB

Download
memory/1516-109-0x000007FEF2CB0000-0x000007FEF364D000-memory.dmp

Filesize
9.6MB

Download
memory/1516-107-0x000007FEF2CB0000-0x000007FEF364D000-memory.dmp

Filesize
9.6MB

Download
memory/1516-108-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1516-106-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1516-104-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1516-105-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2004-15-0x000007FEF2CB0000-0x000007FEF364D000-memory.dmp

Filesize
9.6MB

Download
memory/2004-8-0x000007FEF2CB0000-0x000007FEF364D000-memory.dmp

Filesize
9.6MB

Download
memory/2004-14-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2004-13-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2004-7-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/2004-12-0x000007FEF2CB0000-0x000007FEF364D000-memory.dmp

Filesize
9.6MB

Download
memory/2004-11-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2004-10-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2004-9-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2088-61-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-41-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-0-0x000000013FCF0000-0x000000013FCFC000-memory.dmp

Filesize
48KB

Download
memory/2088-51-0x000000001B3C0000-0x000000001B440000-memory.dmp

Filesize
512KB

Download
memory/2088-2-0x000000001B3C0000-0x000000001B440000-memory.dmp

Filesize
512KB

Download
memory/2088-1-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/2396-83-0x000000000273B000-0x00000000027A2000-memory.dmp

Filesize
412KB

Download
memory/2396-79-0x000007FEF2CB0000-0x000007FEF364D000-memory.dmp

Filesize
9.6MB

Download
memory/2396-80-0x0000000002730000-0x00000000027B0000-memory.dmp

Filesize
512KB

Download
memory/2396-81-0x000007FEF2CB0000-0x000007FEF364D000-memory.dmp

Filesize
9.6MB

Download
memory/2396-82-0x0000000002730000-0x00000000027B0000-memory.dmp

Filesize
512KB

Download
memory/2396-84-0x000007FEF2CB0000-0x000007FEF364D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-37-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2736-34-0x000007FEF2CB0000-0x000007FEF364D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-35-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2736-36-0x000007FEF2CB0000-0x000007FEF364D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-38-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2736-40-0x000007FEF2CB0000-0x000007FEF364D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-39-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/3008-22-0x000007FEF2310000-0x000007FEF2CAD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-28-0x000007FEF2310000-0x000007FEF2CAD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-27-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/3008-25-0x000007FEF2310000-0x000007FEF2CAD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-26-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/3008-24-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/3008-23-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/3008-21-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/3032-60-0x000000013F120000-0x000000013F12A000-memory.dmp

Filesize
40KB

Download
memory/3032-62-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-63-0x000000001B660000-0x000000001B6E0000-memory.dmp

Filesize
512KB

Download
memory/3032-71-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download