605b0c05b321ec9ef7c068d2c59bfda325eedc7e07ab149fcb28e7aa9712b13b

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ad92144516618480fb1deeed0fe3cb4.exe
Size

8KB
MD5

9ad92144516618480fb1deeed0fe3cb4
SHA1

65bb4166fb3701804287c53d7b9d4238c38efcd6
SHA256

605b0c05b321ec9ef7c068d2c59bfda325eedc7e07ab149fcb28e7aa9712b13b
SHA512

47601933aa05de85581c00ed6429761e61e8d72a1e7fa5effc07c25c5da903e8e93b794d59e9cfc5b4b5d0cc54e36e94af8673ae3fe5e631e6d630e076ad7b0a
SSDEEP

192:4ykNslHnUh+6qQ0rKt9KZ6YSxDR53ebjslP1oyR1c:LkNslHa+RzwDDR5ubju1v+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1164	chksrv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\office = "c:\\users\\admin\\appdata\\local\\chksrv.exe"	9ad92144516618480fb1deeed0fe3cb4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1464	9ad92144516618480fb1deeed0fe3cb4.exe
1464	9ad92144516618480fb1deeed0fe3cb4.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe
1164	chksrv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1464	9ad92144516618480fb1deeed0fe3cb4.exe
Token: SeDebugPrivilege	1164	chksrv.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1164	1464	9ad92144516618480fb1deeed0fe3cb4.exe	85
PID 1464 wrote to memory of 1164	1464	9ad92144516618480fb1deeed0fe3cb4.exe	85
PID 1464 wrote to memory of 1164	1464	9ad92144516618480fb1deeed0fe3cb4.exe	85
PID 1464 wrote to memory of 2776	1464	9ad92144516618480fb1deeed0fe3cb4.exe	86
PID 1464 wrote to memory of 2776	1464	9ad92144516618480fb1deeed0fe3cb4.exe	86
PID 1464 wrote to memory of 2776	1464	9ad92144516618480fb1deeed0fe3cb4.exe	86

C:\Users\Admin\AppData\Local\Temp\9ad92144516618480fb1deeed0fe3cb4.exe
"C:\Users\Admin\AppData\Local\Temp\9ad92144516618480fb1deeed0fe3cb4.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464
- \??\c:\users\admin\appdata\local\chksrv.exe
  c:\users\admin\appdata\local\chksrv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9AD921~1.EXE > nul
  2⤵
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\chksrv.exe

Filesize
8KB

MD5
9ad92144516618480fb1deeed0fe3cb4

SHA1
65bb4166fb3701804287c53d7b9d4238c38efcd6

SHA256
605b0c05b321ec9ef7c068d2c59bfda325eedc7e07ab149fcb28e7aa9712b13b

SHA512
47601933aa05de85581c00ed6429761e61e8d72a1e7fa5effc07c25c5da903e8e93b794d59e9cfc5b4b5d0cc54e36e94af8673ae3fe5e631e6d630e076ad7b0a

Download Submit