233b039e7b03d81301f55db1903cf44e818d3373cb1e5626da9dc6e5e73f1a55

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

233b039e7b03d81301f55db1903cf44e818d3373cb1e5626da9dc6e5e73f1a55.exe
Size

230KB
MD5

e1f647d2b2b580a23208dc5d000195d1
SHA1

1e99f048da89b9bcb01d55042a51289ba701f3e4
SHA256

233b039e7b03d81301f55db1903cf44e818d3373cb1e5626da9dc6e5e73f1a55
SHA512

4a197002bcaa8398988e971267c6a762a15f00f2987885f0924b004962dc7b86c27394e6320f2da2af87f128701d89eb3407ae756f8d5aeba93683ea2ffcd965
SSDEEP

6144:E3nmNR9kb/qhP/ZQdg68zTCkT0rG+ZXPbU9:EWNgbymg68zTTeG+2

Score

7^/10

evasion trojan

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3020	spoolsv.exe

Executes dropped EXE 1 IoCs

pid	Process
3020	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2072	WScript.exe
2072	WScript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	spoolsv.exe
Token: SeDebugPrivilege	3020	spoolsv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2168	233b039e7b03d81301f55db1903cf44e818d3373cb1e5626da9dc6e5e73f1a55.exe
2168	233b039e7b03d81301f55db1903cf44e818d3373cb1e5626da9dc6e5e73f1a55.exe
3020	spoolsv.exe
3020	spoolsv.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2072	2168	233b039e7b03d81301f55db1903cf44e818d3373cb1e5626da9dc6e5e73f1a55.exe	28
PID 2168 wrote to memory of 2072	2168	233b039e7b03d81301f55db1903cf44e818d3373cb1e5626da9dc6e5e73f1a55.exe	28
PID 2168 wrote to memory of 2072	2168	233b039e7b03d81301f55db1903cf44e818d3373cb1e5626da9dc6e5e73f1a55.exe	28
PID 2168 wrote to memory of 2072	2168	233b039e7b03d81301f55db1903cf44e818d3373cb1e5626da9dc6e5e73f1a55.exe	28
PID 2072 wrote to memory of 3020	2072	WScript.exe	29
PID 2072 wrote to memory of 3020	2072	WScript.exe	29
PID 2072 wrote to memory of 3020	2072	WScript.exe	29
PID 2072 wrote to memory of 3020	2072	WScript.exe	29

C:\Users\Admin\AppData\Local\Temp\233b039e7b03d81301f55db1903cf44e818d3373cb1e5626da9dc6e5e73f1a55.exe
"C:\Users\Admin\AppData\Local\Temp\233b039e7b03d81301f55db1903cf44e818d3373cb1e5626da9dc6e5e73f1a55.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_tempS.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\spoolsv.exe
    "C:\Users\Admin\AppData\Local\Temp\spoolsv.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_tempS.vbs

Filesize
100B

MD5
71d96bbf333667d25cca125690ae5785

SHA1
5e4c9fcc278341ac89e3f4cd41e15a9c40604545

SHA256
71ca8ba0d315a2f23b771369047db15057ab3257b9e3b2c1287455e27b5e1ff5

SHA512
bd6287afa6f67e7a028f84b00d14cbe5119519d2e54d873dedfb87a355ac05bdb9f5b8e6553469b8522f9dfd6dc024d05bc9da118ea49b94b0bdf19962d8965e

Download Submit
C:\Users\Admin\AppData\Local\Temp\spoolsv.exe

Filesize
231KB

MD5
e058ee294449ee1d4445ca4533224b27

SHA1
c8e3c69c359123039b74713cd8060f32b4879bcc

SHA256
994bc58824dd13edbab38a2492ef84e845c236f929d424b113bb65ced2ed9be8

SHA512
bfa135adbba36d86098b05ebd4865e3284359b75557d795e779be0c0c304e8369c2ecf47e35e6dc53ca31cf78a76002148362e15461c7de9e830c710020ca5a7

Download Submit