c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe
Size

8.0MB
MD5

1182adc71410b5f21ee13f744bfd1d7f
SHA1

4ef4f5ba4abcd5e929dbc26e86a505d970363760
SHA256

c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7
SHA512

86de3479aba5f41305346cd9249159c5ff07a6a29e37d4d727799bd6d6cd588d9f2f6b47ee78df976aad332d85a7e5c776b312a114b87927e85f9c873734be3c
SSDEEP

49152:CzHj63m8hZHzDrb/T7vO90d7HjmAFd4A64nsfJfWtp9DDE/mJMgmYPy8q5lr+yXG:C0HkunDEgyJoDcEro9qYjEc874dxE5LZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3636	WindowsAutoUpdate2.exe
4520	WindowsAutoUpdate2.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\EeiIIwheFynidra.data	WindowsAutoUpdate2.exe
File created	C:\Windows\System32\eIfRozVtjAICHmy.data	WindowsAutoUpdate2.exe
File created	C:\Windows\System32\kQeJhPJFVYOvChc.data	WindowsAutoUpdate2.exe
File created	C:\Windows\System32\ePUDhxMPOmYcvUo.data	WindowsAutoUpdate2.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3420 set thread context of 3604	3420	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	87
PID 3636 set thread context of 4392	3636	WindowsAutoUpdate2.exe	100
PID 4520 set thread context of 2860	4520	WindowsAutoUpdate2.exe	102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5092	powershell.exe
5092	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	3604	jsc.exe
Token: SeDebugPrivilege	4392	jsc.exe
Token: SeDebugPrivilege	2860	jsc.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 3604	3420	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	87
PID 3420 wrote to memory of 3604	3420	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	87
PID 3420 wrote to memory of 3604	3420	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	87
PID 3420 wrote to memory of 3604	3420	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	87
PID 3420 wrote to memory of 3604	3420	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	87
PID 3420 wrote to memory of 5092	3420	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	88
PID 3420 wrote to memory of 5092	3420	c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe	88
PID 5092 wrote to memory of 4176	5092	powershell.exe	90
PID 5092 wrote to memory of 4176	5092	powershell.exe	90
PID 3636 wrote to memory of 4392	3636	WindowsAutoUpdate2.exe	100
PID 3636 wrote to memory of 4392	3636	WindowsAutoUpdate2.exe	100
PID 3636 wrote to memory of 4392	3636	WindowsAutoUpdate2.exe	100
PID 3636 wrote to memory of 4392	3636	WindowsAutoUpdate2.exe	100
PID 3636 wrote to memory of 4392	3636	WindowsAutoUpdate2.exe	100
PID 4520 wrote to memory of 2860	4520	WindowsAutoUpdate2.exe	102
PID 4520 wrote to memory of 2860	4520	WindowsAutoUpdate2.exe	102
PID 4520 wrote to memory of 2860	4520	WindowsAutoUpdate2.exe	102
PID 4520 wrote to memory of 2860	4520	WindowsAutoUpdate2.exe	102
PID 4520 wrote to memory of 2860	4520	WindowsAutoUpdate2.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe
"C:\Users\Admin\AppData\Local\Temp\c9224da21f842e0f3eefdde24bbe12c576ced858e37e4b03d8df23119c769ee7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN AutoUpdate2 /TR C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN AutoUpdate2 /TR C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe
    3⤵
    - Creates scheduled task(s)
    PID:4176

C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe
C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4392

C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe
C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jsc.exe.log

Filesize
847B

MD5
f8ec7f563d06ccddddf6c96b8957e5c8

SHA1
73bdc49dcead32f8c29168645a0f080084132252

SHA256
38ef57aec780edd2c8dab614a85ce87351188fce5896ffebc9f69328df2056ed

SHA512
8830821ac9edb4cdf4d8a3d7bc30433987ae4c158cf81b705654f54aaeba366c5fa3509981aceae21e193dd4483f03b9d449bc0a32545927d3ca94b0f9367684

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sr0nnriq.mys.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe

Filesize
5.2MB

MD5
5f4f353c88fdc9f6fb789a1051644384

SHA1
5cc39715e62c74c0812a9ccb0196232baa83cf7e

SHA256
43801c73832dd849d652b5609120a7168e9b51977b471a224305c9e24244b4aa

SHA512
362f9c67020d46dacb618d3e41c85e1d32613e95965e4327a444edbf5b5f9f9eb5cac5c794ddcdaab971a6301971eed1a5f59e7415eba59358f544e93f5df225

