a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-04-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

9.4MB
MD5

db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1

2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256

a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512

121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP

98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1552 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

tmp.exe

pid process

2732 tmp.exe
2732 tmp.exe

pid	process
1552	svchost.exe

pid	process
2732	tmp.exe
2732	tmp.exe

Drops file in Windows directory 4 IoCs

Processes:

tmp.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	tmp.exe
File created	C:\Windows\System\svchost.exe	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1588 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.exepowershell.exe

pid process

2448 powershell.exe
2452 powershell.exe
2732 tmp.exe
1156 powershell.exe
584 powershell.exe

pid	process
1588	schtasks.exe

pid	process
2448	powershell.exe
2452	powershell.exe
2732	tmp.exe
1156	powershell.exe
584	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

tmp.exesvchost.exe

description	pid	process	target process
PID 2732 wrote to memory of 2448	2732	tmp.exe	powershell.exe
PID 2732 wrote to memory of 2448	2732	tmp.exe	powershell.exe
PID 2732 wrote to memory of 2448	2732	tmp.exe	powershell.exe
PID 2732 wrote to memory of 2452	2732	tmp.exe	powershell.exe
PID 2732 wrote to memory of 2452	2732	tmp.exe	powershell.exe
PID 2732 wrote to memory of 2452	2732	tmp.exe	powershell.exe
PID 2732 wrote to memory of 2616	2732	tmp.exe	schtasks.exe
PID 2732 wrote to memory of 2616	2732	tmp.exe	schtasks.exe
PID 2732 wrote to memory of 2616	2732	tmp.exe	schtasks.exe
PID 2732 wrote to memory of 1588	2732	tmp.exe	schtasks.exe
PID 2732 wrote to memory of 1588	2732	tmp.exe	schtasks.exe
PID 2732 wrote to memory of 1588	2732	tmp.exe	schtasks.exe
PID 2732 wrote to memory of 1552	2732	tmp.exe	svchost.exe
PID 2732 wrote to memory of 1552	2732	tmp.exe	svchost.exe
PID 2732 wrote to memory of 1552	2732	tmp.exe	svchost.exe
PID 1552 wrote to memory of 1156	1552	svchost.exe	powershell.exe
PID 1552 wrote to memory of 1156	1552	svchost.exe	powershell.exe
PID 1552 wrote to memory of 1156	1552	svchost.exe	powershell.exe
PID 1552 wrote to memory of 584	1552	svchost.exe	powershell.exe
PID 1552 wrote to memory of 584	1552	svchost.exe	powershell.exe
PID 1552 wrote to memory of 584	1552	svchost.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:2616

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:1588

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7FE1.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f873a6af2f79e2303dbfdfc15d779c0f

SHA1
8cebc416f00e303e35c8aabaff0d79641e232088

SHA256
ffa2a1eb413ffc765c3de955eab2d08d8cdc9463fba99dceacb6b806bac5c783

SHA512
8db152b36c2b7e3ee5eabb4f48d8a97bde81d0d9e5cf763622922f3cb7a6f8ddec7a6d0449223b48074947d541dd2923dd8e2286f3a1760241efaeb8d914ef27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6433752b4ae77ae7410461db4d28b946

SHA1
1d107cf49bdabd65ebd88bcc44ef381085aa941d

SHA256
75224cab4de72800219285eaea6800adad335be44ce61d5b9539e8f4937724e3

SHA512
e3ae321fe139b094b7accdac9a3167c36362bc46413e67d503daf6cadd6f30e4f870568759471be75b2460132daaefdefab1e991531a836a845934c2d22d4925

Download Submit
\Windows\system\svchost.exe

Filesize
9.4MB

MD5
db3edf03a8a2c8e96fe2d2deaaec76ff

SHA1
2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1

SHA256
a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60

SHA512
121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135

Download Submit
memory/584-71-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/584-72-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/584-70-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/584-69-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/584-67-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/584-68-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/584-73-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/1156-59-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1156-60-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1156-61-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp

Filesize
9.6MB

Download
memory/1156-58-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp

Filesize
9.6MB

Download
memory/1156-57-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1156-56-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp

Filesize
9.6MB

Download
memory/1552-74-0x0000000180000000-0x000000018070E000-memory.dmp

Filesize
7.1MB

Download
memory/1552-50-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/1552-47-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/1552-46-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2448-16-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/2448-11-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2448-12-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2448-13-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp

Filesize
9.6MB

Download
memory/2448-14-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/2448-15-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp

Filesize
9.6MB

Download
memory/2448-18-0x0000000002D4B000-0x0000000002DB2000-memory.dmp

Filesize
412KB

Download
memory/2448-17-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/2448-19-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp

Filesize
9.6MB

Download
memory/2452-33-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/2452-26-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/2452-27-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2452-25-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2452-28-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2452-32-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2452-29-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/2452-31-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2452-30-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2732-48-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2732-0-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2732-6-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2732-4-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2732-3-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2732-2-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download
memory/2732-1-0x0000000140000000-0x0000000140A64400-memory.dmp

Filesize
10.4MB

Download