a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

max time kernel
278s
max time network
306s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-04-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

9.4MB
MD5

db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1

2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256

a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512

121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP

98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1976 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

tmp.exe

pid process

2300 tmp.exe
2300 tmp.exe

pid	process
1976	svchost.exe

pid	process
2300	tmp.exe
2300	tmp.exe

Drops file in Windows directory 4 IoCs

Processes:

tmp.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	tmp.exe
File created	C:\Windows\System\svchost.exe	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1620 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.exepowershell.exe

pid process

2356 powershell.exe
2796 powershell.exe
2300 tmp.exe
860 powershell.exe
1472 powershell.exe

pid	process
1620	schtasks.exe

pid	process
2356	powershell.exe
2796	powershell.exe
2300	tmp.exe
860	powershell.exe
1472	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

tmp.exesvchost.exe

description	pid	process	target process
PID 2300 wrote to memory of 2356	2300	tmp.exe	powershell.exe
PID 2300 wrote to memory of 2356	2300	tmp.exe	powershell.exe
PID 2300 wrote to memory of 2356	2300	tmp.exe	powershell.exe
PID 2300 wrote to memory of 2796	2300	tmp.exe	powershell.exe
PID 2300 wrote to memory of 2796	2300	tmp.exe	powershell.exe
PID 2300 wrote to memory of 2796	2300	tmp.exe	powershell.exe
PID 2300 wrote to memory of 2836	2300	tmp.exe	schtasks.exe
PID 2300 wrote to memory of 2836	2300	tmp.exe	schtasks.exe
PID 2300 wrote to memory of 2836	2300	tmp.exe	schtasks.exe
PID 2300 wrote to memory of 1620	2300	tmp.exe	schtasks.exe
PID 2300 wrote to memory of 1620	2300	tmp.exe	schtasks.exe
PID 2300 wrote to memory of 1620	2300	tmp.exe	schtasks.exe
PID 2300 wrote to memory of 1976	2300	tmp.exe	svchost.exe
PID 2300 wrote to memory of 1976	2300	tmp.exe	svchost.exe
PID 2300 wrote to memory of 1976	2300	tmp.exe	svchost.exe
PID 1976 wrote to memory of 860	1976	svchost.exe	powershell.exe
PID 1976 wrote to memory of 860	1976	svchost.exe	powershell.exe
PID 1976 wrote to memory of 860	1976	svchost.exe	powershell.exe
PID 1976 wrote to memory of 1472	1976	svchost.exe	powershell.exe
PID 1976 wrote to memory of 1472	1976	svchost.exe	powershell.exe
PID 1976 wrote to memory of 1472	1976	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:2836

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:1620

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6eadbf0fdc1a80be7c16622a9ee22128

SHA1
f8f299c023602628048e4b3e56970362576ed873

SHA256
a48a4f48bdfd1b84f50e8a16f5c22a95675e200c931dfa3f4109f664a2cd747c

SHA512
974d073d197703c4296a43fd2fca9e5daccda6b5d0afffa5376771ec4b71030c1bfa3f56bb6fbfe7b6496c76c464498b62f8460b86d98583dc344850fb6738a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar591F.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4233e6cb702e4c9c0a0de0cef873d7de

SHA1
db8f7ceac58d7e59dd2db169fa153dfdd618dc1a

SHA256
d1b5bc3f35b3513fe48f8724d8c8436d1e593fef3d5419e68807f86f9ccdd54a

SHA512
1aec1e73ba4f7dc4e592c33f8433b4c859794134859ea6a7b55d8ba5731687785063c422238987e80b9b1c5a6f794f583d52a38db3be10af451662ce633168d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O9PYQOOUYN3XDSRWXTJB.temp

Filesize
7KB

MD5
9264a29efb92abff161a6ce65433de6e

SHA1
3825c377ed244f994c6fe1245ba893caa60a661d

SHA256
31166930e4a99e3f6837cc95ad2753d381bc5ad01cb9ecdad8c5885d2ec676d6

SHA512
c6a7f3578be3bb06bbd562a8270aa6b5ff30b28b7124b8b79b38063ecaf1d8f689880558cda864521a06bcfad9762c93f2b818c641177b76bd85b822c1104c3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\system\svchost.exe

Filesize
9.4MB

MD5
db3edf03a8a2c8e96fe2d2deaaec76ff

SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1

SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135

Download Submit
memory/860-55-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/860-57-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/860-58-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/860-59-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/860-56-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/860-54-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/860-60-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/1472-71-0x000000000276B000-0x00000000027D2000-memory.dmp

Filesize
412KB

Download
memory/1472-67-0x000007FEF4DF0000-0x000007FEF578D000-memory.dmp

Filesize
9.6MB

Download
memory/1472-68-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/1472-69-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/1472-70-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/1472-72-0x000007FEF4DF0000-0x000007FEF578D000-memory.dmp

Filesize
9.6MB

Download
memory/1472-73-0x000007FEF4DF0000-0x000007FEF578D000-memory.dmp

Filesize
9.6MB

Download
memory/1976-43-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/1976-45-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/1976-48-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/1976-74-0x0000000180000000-0x000000018070E000-memory.dmp

Filesize
7.1MB

Download
memory/2300-11-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2300-2-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2300-0-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2300-46-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2300-1-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2300-3-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2300-4-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2356-12-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2356-13-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/2356-18-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/2356-17-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2356-15-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/2356-16-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2356-14-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2356-10-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download
memory/2796-31-0x000007FEF4DF0000-0x000007FEF578D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-26-0x000007FEF4DF0000-0x000007FEF578D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-24-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2796-25-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/2796-27-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2796-28-0x000007FEF4DF0000-0x000007FEF578D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-29-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2796-30-0x000000000247B000-0x00000000024E2000-memory.dmp

Filesize
412KB

Download