c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 17:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe
Size

8.0MB
MD5

1182adc71410b5f21ee13f744bfd1d7f
SHA1

4ef4f5ba4abcd5e929dbc26e86a505d970363760
SHA256

c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7
SHA512

86de3479aba5f41305346cd9249159c5ff07a6a29e37d4d727799bd6d6cd588d9f2f6b47ee78df976aad332d85a7e5c776b312a114b87927e85f9c873734be3c
SSDEEP

49152:CzHj63m8hZHzDrb/T7vO90d7HjmAFd4A64nsfJfWtp9DDE/mJMgmYPy8q5lr+yXG:C0HkunDEgyJoDcEro9qYjEc874dxE5LZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
320	WindowsAutoUpdate2.exe
1196	WindowsAutoUpdate2.exe

Loads dropped DLL 1 IoCs

pid	Process
676	taskeng.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\OGHaTrjtXuaSokL.data	WindowsAutoUpdate2.exe
File created	C:\Windows\System32\nRcIXraBViSxJTo.data	WindowsAutoUpdate2.exe
File created	C:\Windows\System32\PDPHompbfWyXNHq.data	WindowsAutoUpdate2.exe
File created	C:\Windows\System32\nuRyPvKVToMBNij.data	WindowsAutoUpdate2.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1756 set thread context of 2604	1756	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	28
PID 320 set thread context of 2164	320	WindowsAutoUpdate2.exe	34
PID 1196 set thread context of 1160	1196	WindowsAutoUpdate2.exe	38

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2604	jsc.exe
Token: SeDebugPrivilege	2164	jsc.exe
Token: SeDebugPrivilege	1160	jsc.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2604	1756	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	28
PID 1756 wrote to memory of 2604	1756	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	28
PID 1756 wrote to memory of 2604	1756	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	28
PID 1756 wrote to memory of 2604	1756	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	28
PID 1756 wrote to memory of 2604	1756	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	28
PID 1756 wrote to memory of 2604	1756	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	28
PID 1756 wrote to memory of 2668	1756	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	29
PID 1756 wrote to memory of 2668	1756	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	29
PID 1756 wrote to memory of 2668	1756	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	29
PID 2668 wrote to memory of 2636	2668	powershell.exe	31
PID 2668 wrote to memory of 2636	2668	powershell.exe	31
PID 2668 wrote to memory of 2636	2668	powershell.exe	31
PID 676 wrote to memory of 320	676	taskeng.exe	33
PID 676 wrote to memory of 320	676	taskeng.exe	33
PID 676 wrote to memory of 320	676	taskeng.exe	33
PID 320 wrote to memory of 2164	320	WindowsAutoUpdate2.exe	34
PID 320 wrote to memory of 2164	320	WindowsAutoUpdate2.exe	34
PID 320 wrote to memory of 2164	320	WindowsAutoUpdate2.exe	34
PID 320 wrote to memory of 2164	320	WindowsAutoUpdate2.exe	34
PID 320 wrote to memory of 2164	320	WindowsAutoUpdate2.exe	34
PID 320 wrote to memory of 2164	320	WindowsAutoUpdate2.exe	34
PID 676 wrote to memory of 1196	676	taskeng.exe	37
PID 676 wrote to memory of 1196	676	taskeng.exe	37
PID 676 wrote to memory of 1196	676	taskeng.exe	37
PID 1196 wrote to memory of 1160	1196	WindowsAutoUpdate2.exe	38
PID 1196 wrote to memory of 1160	1196	WindowsAutoUpdate2.exe	38
PID 1196 wrote to memory of 1160	1196	WindowsAutoUpdate2.exe	38
PID 1196 wrote to memory of 1160	1196	WindowsAutoUpdate2.exe	38
PID 1196 wrote to memory of 1160	1196	WindowsAutoUpdate2.exe	38
PID 1196 wrote to memory of 1160	1196	WindowsAutoUpdate2.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe
"C:\Users\Admin\AppData\Local\Temp\c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN AutoUpdate2 /TR C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN AutoUpdate2 /TR C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe
    3⤵
    - Creates scheduled task(s)
    PID:2636

