64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab | Triage

Resubmissions

17/04/2024, 12:37

240417-pths4afc45 8

17/04/2024, 12:37

240417-ptg7kafc43 8

17/04/2024, 12:36

240417-ptcbbafc34 8

17/04/2024, 12:36

240417-ptbpsafc29 8

17/04/2024, 12:36

240417-pta39afc28 8

16/04/2024, 13:44

240416-q1vxnsda7z 8

Analysis

max time kernel
146s
max time network
141s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 12:36

Sharing

Report Analysis Logs

General

Target

64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
Size

5.3MB
MD5

63552c60caeefe5f2d0e4028b3cc65d3
SHA1

dbed3040d53495a6afda01bfb8399376792eb48c
SHA256

64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab
SHA512

caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0
SSDEEP

98304:vwrOjNr08jQxkFg97Nw76XgfqCPa1AQy2cmw:YC5r0wQxKg97Nw76XgyC6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2044	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
2156	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
File created	C:\Windows\System\svchost.exe	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
File opened for modification	C:\Windows\System\svchost.exe	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
1640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2540	powershell.exe
2816	powershell.exe
2156	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
1308	powershell.exe
2460	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2540	2156	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	28
PID 2156 wrote to memory of 2540	2156	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	28
PID 2156 wrote to memory of 2540	2156	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	28
PID 2156 wrote to memory of 2816	2156	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	30
PID 2156 wrote to memory of 2816	2156	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	30
PID 2156 wrote to memory of 2816	2156	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	30
PID 2156 wrote to memory of 1640	2156	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	32
PID 2156 wrote to memory of 1640	2156	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	32
PID 2156 wrote to memory of 1640	2156	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	32
PID 2156 wrote to memory of 2044	2156	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	34
PID 2156 wrote to memory of 2044	2156	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	34
PID 2156 wrote to memory of 2044	2156	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	34
PID 2044 wrote to memory of 2460	2044	svchost.exe	37
PID 2044 wrote to memory of 2460	2044	svchost.exe	37
PID 2044 wrote to memory of 2460	2044	svchost.exe	37
PID 2044 wrote to memory of 1308	2044	svchost.exe	39
PID 2044 wrote to memory of 1308	2044	svchost.exe	39
PID 2044 wrote to memory of 1308	2044	svchost.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
"C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\system32\schtasks.exe
  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:1640
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cc02976cf21fadf4fa5c6976980cbfe9

SHA1
9e109bda62ba6815afc4d5e8ab3c5558eb60467c

SHA256
21c22ed5098e2204493d9c8fd8948799374355add47b4b43a5e848003ec285a3

SHA512
f7245f73d60a185e2b3a4dedf83a674f7fda36246887a9a042cb4d74795d30e876bab1e4118896614d8712acd56bd037677eff07a912a99db3fd2c4a60b34f29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NMB0EGFSJTMZIBS5SCZ7.temp

Filesize
7KB

MD5
25de9b01af7ea78915505610f496ffe2

SHA1
bb1666b4f3d5970fc1c1affcae204642421ea836

SHA256
9f54cbefdc30e83a63cb67adac90a2270e22367ade2e99a01e6cb295a0524457

SHA512
7d6ea3353c2606858e9d78190aabb3271ad3657d2770f9be7be1f1375273143a5e33077f65ea43308e59d9aa31e67ef2c10c3bc8011d8d19a82bbdc7aa210769

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
8c29dca81612f559ac2e9aa5012896e4

SHA1
e7b504c8be6ae987ced54380dc2a34d03c613ef7

SHA256
b8ac5707fb24e123ee2bb53e97cfb166b3e86f1ee46b36bef7c41cf0f58047fd

SHA512
7c910b5c97dc3f556d35c9b48dd5ea4c4b55827bb66b508347c63650ad744f3992280df808a187f06daede1895347c46787fd110ba2015f92a927ab1f650a98c

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.9MB

MD5
0395a3bde1be2534454936abbc0fe7e9

SHA1
09c3bc8fa097c9e1f70951572e106719baf8acd5

SHA256
823de6a79909537e0acae9bf4cb51905e0a446e46b88bff523abbcd2ea40cb33

SHA512
347ea37c3a03c56caa85930e67adcc28c749a0b1bba33107efcaa5a4d63c9881ea33f95450c1e72d99beed6d3520236db8c3551c588f0cee461a7784c20f3dfb

Download Submit
\Windows\system\svchost.exe

Filesize
5.3MB

MD5
63552c60caeefe5f2d0e4028b3cc65d3

SHA1
dbed3040d53495a6afda01bfb8399376792eb48c

SHA256
64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab

SHA512
caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0

Download Submit
memory/1308-69-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

Filesize
9.6MB

Download
memory/1308-76-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/1308-67-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/1308-66-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

Filesize
9.6MB

Download
memory/1308-65-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/1308-63-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/1308-82-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

Filesize
9.6MB

Download
memory/2044-72-0x000000000B970000-0x000000000BE6C000-memory.dmp

Filesize
5.0MB

Download
memory/2044-91-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/2044-48-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/2044-46-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/2156-42-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/2156-6-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/2156-4-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/2156-5-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/2156-3-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/2156-0-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/2460-75-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-60-0x000000001B490000-0x000000001B772000-memory.dmp

Filesize
2.9MB

Download
memory/2460-71-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2460-70-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2460-61-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-68-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2460-62-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2460-64-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

Filesize
9.6MB

Download
memory/2540-17-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2540-28-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2540-20-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-29-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2540-30-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-27-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/2540-26-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-21-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2816-23-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/2816-16-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2816-22-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-25-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-18-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-24-0x00000000028DB000-0x0000000002942000-memory.dmp

Filesize
412KB

Download
memory/2816-19-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download