1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

max time kernel
184s
max time network
305s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/04/2024, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

5.3MB
MD5

5fe4ea367cee11e92ad4644d8ac3cef7
SHA1

44faea4a352b7860a9eafca82bd3c9b054b6db29
SHA256

1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b
SHA512

1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f
SSDEEP

98304:lgU5484Bq1qdguoOzv4I3KOn6Ka1uFof9Hn6sdw5yOc4:iU54mqL9zvH3qO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2376	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2756	tmp.exe
2756	tmp.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	tmp.exe
File created	C:\Windows\System\svchost.exe	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2636	powershell.exe
1816	powershell.exe
2756	tmp.exe
3004	powershell.exe
2276	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1816	2756	tmp.exe	32
PID 2756 wrote to memory of 1816	2756	tmp.exe	32
PID 2756 wrote to memory of 1816	2756	tmp.exe	32
PID 2756 wrote to memory of 2636	2756	tmp.exe	34
PID 2756 wrote to memory of 2636	2756	tmp.exe	34
PID 2756 wrote to memory of 2636	2756	tmp.exe	34
PID 2756 wrote to memory of 268	2756	tmp.exe	36
PID 2756 wrote to memory of 268	2756	tmp.exe	36
PID 2756 wrote to memory of 268	2756	tmp.exe	36
PID 2756 wrote to memory of 2376	2756	tmp.exe	38
PID 2756 wrote to memory of 2376	2756	tmp.exe	38
PID 2756 wrote to memory of 2376	2756	tmp.exe	38
PID 2376 wrote to memory of 3004	2376	svchost.exe	40
PID 2376 wrote to memory of 3004	2376	svchost.exe	40
PID 2376 wrote to memory of 3004	2376	svchost.exe	40
PID 2376 wrote to memory of 2276	2376	svchost.exe	42
PID 2376 wrote to memory of 2276	2376	svchost.exe	42
PID 2376 wrote to memory of 2276	2376	svchost.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\system32\schtasks.exe
  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:268
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3bc1e5acc9b27dc3fe043a489640fe34

SHA1
efc4ba614843b9377706f68327afaa6b5e5269da

SHA256
be549d7892c5041b99087c611b1c753335b97c51e2ff71aa264ed28c2d3c7662

SHA512
eaf0a5a727e1f8d2c5f3e3e23ac9982fd49070ec788c0b216460b8549ed2a460526da095497e39624795fceb229e69c2cc03b41f5c5eabea1af963ad0486b8ec

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
dfa55fd7926aaa64e863aef6e728410e

SHA1
b74f5e363e6aa070d85ef986d9905f1f5435f200

SHA256
04415cf26f3bdcc2c7aede2881ec215acae7696e001b19b18c8f0afd9800bcab

SHA512
abbf86bcc8eb0c169c2e278bc6f694ac80a69b32fd99aaf1fc2a6669414694322e08a8371b1c39dd25d777535e075ad3a1aed47c9dbc3ca3e05b643153e35313

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
11.8MB

MD5
11a4606847836f308a3687593372ac99

SHA1
76020dc92239b1b8409cab5a45261da51b77eadf

SHA256
b4dcdf73815d28ce0f9ca02012b14e1cfc48435f8ffc5d7589da81853cdc5957

SHA512
49c2a0f36b4b61bd5e34601f95879f1e52ead0c2496842e050766e9a0c271c843b0e6c8e5e61f12c02bba06cad5da0419020ad6ade6267c172334efa788738ba

Download Submit
C:\Windows\system\svchost.exe

Filesize
5.3MB

MD5
5fe4ea367cee11e92ad4644d8ac3cef7

SHA1
44faea4a352b7860a9eafca82bd3c9b054b6db29

SHA256
1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

SHA512
1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f

Download Submit
memory/1816-27-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/1816-25-0x000000000290B000-0x0000000002972000-memory.dmp

Filesize
412KB

Download
memory/1816-24-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1816-14-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/1816-16-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/1816-17-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1816-18-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-61-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2276-59-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2276-62-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2276-60-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2276-63-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2276-68-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2276-54-0x000000001B470000-0x000000001B752000-memory.dmp

Filesize
2.9MB

Download
memory/2276-66-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2376-43-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/2376-42-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/2376-69-0x000000001ED20000-0x000000001F21C000-memory.dmp

Filesize
5.0MB

Download
memory/2636-20-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/2636-28-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2636-22-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/2636-23-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/2636-26-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/2636-21-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2636-19-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2636-15-0x00000000026A0000-0x00000000026A8000-memory.dmp

Filesize
32KB

Download
memory/2756-0-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/2756-39-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/2756-4-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/2756-2-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/2756-3-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/2756-1-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/3004-57-0x0000000002050000-0x0000000002058000-memory.dmp

Filesize
32KB

Download
memory/3004-64-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/3004-58-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/3004-55-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/3004-56-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/3004-65-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/3004-67-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download