Resubmissions
12/04/2024, 15:05
240412-sgj26see2v 1012/04/2024, 15:05
240412-sggl2see2s 1012/04/2024, 15:05
240412-sgf1hsbe23 1012/04/2024, 15:05
240412-sgbqssbd99 1012/04/2024, 15:05
240412-sga49sbd98 1009/04/2024, 07:59
240409-jvg1asab26 1009/04/2024, 07:59
240409-jvgdrsdd5w 1009/04/2024, 07:59
240409-jvfr8sdd5v 1009/04/2024, 07:59
240409-jvfggadd5t 1019/01/2024, 20:24
240119-y6y6aadfb5 10Analysis
-
max time kernel
279s -
max time network
296s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
09/04/2024, 07:59
General
-
Target
tmp.exe
-
Size
5.9MB
-
MD5
bbe98cc2bf5ce0c0bb4fb74370e2af68
-
SHA1
6a363ce866e541105642c2b35e048998e2dfdfea
-
SHA256
20c0e8522d9e6fe9d45784826521416b657baeefd6c3dde33d7526a8dc7fff2b
-
SHA512
900b23e8095ff64fc7d8b5d169204733410734046d0be059e60fe88be32c09e578ac94bdb466f4eba8565d78685aec499cbbfcb1332f6d90626bbb999690b762
-
SSDEEP
98304:lIIuKCEdO96Xkmby531xv91EZJ9XARo00k3NPedyEhyeSDwlqGuLpnKriRkS8KRn:lTO96bby5jv91SFVkoyEhyeSuuLpyfjm
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
Modifies Windows Firewall 2 TTPs 6 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 4 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Drops file in Windows directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System\dc.exe"C:\Windows\System\dc.exe" /D2⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "Timer"2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM2⤵
- Creates scheduled task(s)
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System\dc.exe"C:\Windows\System\dc.exe" /D3⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\~tl1CA5.tmpC:\Users\Admin\AppData\Local\Temp\~tl1CA5.tmp3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645114⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "Timer"4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM4⤵
- Creates scheduled task(s)
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal4⤵
-
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
108KB
MD507232b64be72593980cd952e8f85017e
SHA161dba57cc51f4501ace3520e2cf559d8e42e04d7
SHA256ef342bcc3c938c2fa9b38bc84019d8dce94d018372f7d9c29a8ee7ff3f0fc3a8
SHA512d5417f270e14fe3437c0d017e037117001377379475531b70f9d6840548dd830117fbf62c152c9af09f586bdf944edac330bc560cca4fa45105269319e7158cb
-
Filesize
7KB
MD59e60fcf1d190832922044e3ba4d2703a
SHA12311305da6647897c5c4c1dc2866390c2cb84508
SHA256a2263f93cb05053f62ffc8a7102b17cb2a42dbcea78d648b30472c5f9a78df03
SHA512eaa000108624111025f34a9778f9b1fea0919536774630d589dd13c68f39f36c6e21f2b1318b10df951a223359a4960545645f5551afaddce8202fb9516190a4
-
Filesize
7KB
MD545a7c4e63d73b20500caee81461ce93c
SHA10b748f8073010bdddd6aa06ac8b68991ad4fcf5a
SHA256f87a56445aefa75ac98a890c0a16276c160a59f4f702c0d10e42f63bd935b7c4
SHA512eef5832573c822141c80c5c92563a7985faef6a43c0370eeb8bb5e7b780ccfa89643f8efd6362e49acd886048626f1e47fdc4852b498bbdd8b0b0b6eceb4c4f4
-
Filesize
7KB
MD504c2e6d5e05c7066a690f818792765d6
SHA1e0871d455493895a02a08608cb9767211791c8b5
SHA256631e5201b02d1523527729e067293ff07c70f48a78496718ea60c524225cd352
SHA51247abf9b2362a1ace40e9d391d77b8aa30219da7f37cfd4d619de12d32f1805ba86d959bfece914086622aab898a5c15c679196b5816e16ff31fb45a67780fa9c
-
Filesize
2.6MB
MD53af58b6add70a3559c53205e4aefd0f9
SHA15c1a95db8a1695b14b26cb5e8ae92fea5bd9da41
SHA256d9595b5e4bb49267b93c50334024de412c0e8a2831f2caa1102529292b9c2a7e
SHA51221b93f9444d559aa19fd36afd939120623187fd42cf43296447cfa8794d7a72773900405b37587def2e794b7e829d337aaf5b397a8882552875a89023f104f97
-
Filesize
10.6MB
MD5566cba964827e62189860aa64e1275e5
SHA1c3d488409b25026b5189a045310531d3a60b60ee
SHA256adb84132fa0056f1df28e7336fc6f7bcef6b5c777dda55fc35fbb2986aaabc27
SHA512a027883ebf07f9031e0d175f2466401c6f4e73c17b62c83a87a2de95254cefe7d8726bf24cc23e801269ab883aa0171b48f2f9699d18e38a9c4c4b4d2339480d
-
Filesize
233B
MD5cd4326a6fd01cd3ca77cfd8d0f53821b
SHA1a1030414d1f8e5d5a6e89d5a309921b8920856f9
SHA2561c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c
SHA51229ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67
-
Filesize
763KB
MD50a50081a6cd37aea0945c91de91c5d97
SHA1755309c6d9fa4cd13b6c867cde01cc1e0d415d00
SHA2566606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b
SHA512f0a4e9a3dc065df2182527b17077c822d4535db86bf61f5ee795ee469b15159560a8e81e60d3037f3de1bb38e92f0fc8a422c2656882650d699e2b96948f9846
-
Filesize
5.9MB
MD5bbe98cc2bf5ce0c0bb4fb74370e2af68
SHA16a363ce866e541105642c2b35e048998e2dfdfea
SHA25620c0e8522d9e6fe9d45784826521416b657baeefd6c3dde33d7526a8dc7fff2b
SHA512900b23e8095ff64fc7d8b5d169204733410734046d0be059e60fe88be32c09e578ac94bdb466f4eba8565d78685aec499cbbfcb1332f6d90626bbb999690b762
-
Filesize
385KB
MD5e802c96760e48c5139995ffb2d891f90
SHA1bba3d278c0eb1094a26e5d2f4c099ad685371578
SHA256cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c
SHA51297300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
512KB
-
Filesize
412KB
-
Filesize
9.6MB
-
Filesize
12KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
168KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
412KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
12KB
-
Filesize
512KB
-
Filesize
12KB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
4.9MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
1.4MB