Overview

overview

8

Static

static

3

test.exe

windows7-x64

test.exe

windows10-2004-x64

Analysis

  • max time kernel
    102s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2024, 18:13

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    test.exe

  • Size

    5.3MB

  • MD5

    b59631e064541c8651576128708e50f9

  • SHA1

    7aae996d4990f37a48288fa5f15a7889c3ff49b3

  • SHA256

    4e5fcc788287580ed19402eadaab8c69ca5f0a904ead605153feb534bbe87002

  • SHA512

    571a06f0ec88fe3697388195dd0a7f7e8d63945748855d928fb5005b51fd2c2baea1a63bd871ed0cfade5eabb879f577b7b04f9cd4d1222de52da641feee1f92

  • SSDEEP

    98304:69w8PMOW9ZI6aO7sd/mzt5mAiN1vw+/YR8ov/bkMJmJZNOnTdjyip:ndIV0G/mzsN1vl/YRV4MY9OnTdjy

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
    persistence
  • Drops file in Drivers directory 1 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 7 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 32 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:464
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:596
          • C:\Windows\system32\wbem\wmiprvse.exe
            C:\Windows\system32\wbem\wmiprvse.exe -Embedding
            3⤵
              PID:1480
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k RPCSS
            2⤵
              PID:676
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
              2⤵
                PID:760
            • C:\Windows\system32\lsass.exe
              C:\Windows\system32\lsass.exe
              1⤵
                PID:480
              • C:\Windows\system32\lsm.exe
                C:\Windows\system32\lsm.exe
                1⤵
                  PID:488
                • C:\Users\Admin\AppData\Local\Temp\test.exe
                  "C:\Users\Admin\AppData\Local\Temp\test.exe"
                  1⤵
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:2748
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAZQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcQBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAZwBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAaABlACMAPgA="
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2204
                  • C:\Users\Admin\AppData\Roaming\Miner.exe
                    "C:\Users\Admin\AppData\Roaming\Miner.exe"
                    2⤵
                    • Drops file in Drivers directory
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:2500
                    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                      3⤵
                      • Drops file in System32 directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2352
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2240
                      • C:\Windows\system32\wusa.exe
                        wusa /uninstall /kb:890830 /quiet /norestart
                        4⤵
                        • Drops file in Windows directory
                        PID:2644
                    • C:\Windows\system32\sc.exe
                      C:\Windows\system32\sc.exe stop UsoSvc
                      3⤵
                      • Launches sc.exe
                      PID:2288
                    • C:\Windows\system32\sc.exe
                      C:\Windows\system32\sc.exe stop WaaSMedicSvc
                      3⤵
                      • Launches sc.exe
                      PID:2720
                    • C:\Windows\system32\sc.exe
                      C:\Windows\system32\sc.exe stop wuauserv
                      3⤵
                      • Launches sc.exe
                      PID:2696
                    • C:\Windows\system32\sc.exe
                      C:\Windows\system32\sc.exe stop bits
                      3⤵
                      • Launches sc.exe
                      PID:2640
                    • C:\Windows\system32\sc.exe
                      C:\Windows\system32\sc.exe stop dosvc
                      3⤵
                      • Launches sc.exe
                      PID:1916
                    • C:\Windows\system32\dialer.exe
                      C:\Windows\system32\dialer.exe
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1400
                    • C:\Windows\system32\sc.exe
                      C:\Windows\system32\sc.exe delete "RYVSUJUA"
                      3⤵
                      • Launches sc.exe
                      PID:2664
                    • C:\Windows\system32\sc.exe
                      C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"
                      3⤵
                      • Launches sc.exe
                      PID:824
                  • C:\Users\Admin\AppData\Roaming\Shortcutter.exe
                    "C:\Users\Admin\AppData\Roaming\Shortcutter.exe"
                    2⤵
                    • Executes dropped EXE
                    PID:3008
                • C:\Windows\system32\Dwm.exe
                  "C:\Windows\system32\Dwm.exe"
                  1⤵
                    PID:1964
                  • C:\Windows\system32\csrss.exe
                    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                    1⤵
                    • Enumerates system info in registry
                    • Suspicious use of WriteProcessMemory
                    PID:2280
                  • C:\Windows\system32\winlogon.exe
                    winlogon.exe
                    1⤵
                    • Modifies data under HKEY_USERS
                    • Suspicious use of WriteProcessMemory
                    PID:1792
                    • C:\Windows\system32\LogonUI.exe
                      "LogonUI.exe" /flags:0x0
                      2⤵
                        PID:896

