f6c65ad0928c2855ca9eceb44957e3fb6a634d0c2ff4b4d595491dd52ddb1b65

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VC_Redist.86x.exe
Size

76.4MB
MD5

7a5033c55b79ff312e386b82b595b79a
SHA1

fca8752eb08f13e81d6c36a2e02c3e44413c7381
SHA256

f6c65ad0928c2855ca9eceb44957e3fb6a634d0c2ff4b4d595491dd52ddb1b65
SHA512

0c8b2360d72dd1e8a69ec2f8100762ce18b9826d891e8eb6bf8d0eb5819c713fe8a07fae01f074c103afb33c6389b16f9d3f16e3dcad7edd6f204ee3180d9c4e
SSDEEP

1572864:NviEZjFAWSk8IpG7V+VPhqYdfME7mjx6iYweyJulZUdgu0WV6jYm11qZ9U3:NvZZmWSkB05awcfQtnpuK0cmc9U

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2520	VC_Redist.86x.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000001cbeb-1252.dat	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe
Token: 33	2472	mmc.exe
Token: SeIncBasePriorityPrivilege	2472	mmc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2472	mmc.exe
2472	mmc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2520	1660	VC_Redist.86x.exe	28
PID 1660 wrote to memory of 2520	1660	VC_Redist.86x.exe	28
PID 1660 wrote to memory of 2520	1660	VC_Redist.86x.exe	28
PID 2472 wrote to memory of 2864	2472	mmc.exe	30
PID 2472 wrote to memory of 2864	2472	mmc.exe	30
PID 2472 wrote to memory of 2864	2472	mmc.exe	30

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\VC_Redist.86x.exe
"C:\Users\Admin\AppData\Local\Temp\VC_Redist.86x.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\VC_Redist.86x.exe
  "C:\Users\Admin\AppData\Local\Temp\VC_Redist.86x.exe"
  2⤵
  - Loads dropped DLL
  PID:2520

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 1124
  2⤵
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI16602\python312.dll

Filesize
1.7MB

MD5
73ecc8d4decf6f198d6505bde482e37a

SHA1
ed30f5bd628b4a5de079062ea9b909b99807021c

SHA256
b598545be6c99f7db852a510768ecf80ed353fad3989af342bc6faf66fd64648

SHA512
56923c477d35680aed73980e0404768f841da868ca11f39888caff0fc06f4ae906551b4bd47f98dda2cc2d81ea9eed17fa7c17aa59d4d7c37510ba24d7ac5976

Download Submit
memory/2472-2512-0x000000001D5D0000-0x000000001D916000-memory.dmp

Filesize
3.3MB

Download
memory/2472-2508-0x000007FEF47F0000-0x000007FEF518D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-2513-0x00000000049A0000-0x0000000004A20000-memory.dmp

Filesize
512KB

Download
memory/2472-2509-0x00000000049A0000-0x0000000004A20000-memory.dmp

Filesize
512KB

Download
memory/2472-2516-0x00000000049A0000-0x0000000004A20000-memory.dmp

Filesize
512KB

Download
memory/2472-2510-0x000007FEF47F0000-0x000007FEF518D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-2511-0x00000000049A0000-0x0000000004A20000-memory.dmp

Filesize
512KB

Download
memory/2472-2515-0x00000000049A0000-0x0000000004A20000-memory.dmp

Filesize
512KB

Download
memory/2472-2507-0x00000000026D0000-0x00000000026EE000-memory.dmp

Filesize
120KB

Download
memory/2472-2506-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2472-2521-0x000007FEF47F0000-0x000007FEF518D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-2517-0x00000000049A0000-0x0000000004A20000-memory.dmp

Filesize
512KB

Download
memory/2472-2518-0x000007FFFFF00000-0x000007FFFFF10000-memory.dmp

Filesize
64KB

Download
memory/2472-2514-0x00000000049A0000-0x0000000004A20000-memory.dmp

Filesize
512KB

Download
memory/2472-2519-0x00000000049A0000-0x0000000004A20000-memory.dmp

Filesize
512KB

Download
memory/2520-1254-0x000007FEF5D60000-0x000007FEF6425000-memory.dmp

Filesize
6.8MB

Download
memory/2864-2520-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download