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe

Filesize
5.8MB

MD5
233f5145904377ed10fe48f49fcd2b11

SHA1
db10be14ea5e9fceea2c0e270f922bf484665419

SHA256
1c5966cc24b7dcda310c98bbc75d117f70586f523b4972e9355e23ac860b7051

SHA512
7ecd3b87eb263da81b5a78fd694af56bafeb9301472786c63bb23aa0b8d386f260a368ff037754fa24982a8c7c659b9ceb3eaceee59f6bc590b036d755a689b8

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate2.exe

Filesize
2.1MB

MD5
8a273189589bca3740a5981f0c448dc8

SHA1
d4dda858b4e0c6c03cf6907d93fc87034e103898

SHA256
c171d28c018baa50a2b082d0c6d54ad54ef4418d6c9183b86b3563044f87b651

SHA512
2eeefb8d01d90964a8e3ab11f2bb2d27cff48d26005fe67b0ad9384b8d58d4b00c59284230ff7be15a47e2134ebb796deedb0e8d02bd48df650ffb46d47cb58d

Download Submit
memory/2860-113-0x0000000000BC0000-0x0000000000CB2000-memory.dmp

Filesize
968KB

Download
memory/2860-111-0x0000000000BC0000-0x0000000000CB2000-memory.dmp

Filesize
968KB

Download
memory/2860-96-0x0000000000BC0000-0x0000000000CB2000-memory.dmp

Filesize
968KB

Download
memory/2860-100-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/2860-102-0x0000000000BC0000-0x0000000000CB2000-memory.dmp

Filesize
968KB

Download
memory/2860-108-0x0000000000BC0000-0x0000000000CB2000-memory.dmp

Filesize
968KB

Download
memory/2860-123-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/2860-104-0x0000000000BC0000-0x0000000000CB2000-memory.dmp

Filesize
968KB

Download
memory/2860-105-0x0000000000BC0000-0x0000000000CB2000-memory.dmp

Filesize
968KB

Download
memory/2860-106-0x0000000000BC0000-0x0000000000CB2000-memory.dmp

Filesize
968KB

Download
memory/2860-109-0x0000000000BC0000-0x0000000000CB2000-memory.dmp

Filesize
968KB

Download
memory/2860-107-0x0000000000BC0000-0x0000000000CB2000-memory.dmp

Filesize
968KB

Download
memory/2860-114-0x0000000000BC0000-0x0000000000CB2000-memory.dmp

Filesize
968KB

Download
memory/2860-103-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/3420-7-0x00007FF6FDB30000-0x00007FF6FE337000-memory.dmp

Filesize
8.0MB

Download
memory/3420-0-0x00007FF6FDB30000-0x00007FF6FE337000-memory.dmp

Filesize
8.0MB

Download
memory/3420-43-0x00007FF6FDB30000-0x00007FF6FE337000-memory.dmp

Filesize
8.0MB

Download
memory/3604-9-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/3604-44-0x0000000001300000-0x00000000013F2000-memory.dmp

Filesize
968KB

Download
memory/3604-37-0x0000000001300000-0x00000000013F2000-memory.dmp

Filesize
968KB

Download
memory/3604-41-0x0000000001300000-0x00000000013F2000-memory.dmp

Filesize
968KB

Download
memory/3604-48-0x00000000064A0000-0x0000000006A44000-memory.dmp

Filesize
5.6MB

Download
memory/3604-49-0x0000000006A50000-0x0000000006AE2000-memory.dmp

Filesize
584KB

Download
memory/3604-51-0x0000000006FE0000-0x0000000006FEA000-memory.dmp

Filesize
40KB

Download
memory/3604-50-0x00000000077B0000-0x0000000007816000-memory.dmp

Filesize
408KB

Download
memory/3604-34-0x0000000001300000-0x00000000013F2000-memory.dmp

Filesize
968KB

Download
memory/3604-10-0x0000000001300000-0x00000000013F2000-memory.dmp

Filesize
968KB

Download
memory/3604-5-0x0000000001300000-0x00000000013F2000-memory.dmp

Filesize
968KB

Download
memory/3604-47-0x0000000001300000-0x00000000013F2000-memory.dmp

Filesize
968KB

Download
memory/3604-54-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/3604-45-0x0000000001300000-0x00000000013F2000-memory.dmp