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1WC06LWWVERJX0JE86YV.temp
                      Filesize

                      7KB

                      MD5

                      cc075c3b41ccae02d3846a76a1a6f173

                      SHA1

                      42fbbf8912ab59778a3dbd34d355cb81949f7835

                      SHA256

                      b770ca0af322179669ce07b8e14dfbeb4cd370ea55e90a57a9fe34a1bc5cb3c6

                      SHA512

                      d48fc13d207a2376244bd7cc97c81303deddd7897719599ff17cb46840353912951a43a84cdfd8cdbc65ce7d142f522405cdf2e058ec03c6b4792f92adf41167

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Miner.exe
                      Filesize

                      1.3MB

                      MD5

                      85baa1e562a1d0d883c87737a8390ae7

                      SHA1

                      7ca33844e3855a2b4fb616e03a70dd3b886f1fd6

                      SHA256

                      7c303c6f3562701117733a12bb209d390c3fdb7c8d4650034abb52e08c731bb3

                      SHA512

                      7850df0c147369d8b191796257e3e99700c337bd3377a289a5eebf61335aa72b57a29ef1434501fe508a7358c63f116ac26ca0d95b94ba3ab908fe826a13e472

                      Download Submit

                    • \Users\Admin\AppData\Roaming\Miner.exe
                      Filesize

                      5.1MB

                      MD5

                      825fea115a2fa7a09a46ed2e7f05bed8

                      SHA1

                      92bf63767d2f6bb70c0e07e209c20c72d8958aaa

                      SHA256

                      369ffcc8bc93d19341beaef43a75f164108172a1c836e279d08eb8f084fa87ef

                      SHA512

                      3221a052683a0be4ed7fcaf6d4db05b117017baa5a9edb75682307e05ba73fd964032260e070a3aae834012f6675bd2a6fff42971fd3e1e5b23196ae4ffa8578

                      Download Submit

                    • \Users\Admin\AppData\Roaming\Miner.exe
                      Filesize

                      5.3MB

                      MD5

                      99201be105bf0a4b25d9c5113da723fb

                      SHA1

                      443e6e285063f67cb46676b3951733592d569a7c

                      SHA256

                      e4eda2de1dab7a3891b0ed6eff0ccd905ff4b275150004c6eb5f1d6582eea9a2

                      SHA512

                      b57ae7282f2798cbf231f8ca6081b5fab10068566a49f0ad735e8408ccd73d77efb5c26a48b7591e20711f0adbd9e619b40078b9c51d31b7a9768104529e7808

                      Download Submit

                    • \Users\Admin\AppData\Roaming\Shortcutter.exe
                      Filesize

                      50KB

                      MD5

                      4ce8fc5016e97f84dadaf983cca845f2

                      SHA1

                      0d6fb5a16442cf393d5658a9f40d2501d8fd725c

                      SHA256

                      f4da7f22e8eb28cfd8ecb0c3fdc8923b2ba5c5e96b917cbcf53b6bbed1c22551

                      SHA512

                      4adeb4774ca136a085bc92cf6f02aa340f927ae12e1db90e8a2be69ef045611d333904ef5714c876ab03f8bcc52ee0140e724bd1659b9cf9eacf0a7d6a7bdd46

                      Download Submit

                    • memory/420-54-0x0000000000300000-0x000000000032B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/420-52-0x0000000000300000-0x000000000032B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/420-51-0x00000000002D0000-0x00000000002F4000-memory.dmp

