Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-03-2024 06:57
Behavioral task: behavioral1
- Sample: c0233e634e6a0ecf4f4b9052cb6bf93f.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: c0233e634e6a0ecf4f4b9052cb6bf93f.exe
- Resource: win10v2004-20240226-en
General
- Target: c0233e634e6a0ecf4f4b9052cb6bf93f.exe
- Size: 49KB
- MD5: c0233e634e6a0ecf4f4b9052cb6bf93f
- SHA1: 56c71bdb70b18f50f3831d3f259ccbe439a98a9a
- SHA256: eb01c055aee9c10e70cb42894a7c994b4dbe75a549a1827561dd15a6b73ca42e
- SHA512: 4dba079502a950ad84f9b954462e4c35f7dc829dfd5c0225bacd91b522305532c044a7c57a0d481a2d84b8165b0540e7eea8b3e646ed1df3e65c1a430ec106df
- SSDEEP: 1536:U1BskISma8i/K7G/Tl/8+Xx5n942yWYeNzgk:UskLz/R8+qFW5ck
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\msbumj.com" | svchost.exe
- Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | svchost.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\msbumj.com" | svchost.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42AC0312-EE51-A3CC-EA32-40AA12E6115C} | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42AC0312-EE51-A3CC-EA32-40AA12E6115C}\StubPath = "C:\\Windows\\system32\\msnvrc.com" | svchost.exe
Executes dropped EXE (1 IoCs)
pid | Process
- 1552 | svchost.exe
Yara rule matches
resource | yara_rule
- behavioral2/memory/1688-0-0x0000000000400000-0x0000000000429000-memory.dmp | upx
- behavioral2/files/0x00090000000224e9-5.dat | upx
- behavioral2/memory/1688-14-0x0000000000400000-0x0000000000429000-memory.dmp | upx
- behavioral2/memory/1552-25-0x0000000000400000-0x0000000000429000-memory.dmp | upx
- behavioral2/memory/1552-28-0x0000000000400000-0x0000000000429000-memory.dmp | upx
- behavioral2/memory/1552-31-0x0000000000400000-0x0000000000429000-memory.dmp | upx
- behavioral2/memory/1552-33-0x0000000000400000-0x0000000000429000-memory.dmp | upx
- behavioral2/memory/1552-36-0x0000000000400000-0x0000000000429000-memory.dmp | upx
Drops file in System32 directory (5 IoCs)
description | ioc | Process
- File created | C:\Windows\SysWOW64\msnvrc.com | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
- File opened for modification | C:\Windows\SysWOW64\msnvrc.com | svchost.exe
- File created | C:\Windows\SysWOW64\nvrc.blf | svchost.exe
- File opened for modification | C:\Windows\SysWOW64\nvrc.blf | svchost.exe
- File opened for modification | C:\Windows\SysWOW64\msnvrc.com | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
Drops file in Windows directory (8 IoCs)
description | ioc | Process
- File created | C:\Windows\msagent\msbumj.com | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
- File opened for modification | C:\Windows\svchost.exe | svchost.exe
- File created | C:\Windows\svchost.exe | svchost.exe
- File opened for modification | C:\Windows\msagent\msbumj.com | svchost.exe
- File created | C:\Windows\msagent\msbumj.com | svchost.exe
- File opened for modification | C:\Windows\svchost.exe | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
- File created | C:\Windows\svchost.exe | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
- File opened for modification | C:\Windows\msagent\msbumj.com | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | c0233e634e6a0ecf4f4b9052cb6bf93f.exe
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
- 1552 | svchost.exe
Suspicious use of AdjustPrivilegeToken (54 IoCs)
description | pid | Process
PID 1688, c0233e634e6a0ecf4f4b9052cb6bf93f.exe (21 IoCs), Token:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- 33
- 34
- 35
- 36
PID 1552, svchost.exe (33 IoCs), Token:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- 33
- 34
- 35
- 36
- the pair 33 followed by SeIncBasePriorityPrivilege, repeated six times (12 IoCs)
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
- PID 1688 wrote to memory of 1552 | 1688 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe | 89
- PID 1688 wrote to memory of 1552 | 1688 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe | 89
- PID 1688 wrote to memory of 1552 | 1688 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe | 89
- PID 1688 wrote to memory of 4940 | 1688 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe | 90
- PID 1688 wrote to memory of 4940 | 1688 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe | 90
- PID 1688 wrote to memory of 4940 | 1688 | c0233e634e6a0ecf4f4b9052cb6bf93f.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\c0233e634e6a0ecf4f4b9052cb6bf93f.exe (PID 1688)
  command line: "C:\Users\Admin\AppData\Local\Temp\c0233e634e6a0ecf4f4b9052cb6bf93f.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\svchost.exe (PID 1552, child of 1688)
    command line: C:\Windows\svchost.exe
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 4940, child of 1688)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\#3#.bat
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 180B
  MD5: f7650d86abab95b6d3ca38c92b3a0719
  SHA1: 9b4579507e2df2b6c4b9eb57fd9b27bbab2a3960
  SHA256: c219a52ba86eee0e369742dd3f78ddc271e45d1604d644c124833da3bbdd0c2b
  SHA512: 815362ddb7a976889e7b655c6a70eb0e4355d1e96cbd3409b054ac85715e9fe73a341ecf187d7047d62251feecf64529c151f7fb22e37c1f90ef7db6964d3117
- Filesize: 49KB (same hashes as the submitted sample)
  MD5: c0233e634e6a0ecf4f4b9052cb6bf93f
  SHA1: 56c71bdb70b18f50f3831d3f259ccbe439a98a9a
  SHA256: eb01c055aee9c10e70cb42894a7c994b4dbe75a549a1827561dd15a6b73ca42e
  SHA512: 4dba079502a950ad84f9b954462e4c35f7dc829dfd5c0225bacd91b522305532c044a7c57a0d481a2d84b8165b0540e7eea8b3e646ed1df3e65c1a430ec106df