Filesize
968KB

Download
memory/3604-26-0x0000000001300000-0x00000000013F2000-memory.dmp

Filesize
968KB

Download
memory/3604-32-0x0000000001300000-0x00000000013F2000-memory.dmp

Filesize
968KB

Download
memory/3604-31-0x0000000005B80000-0x0000000005B90000-memory.dmp

Filesize
64KB

Download
memory/3604-28-0x0000000001300000-0x00000000013F2000-memory.dmp

Filesize
968KB

Download
memory/3604-11-0x0000000001300000-0x00000000013F2000-memory.dmp

Filesize
968KB

Download
memory/3604-21-0x0000000001300000-0x00000000013F2000-memory.dmp

Filesize
968KB

Download
memory/3604-22-0x0000000001300000-0x00000000013F2000-memory.dmp

Filesize
968KB

Download
memory/3604-24-0x0000000001300000-0x00000000013F2000-memory.dmp

Filesize
968KB

Download
memory/3636-63-0x00007FF7DA5B0000-0x00007FF7DADB7000-memory.dmp

Filesize
8.0MB

Download
memory/3636-59-0x00007FF7DA5B0000-0x00007FF7DADB7000-memory.dmp

Filesize
8.0MB

Download
memory/4392-65-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/4392-85-0x0000000000B80000-0x0000000000C72000-memory.dmp

Filesize
968KB

Download
memory/4392-72-0x0000000000B80000-0x0000000000C72000-memory.dmp

Filesize
968KB

Download
memory/4392-87-0x0000000000B80000-0x0000000000C72000-memory.dmp

Filesize
968KB

Download
memory/4392-70-0x0000000000B80000-0x0000000000C72000-memory.dmp

Filesize
968KB

Download
memory/4392-89-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/4392-84-0x0000000000B80000-0x0000000000C72000-memory.dmp

Filesize
968KB

Download
memory/4392-68-0x0000000000B80000-0x0000000000C72000-memory.dmp

Filesize
968KB

Download
memory/4392-78-0x0000000000B80000-0x0000000000C72000-memory.dmp

Filesize
968KB

Download
memory/4392-74-0x0000000000B80000-0x0000000000C72000-memory.dmp

Filesize
968KB

Download
memory/4392-73-0x0000000000B80000-0x0000000000C72000-memory.dmp

Filesize
968KB

Download
memory/4392-62-0x0000000000B80000-0x0000000000C72000-memory.dmp

Filesize
968KB

Download
memory/4392-82-0x0000000000B80000-0x0000000000C72000-memory.dmp

Filesize
968KB

Download
memory/4392-79-0x0000000000B80000-0x0000000000C72000-memory.dmp

Filesize
968KB

Download
memory/4392-71-0x0000000000B80000-0x0000000000C72000-memory.dmp

Filesize
968KB

Download
memory/4392-69-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/4392-67-0x0000000000B80000-0x0000000000C72000-memory.dmp

Filesize
968KB

Download
memory/4392-76-0x0000000000B80000-0x0000000000C72000-memory.dmp

Filesize
968KB

Download
memory/4520-97-0x00007FF7DA5B0000-0x00007FF7DADB7000-memory.dmp

Filesize
8.0MB

Download
memory/4520-91-0x00007FF7DA5B0000-0x00007FF7DADB7000-memory.dmp

Filesize
8.0MB

Download
memory/5092-39-0x00007FFFAAA40000-0x00007FFFAB501000-memory.dmp

Filesize
10.8MB

Download
memory/5092-29-0x000002903ACF0000-0x000002903AD00000-memory.dmp

Filesize
64KB

Download
memory/5092-27-0x000002903ACF0000-0x000002903AD00000-memory.dmp

Filesize
64KB

Download
memory/5092-25-0x00007FFFAAA40000-0x00007FFFAB501000-memory.dmp

Filesize
10.8MB

Download
memory/5092-23-0x000002903ACA0000-0x000002903ACC2000-memory.dmp

Filesize
136KB

Download