Analysis
- max time kernel: 145s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 11-03-2024 06:57
Behavioral task: behavioral1
- Sample: c0233e634e6a0ecf4f4b9052cb6bf93f.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: c0233e634e6a0ecf4f4b9052cb6bf93f.exe
- Resource: win10v2004-20240226-en
General
- Target: c0233e634e6a0ecf4f4b9052cb6bf93f.exe
- Size: 49KB
- MD5: c0233e634e6a0ecf4f4b9052cb6bf93f
- SHA1: 56c71bdb70b18f50f3831d3f259ccbe439a98a9a
- SHA256: eb01c055aee9c10e70cb42894a7c994b4dbe75a549a1827561dd15a6b73ca42e
- SHA512: 4dba079502a950ad84f9b954462e4c35f7dc829dfd5c0225bacd91b522305532c044a7c57a0d481a2d84b8165b0540e7eea8b3e646ed1df3e65c1a430ec106df
- SSDEEP: 1536:U1BskISma8i/K7G/Tl/8+Xx5n942yWYeNzgk:UskLz/R8+qFW5ck
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\msbumj.com" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\msbumj.com" | svchost.exe
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42AC0312-EE51-A3CC-EA32-40AA12E6115C} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42AC0312-EE51-A3CC-EA32-40AA12E6115C}\StubPath = "C:\\Windows\\system32\\msnvrc.com" | svchost.exe
- Deletes itself (1 IoCs)
  pid | Process
  2632 | cmd.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  3036 | svchost.exe
  resource | yara_rule
  behavioral1/memory/2012-0-0x0000000000400000-0x0000000000429000-memory.dmp | upx
  behavioral1/files/0x000b0000000144e0-5.dat | upx
  behavioral1/memory/3036-24-0x0000000000400000-0x0000000000429000-memory.dmp | upx
  behavioral1/memory/2012-23-0x0000000000400000-0x0000000000429000-memory.dmp | upx
  behavioral1/memory/3036-31-0x0000000000400000-0x0000000000429000-memory.dmp | upx
  behavioral1/memory/3036-33-0x0000000000400000-0x0000000000429000-memory.dmp | upx
  behavioral1/memory/3036-36-0x0000000000400000-0x0000000000429000-memory.dmp | upx
  behavioral1/memory/3036-39-0x0000000000400000-0x0000000000429000-memory.dmp | upx
  behavioral1/memory/3036-42-0x0000000000400000-0x0000000000429000-memory.dmp | upx
- Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\msnvrc.com | svchost.exe
  File created | C:\Windows\SysWOW64\msnvrc.com | svchost.exe
  File created | C:\Windows\SysWOW64\nvrc.blf | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\nvrc.blf | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\msnvrc.com | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  File created | C:\Windows\SysWOW64\msnvrc.com | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
- Drops file in Windows directory (8 IoCs)
  description | ioc | Process
  File created | C:\Windows\msagent\msbumj.com | svchost.exe
  File opened for modification | C:\Windows\svchost.exe | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  File created | C:\Windows\svchost.exe | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  File opened for modification | C:\Windows\msagent\msbumj.com | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  File created | C:\Windows\msagent\msbumj.com | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  File opened for modification | C:\Windows\svchost.exe | svchost.exe
  File created | C:\Windows\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\msagent\msbumj.com | svchost.exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  3036 | svchost.exe
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeSecurityPrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeTakeOwnershipPrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeLoadDriverPrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeSystemProfilePrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeSystemtimePrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeProfSingleProcessPrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeIncBasePriorityPrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeCreatePagefilePrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeBackupPrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeRestorePrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeShutdownPrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeDebugPrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeSystemEnvironmentPrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeRemoteShutdownPrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeUndockPrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeManageVolumePrivilege | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: 33 | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: 34 | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: 35 | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  Token: SeIncreaseQuotaPrivilege | 3036 | svchost.exe
  Token: SeSecurityPrivilege | 3036 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 3036 | svchost.exe
  Token: SeLoadDriverPrivilege | 3036 | svchost.exe
  Token: SeSystemProfilePrivilege | 3036 | svchost.exe
  Token: SeSystemtimePrivilege | 3036 | svchost.exe
  Token: SeProfSingleProcessPrivilege | 3036 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 3036 | svchost.exe
  Token: SeCreatePagefilePrivilege | 3036 | svchost.exe
  Token: SeBackupPrivilege | 3036 | svchost.exe
  Token: SeRestorePrivilege | 3036 | svchost.exe
  Token: SeShutdownPrivilege | 3036 | svchost.exe
  Token: SeDebugPrivilege | 3036 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 3036 | svchost.exe
  Token: SeRemoteShutdownPrivilege | 3036 | svchost.exe
  Token: SeUndockPrivilege | 3036 | svchost.exe
  Token: SeManageVolumePrivilege | 3036 | svchost.exe
  Token: 33 | 3036 | svchost.exe
  Token: 34 | 3036 | svchost.exe
  Token: 35 | 3036 | svchost.exe
  Token: 33 | 3036 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 3036 | svchost.exe
  Token: 33 | 3036 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 3036 | svchost.exe
  Token: 33 | 3036 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 3036 | svchost.exe
  Token: 33 | 3036 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 3036 | svchost.exe
  Token: 33 | 3036 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 3036 | svchost.exe
  Token: 33 | 3036 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 3036 | svchost.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2012 wrote to memory of 3036 | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe | 28
  PID 2012 wrote to memory of 3036 | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe | 28
  PID 2012 wrote to memory of 3036 | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe | 28
  PID 2012 wrote to memory of 3036 | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe | 28
  PID 2012 wrote to memory of 2632 | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe | 29
  PID 2012 wrote to memory of 2632 | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe | 29
  PID 2012 wrote to memory of 2632 | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe | 29
  PID 2012 wrote to memory of 2632 | 2012 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\c0233e634e6a0ecf4f4b9052cb6bf93f.exe
  "C:\Users\Admin\AppData\Local\Temp\c0233e634e6a0ecf4f4b9052cb6bf93f.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2012
  - C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID: 3036
  - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\#3#.bat
    - Deletes itself
    PID: 2632
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 180B
  MD5: f7650d86abab95b6d3ca38c92b3a0719
  SHA1: 9b4579507e2df2b6c4b9eb57fd9b27bbab2a3960
  SHA256: c219a52ba86eee0e369742dd3f78ddc271e45d1604d644c124833da3bbdd0c2b
  SHA512: 815362ddb7a976889e7b655c6a70eb0e4355d1e96cbd3409b054ac85715e9fe73a341ecf187d7047d62251feecf64529c151f7fb22e37c1f90ef7db6964d3117
- Filesize: 49KB
  MD5: c0233e634e6a0ecf4f4b9052cb6bf93f
  SHA1: 56c71bdb70b18f50f3831d3f259ccbe439a98a9a
  SHA256: eb01c055aee9c10e70cb42894a7c994b4dbe75a549a1827561dd15a6b73ca42e
  SHA512: 4dba079502a950ad84f9b954462e4c35f7dc829dfd5c0225bacd91b522305532c044a7c57a0d481a2d84b8165b0540e7eea8b3e646ed1df3e65c1a430ec106df