7eb4e41316b48a2a5369b208f3fef778c5c21473d0d4e3adc8fd0c987a30fe99

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 21:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a2c3746fd746c89c71ee4b110b529aae.exe
Size

9KB
MD5

a2c3746fd746c89c71ee4b110b529aae
SHA1

28dcba64a4370f686aee3432d3dc98a0e7d163e6
SHA256

7eb4e41316b48a2a5369b208f3fef778c5c21473d0d4e3adc8fd0c987a30fe99
SHA512

f8905298bba32fc543df960090ae395892b987922193103266d8f2d3399b99af16f93804e2d7f3673b450e7913dcef018b140573ef94400247f95972bf8f9331
SSDEEP

192:lPULqR9uAMpun8j26F/clxTeu8qybNhF1zv9QWfKE1YbS/FeDrNLXw3gWw:JzR73n8PFczeu8qybNx+K1YbStenJXwY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	scvhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1840	WScript.exe
1840	WScript.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ds.vbs	a2c3746fd746c89c71ee4b110b529aae.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	a2c3746fd746c89c71ee4b110b529aae.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	a2c3746fd746c89c71ee4b110b529aae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	a2c3746fd746c89c71ee4b110b529aae.exe
Token: SeIncBasePriorityPrivilege	2620	scvhost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1840	2356	a2c3746fd746c89c71ee4b110b529aae.exe	28
PID 2356 wrote to memory of 1840	2356	a2c3746fd746c89c71ee4b110b529aae.exe	28
PID 2356 wrote to memory of 1840	2356	a2c3746fd746c89c71ee4b110b529aae.exe	28
PID 2356 wrote to memory of 1840	2356	a2c3746fd746c89c71ee4b110b529aae.exe	28
PID 2356 wrote to memory of 2780	2356	a2c3746fd746c89c71ee4b110b529aae.exe	29
PID 2356 wrote to memory of 2780	2356	a2c3746fd746c89c71ee4b110b529aae.exe	29
PID 2356 wrote to memory of 2780	2356	a2c3746fd746c89c71ee4b110b529aae.exe	29
PID 2356 wrote to memory of 2780	2356	a2c3746fd746c89c71ee4b110b529aae.exe	29
PID 1840 wrote to memory of 2620	1840	WScript.exe	30
PID 1840 wrote to memory of 2620	1840	WScript.exe	30
PID 1840 wrote to memory of 2620	1840	WScript.exe	30
PID 1840 wrote to memory of 2620	1840	WScript.exe	30
PID 2620 wrote to memory of 2792	2620	scvhost.exe	31
PID 2620 wrote to memory of 2792	2620	scvhost.exe	31
PID 2620 wrote to memory of 2792	2620	scvhost.exe	31
PID 2620 wrote to memory of 2792	2620	scvhost.exe	31

C:\Users\Admin\AppData\Local\Temp\a2c3746fd746c89c71ee4b110b529aae.exe
"C:\Users\Admin\AppData\Local\Temp\a2c3746fd746c89c71ee4b110b529aae.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\system32\ds.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\SysWOW64\scvhost.exe
    "C:\Windows\system32\scvhost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\scvhost.exe > nul
      4⤵
      PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A2C374~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ds.vbs

Filesize
89B

MD5
cef04481aaf3ab3984e8b25acbce9929

SHA1
4c14961342812589da7ed0757177ac12ff58fe66

SHA256
55720b8e9599f53e675865bfed73e7469763d187c8955eb511b6b153dd09b9b0

SHA512
707efa1188cc72ffd71d19459010cb06afe77626026fde13a65af2095fd098895a041797127b173d8b8d9a35b3fee640be9647738e1afeba53ba53006deb696a

Download Submit
C:\Windows\SysWOW64\scvhost.exe

Filesize
9KB

MD5
a2c3746fd746c89c71ee4b110b529aae

SHA1
28dcba64a4370f686aee3432d3dc98a0e7d163e6

SHA256
7eb4e41316b48a2a5369b208f3fef778c5c21473d0d4e3adc8fd0c987a30fe99

SHA512
f8905298bba32fc543df960090ae395892b987922193103266d8f2d3399b99af16f93804e2d7f3673b450e7913dcef018b140573ef94400247f95972bf8f9331

Download Submit
memory/1840-11-0x0000000002E20000-0x0000000002E2B000-memory.dmp

Filesize
44KB

Download
memory/2356-0-0x0000000000400000-0x000000000040A403-memory.dmp

Filesize
41KB

Download
memory/2356-4-0x0000000000400000-0x000000000040A403-memory.dmp

Filesize
41KB

Download
memory/2620-13-0x0000000000400000-0x000000000040A403-memory.dmp

Filesize
41KB

Download
memory/2620-14-0x0000000000400000-0x000000000040A403-memory.dmp

Filesize
41KB

Download