C:\Windows\system32\taskeng.exe
taskeng.exe {582FCCEE-E8F0-4A74-BFF9-C42F9D2990D9} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe
  C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe
  C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe

Filesize
2.0MB

MD5
c33ba186c9f6e5a4f45287fe818fd060

SHA1
984375ef20c0e8536ed2045a1991058e6f9da654

SHA256
de0efd3522994074d81cbfa7c49808c141b46b50f9298df08604e6e9ccc5b242

SHA512
32cc73971967fc6e9194ba0545a50e067a965684328e722cb471921c87cebf3116615b74c551178b13f17268d843e34f87da11def5be39cce194aedb3b235ba3

Download Submit
\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe

Filesize
8.0MB

MD5
1182adc71410b5f21ee13f744bfd1d7f

SHA1
4ef4f5ba4abcd5e929dbc26e86a505d970363760

SHA256
c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7

SHA512
86de3479aba5f41305346cd9249159c5ff07a6a29e37d4d727799bd6d6cd588d9f2f6b47ee78df976aad332d85a7e5c776b312a114b87927e85f9c873734be3c

Download Submit
memory/320-57-0x000000013F610000-0x000000013FE17000-memory.dmp

Filesize
8.0MB

Download
memory/320-62-0x000000013F610000-0x000000013FE17000-memory.dmp

Filesize
8.0MB

Download
memory/320-66-0x000000013F610000-0x000000013FE17000-memory.dmp

Filesize
8.0MB

Download
memory/676-56-0x000000013F610000-0x000000013FE17000-memory.dmp

Filesize
8.0MB

Download
memory/1160-117-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/1160-115-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1160-107-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1160-106-0x00000000000F0000-0x00000000001E2000-memory.dmp

Filesize
968KB

Download
memory/1160-116-0x00000000000F0000-0x00000000001E2000-memory.dmp

Filesize
968KB

Download
memory/1160-139-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1160-140-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1160-141-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1196-114-0x000000013FEF0000-0x00000001406F7000-memory.dmp

Filesize
8.0MB

Download
memory/1196-99-0x000000013FEF0000-0x00000001406F7000-memory.dmp

Filesize
8.0MB

Download
memory/1756-13-0x000000013F2E0000-0x000000013FAE7000-memory.dmp

Filesize
8.0MB

Download
memory/1756-0-0x000000013F2E0000-0x000000013FAE7000-memory.dmp

Filesize
8.0MB

Download
memory/1756-50-0x000000013F2E0000-0x000000013FAE7000-memory.dmp

Filesize
8.0MB

Download
memory/2164-84-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-93-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-96-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2164-95-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2164-94-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2164-90-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-91-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-88-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-85-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-82-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-78-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-80-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-79-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-73-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

Filesize
256KB

Download
memory/2164-77-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-76-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-75-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-74-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-71-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2164-70-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-64-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2164-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2164-68-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/2604-21-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-24-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-29-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-32-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-31-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-52-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-51-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2604-35-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-5-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-48-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2604-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-6-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-23-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-46-0x0000000001030000-0x0000000001070000-memory.dmp

Filesize
256KB

Download
memory/2604-27-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-37-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-49-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2604-12-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-41-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-40-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-38-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-22-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-10-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-25-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2604-26-0x0000000000150000-0x0000000000242000-memory.dmp

Filesize
968KB

Download
memory/2668-19-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2668-18-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2668-45-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-44-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/2668-42-0x0000000002C94000-0x0000000002C97000-memory.dmp

Filesize
12KB

Download
memory/2668-47-0x0000000002C9B000-0x0000000002D02000-memory.dmp

Filesize
412KB

Download
memory/2668-43-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

Filesize
9.6MB

Download