                      Filesize

                      144KB

                      Download

                    • memory/420-50-0x00000000002D0000-0x00000000002F4000-memory.dmp

                      Filesize

                      144KB

                      Download

                    • memory/420-53-0x000007FEBD6B0000-0x000007FEBD6C0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/464-64-0x00000000772C1000-0x00000000772C2000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/464-61-0x00000000002D0000-0x00000000002FB000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/464-60-0x00000000002D0000-0x00000000002FB000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/480-73-0x000007FEBD6B0000-0x000007FEBD6C0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/480-71-0x00000000009F0000-0x0000000000A1B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/480-75-0x00000000772C1000-0x00000000772C2000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/480-76-0x00000000372B0000-0x00000000372C0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/480-108-0x00000000009F0000-0x0000000000A1B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/488-72-0x000007FEBD6B0000-0x000007FEBD6C0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/488-69-0x0000000000470000-0x000000000049B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/488-77-0x00000000372B0000-0x00000000372C0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/488-109-0x0000000000470000-0x000000000049B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/596-84-0x000007FEBD6B0000-0x000007FEBD6C0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/596-83-0x00000000004C0000-0x00000000004EB000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/596-85-0x00000000372B0000-0x00000000372C0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/596-110-0x00000000004C0000-0x00000000004EB000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/676-92-0x000007FEBD6B0000-0x000007FEBD6C0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/676-90-0x0000000000420000-0x000000000044B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/676-95-0x00000000372B0000-0x00000000372C0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/676-111-0x0000000000420000-0x000000000044B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/760-99-0x0000000000A40000-0x0000000000A6B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/760-102-0x000007FEBD6B0000-0x000007FEBD6C0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/760-105-0x00000000372B0000-0x00000000372C0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/760-112-0x0000000000A40000-0x0000000000A6B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/896-107-0x00000000026B0000-0x00000000026B1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1400-46-0x0000000077270000-0x0000000077419000-memory.dmp

                      Filesize

                      1.7MB

                      Download

                    • memory/1400-38-0x0000000140000000-0x000000014002B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/1400-39-0x0000000140000000-0x000000014002B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/1400-103-0x0000000077270000-0x0000000077419000-memory.dmp

                      Filesize

                      1.7MB

                      Download

                    • memory/1400-47-0x0000000140000000-0x000000014002B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/1400-44-0x0000000077270000-0x0000000077419000-memory.dmp

                      Filesize

                      1.7MB

                      Download

                    • memory/1400-45-0x0000000077150000-0x000000007726F000-memory.dmp

                      Filesize

                      1.1MB

                      Download

                    • memory/1400-43-0x0000000140000000-0x000000014002B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/1400-41-0x0000000140000000-0x000000014002B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/1400-40-0x0000000140000000-0x000000014002B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/2204-21-0x00000000023B0000-0x00000000023F0000-memory.dmp

                      Filesize

                      256KB

                      Download

                    • memory/2204-20-0x0000000073C90000-0x000000007423B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/2204-18-0x00000000023B0000-0x00000000023F0000-memory.dmp

                      Filesize

                      256KB

                      Download

                    • memory/2204-19-0x0000000073C90000-0x000000007423B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/2204-23-0x0000000073C90000-0x000000007423B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/2352-34-0x0000000002780000-0x0000000002800000-memory.dmp

                      Filesize

                      512KB

                      Download

                    • memory/2352-35-0x000007FEEF1B0000-0x000007FEEFB4D000-memory.dmp

                      Filesize

                      9.6MB

                      Download

                    • memory/2352-28-0x000000001B340000-0x000000001B622000-memory.dmp

                      Filesize

                      2.9MB

                      Download

                    • memory/2352-29-0x0000000002460000-0x0000000002468000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2352-30-0x000007FEEF1B0000-0x000007FEEFB4D000-memory.dmp

                      Filesize

                      9.6MB

                      Download

                    • memory/2352-31-0x0000000002780000-0x0000000002800000-memory.dmp

                      Filesize

                      512KB

                      Download

                    • memory/2352-32-0x000007FEEF1B0000-0x000007FEEFB4D000-memory.dmp

                      Filesize

                      9.6MB

                      Download

                    • memory/2352-33-0x0000000002780000-0x0000000002800000-memory.dmp

                      Filesize

                      512KB

                      Download

                    • memory/3008-22-0x000000001AF30000-0x000000001AFB0000-memory.dmp

                      Filesize

                      512KB

                      Download

                    • memory/3008-16-0x0000000000880000-0x0000000000892000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3008-17-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/3008-93-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/3008-36-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

                      Filesize

                      9.9MB

                      Download