Analysis

  • max time kernel
    134s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/04/2024, 02:09

General

  • Target
    e4440c2e83349881f4eb518061cf8d670fc7b21fc44f5ab2739aa544215ef656.exe
  • Size
    515KB
  • MD5
    12ce0fcbac7ec93f74fa2cdebe7823c2
  • SHA1
    3e6e1492189ec5f0c2759c6c32b54b41a0ffcfbe
  • SHA256
    e4440c2e83349881f4eb518061cf8d670fc7b21fc44f5ab2739aa544215ef656
  • SHA512
    04d50d43e2c2d7b1d47c5b31a64d88cdea0838a3c9f977e14195d2991b358b94796dd51228fd0e3be52e6346e5f53ca5ba198bbecbb56b5ce9d2423cb69482ff
  • SSDEEP
    12288:L8T0rl0xZpu38AmaNmOI6d8gYlZHRQE43:L+IWfo3zNX8gYnHRQE43

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4440c2e83349881f4eb518061cf8d670fc7b21fc44f5ab2739aa544215ef656.exe
    "C:\Users\Admin\AppData\Local\Temp\e4440c2e83349881f4eb518061cf8d670fc7b21fc44f5ab2739aa544215ef656.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Users\Admin\AppData\Roaming\Triglock.exe
      "C:\Users\Admin\AppData\Roaming\Triglock.exe"
      2⤵
      • Executes dropped EXE
      PID:2956
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\system32\cmd.exe
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2964
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2632
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2932
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2672
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
          C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1560
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1344
            • C:\Windows\system32\schtasks.exe
              schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
              6⤵
              • Creates scheduled task(s)
              PID:1636
          • C:\Windows\system32\services32.exe
            "C:\Windows\system32\services32.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1192
            • C:\Windows\system32\cmd.exe
              "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2028
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                7⤵
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3064
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                7⤵
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2212
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                7⤵
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1932
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                7⤵
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:588
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
              6⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:696
              • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
                C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Modifies system certificate store
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1032
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
                  8⤵
                  PID:1448
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
                    9⤵
                    • Creates scheduled task(s)
                    PID:2276
                • C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
                  "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:1524
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
                  8⤵
                  PID:2664
                  • C:\Windows\system32\choice.exe
                    choice /C Y /N /D Y /T 3
                    9⤵
                    PID:1228
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2188
            • C:\Windows\system32\choice.exe
              choice /C Y /N /D Y /T 3
              6⤵
              PID:2044
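
The tree above shows four behaviours that the Signatures section only names: Defender exclusions added through Add-MpPreference for the user profile, AppData\Roaming, Temp and the Windows directory; a logon task "services32" created with /rl highest whose action is a dropped System32\services32.exe; executables named after Windows system binaries (svchost.exe run from Roaming, and svchost32.exe, services32.exe, sihost32.exe); and a "choice /C Y /N /D Y /T 3 & Del" delayed self-deletion of the dropper. The Python below is an added example, not part of the sandbox report and not the sample's own code: it runs detection rules for those four behaviours over a handful of process events constructed from the tree (PIDs, image paths and command lines copied from it). The rule names, the SYSTEM_NAMES list, the "a lookalike is a system name with 32 appended" heuristic and the "broad exclusion means at most two path components" threshold are this example's own assumptions, not tria.ge's or Defender's logic.

```python
# Added example (not from the report): detection rules for the tree above.
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass(frozen=True)
class Event:
    pid: int
    image: str    # full path of the executing image
    cmdline: str  # command line as the sandbox recorded it

@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Assumption: binaries with these names only run legitimately from SYSTEM_DIRS.
SYSTEM_NAMES = {"svchost.exe", "services.exe", "sihost.exe", "lsass.exe", "csrss.exe"}
QUOTED = r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))"  # one argument, quoted or bare
EXCL_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+" + QUOTED, re.I)
# "choice /C Y /N /D Y /T 3 & Del <file>": a sleep-then-delete that needs no ping or timeout.
SELFDEL_RE = re.compile(
    r"choice\s+/C\s+\S+\s+/N\s+/D\s+\S+\s+/T\s+(\d+)\s*&\s*del\s+\"?([^\"&]+?)\"?\s*$", re.I)

def _name(path):
    return PureWindowsPath(path).name.lower()

def _task_opt(cmdline, opt):
    """Value of a schtasks /opt argument with one layer of quoting removed."""
    m = re.search(r"/" + opt + r"\s+" + QUOTED, cmdline, re.I)
    return None if not m else next(v for v in m.groups() if v is not None).strip('"')

def masquerade_reason(path):
    """Why an image name looks like a Windows system binary but is not one (assumed heuristic)."""
    name, parent = _name(path), str(PureWindowsPath(path).parent).lower()
    if name in SYSTEM_NAMES and not parent.startswith(SYSTEM_DIRS):
        return f"{name} started outside a system directory ({parent})"
    stem = name[:-4] if name.endswith(".exe") else name
    if stem.endswith("32") and stem[:-2] + ".exe" in SYSTEM_NAMES:
        return f"{name} mimics {stem[:-2]}.exe"
    return None

def check_defender_exclusion(ev):
    """Exclusions added from the command line; a path covering a whole profile
    or %SystemRoot% (assumption: at most two path components) is flagged broad."""
    if _name(ev.image) != "powershell.exe":
        return []
    out = []
    for m in EXCL_RE.finditer(ev.cmdline):
        kind, value = m.group(1), next(v for v in m.groups()[1:] if v is not None)
        depth = len(PureWindowsPath(value).parts) - 1  # components after the drive
        scope = "broad" if kind.lower() == "path" and depth <= 2 else "narrow"
        out.append(Finding("defender_exclusion", ev.pid, f"{kind}={value} ({scope})"))
    return out

def check_scheduled_task(ev):
    """schtasks /create with a logon trigger, highest run level or a target
    whose name masquerades as a system binary."""
    if _name(ev.image) != "schtasks.exe" or not re.search(r"/create\b", ev.cmdline, re.I):
        return []
    name, target = _task_opt(ev.cmdline, "tn"), _task_opt(ev.cmdline, "tr")
    flags = []
    if (_task_opt(ev.cmdline, "sc") or "").lower() == "onlogon":
        flags.append("runs at logon")
    if (_task_opt(ev.cmdline, "rl") or "").lower() == "highest":
        flags.append("highest privileges")
    if target and masquerade_reason(target):
        flags.append(masquerade_reason(target))
    if not flags:
        return []
    return [Finding("scheduled_task_persistence", ev.pid, f"task {name!r} -> {target}: " + "; ".join(flags))]

def check_self_delete(ev):
    m = SELFDEL_RE.search(ev.cmdline)
    return [Finding("delayed_self_delete", ev.pid, f"deletes {m.group(2).strip()} after {m.group(1)}s")] if m else []

def check_masquerade(ev):
    reason = masquerade_reason(ev.image)
    return [Finding("system_name_masquerade", ev.pid, reason)] if reason else []

RULES = (check_defender_exclusion, check_scheduled_task, check_self_delete, check_masquerade)

def analyze(events):
    return [f for ev in events for rule in RULES for f in rule(ev)]

def summarize(findings):
    return dict(Counter(f.rule for f in findings))

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample: PIDs, images and command lines copied from the tree above.
SAMPLE_EVENTS = [
    Event(3016, r"C:\Users\Admin\AppData\Roaming\svchost.exe", r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'),
    Event(2964, PS, r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'"),
    Event(2632, PS, r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'"),
    Event(2672, PS, r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'"),
    Event(1560, r"C:\Users\Admin\AppData\Local\Temp\svchost32.exe",
          r'C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\svchost.exe"'),
    Event(1636, r"C:\Windows\system32\schtasks.exe",
          "schtasks /create /f /sc onlogon /rl highest /tn \"services32\" /tr '\"C:\\Windows\\system32\\services32.exe\"'"),
    Event(1192, r"C:\Windows\system32\services32.exe", r'"C:\Windows\system32\services32.exe"'),
    Event(2188, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"'),
    Event(2044, r"C:\Windows\system32\choice.exe", r"choice /C Y /N /D Y /T 3"),
    Event(1524, r"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe", r'"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

Run stand-alone, the block prints one finding per line: three exclusion findings (two of them broad), one persistence finding carrying all three flags, one self-deletion finding naming the deleted dropper, and four name-masquerade findings. Two caveats worth keeping in mind when reusing the rules: the exclusion rule only inspects powershell.exe, so the cmd.exe wrapper with the unexpanded '%UserProfile%' arguments is deliberately not double-counted, and the Defender PowerShell module that provides Add-MpPreference ships with Windows 8 / Server 2012 and later, so on this Windows 7 image those four commands most likely failed even though the sandbox recorded them. On a live host the quick equivalents are Get-MpPreference (ExclusionPath property) and schtasks /query /tn services32; that mapping is a suggestion of this example, not something the report states.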

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize 68KB
    MD5 29f65ba8e88c063813cc50a4ea544e93
    SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 304B
    MD5 1f9c97d7d4e6b19cca7c972a0215bc20
    SHA1 6523ba7575de87519de530d14dbe57bd6f60b8c3
    SHA256 8e49c7b267def80501a2479409757f3c371d70965a7dca6b9fe712d9ee258071
    SHA512 aac8e491fe0bbcc5384e7f5f2f2f1e441a5fb169e7d4c4aee6727aadb51b52af720e87cdf58c8ddfcdd9ba285a1542b0637cad7081dab3da08e633860d57cd41

  • C:\Users\Admin\AppData\Local\Temp\TarAE6F.tmp
    Filesize 177KB
    MD5 435a9ac180383f9fa094131b173a2f7b
    SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
    SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
    SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize 7KB
    MD5 56ffadbe36e9236c99985f838768bc00
    SHA1 a1a97d00c0a7b4c9613abdba743d0bbc23a60e7f
    SHA256 ac80e78bd431e0e8fcd88e27529f3d6ab60b45a9d70a847db504d5875b6a45a3
    SHA512 0646dfc7e3d40a58faf6e5158406eb873fc3c1da2cc52477413f4f8ec8d8ba8d0c06b8a6b44051340d9613960e2e6facf04729b619137218e0f54801509119ba

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XL18FDZD7NNFZJ3EU08P.temp
    Filesize 7KB
    MD5 fc46cc5231b4f3524e68f9beacc8d796
    SHA1 a73401b8a5d733b7bad4fc4304567d09d0c4dcf5
    SHA256 a6147b3acc042ae1a45d2fb2dfa861163460cbaf3e02413060549709641fb9a2
    SHA512 bf7c29bb5a54404725e7b2658a37d82b3c5aa5362ea0e8b010527db4739456e88bef7f7c9af5626eebd5ca538eed0a532a32c83f9d733789ac0c1d4f85a4f1eb

  • C:\Users\Admin\AppData\Roaming\Triglock.exe
    Filesize 318KB
    MD5 8c5d6d26e5eb3c44d78b49c6fb84917d
    SHA1 7bf88ed3da0c4a10e886dc574efc3f9931b3ed0c
    SHA256 28fd677f28f68716623d52ebbd6e371b1fdf2da08c66c0cfc881f0d3034b8705
    SHA512 045bf0303ff6293bc73f6bf54f291b35c0289b9c6d61d1689672f2305e74f152a7dd895e3df6509f99dda4c182788543d1557cfd155d57791e2e7d18d599d4f6

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize 30KB
    MD5 13f5033484939662a0346a5b44afd9cb
    SHA1 1ead60defc4d300323b22ecef7d5693c64e4821c
    SHA256 4e86e7fbccf0e9ebc2123d0a13bcab52551b1aeed587a47f46850f438cddc151
    SHA512 7664364db479ef9761954713e5ca4514f4b1a24d874bfa3f255c93361f22f6e8ac9d6e69a9fa5a45a8f3195a12ba7a91a2481fd8ef70d83f3017c3911eae102d

  • \Users\Admin\AppData\Local\Temp\svchost32.exe
    Filesize 23KB
    MD5 56a1be0bb3f4920ed7f46328a3b1a665
    SHA1 65b0baa5702ffdacb35f6a63c050214d6a29265e
    SHA256 bc964ab93f33cdfbfbf1c94c7b16708b0f0a1f785e0d95d7ff0b2aa34f365761
    SHA512 60051e7e28e155addb07af6d02ad59712c8263f2cf6c37e9b96aff9bc8d8cdca47d0e0acfd41bd6c9a9ed3db332ffa143be5624859cce303ac332af9be2f6ef0

  • \Windows\System32\Microsoft\Telemetry\sihost32.exe
    Filesize 7KB
    MD5 b5dea1dff6287537c8b0b7aa67f50781
    SHA1 ea3de75d7b68d767a9f386afbbca2fc6e62a0b67
    SHA256 b84264d268395ae7790b82927de9fe4f73b5574848e814311f6c560641a6b7da
    SHA512 b11232eed759c197c1a888065379fdf31aa6e45da2e8097975e8a728d20a49d4f801d8ee486c05e3a5dd5f9bc2ca4c20c36d6a6075ec2077f0c7597d506d8f1e

  • memory/1032-87-0x000000013F730000-0x000000013F73A000-memory.dmp
    Filesize 40KB
  • memory/1192-59-0x000000013FF90000-0x000000013FF9C000-memory.dmp
    Filesize 48KB
  • memory/1524-94-0x000000013F3E0000-0x000000013F3E6000-memory.dmp
    Filesize 24KB
  • memory/1560-51-0x000000013FB70000-0x000000013FB7A000-memory.dmp
    Filesize 40KB
  • memory/2632-32-0x000000001B4F0000-0x000000001B7D2000-memory.dmp
    Filesize 2.9MB
  • memory/2632-33-0x0000000001E60000-0x0000000001E68000-memory.dmp
    Filesize 32KB
  • memory/2912-0-0x0000000074750000-0x0000000074CFB000-memory.dmp
    Filesize 5.7MB
  • memory/2912-1-0x0000000074750000-0x0000000074CFB000-memory.dmp
    Filesize 5.7MB
  • memory/2912-2-0x0000000000690000-0x00000000006D0000-memory.dmp
    Filesize 256KB
  • memory/2912-16-0x0000000074750000-0x0000000074CFB000-memory.dmp
    Filesize 5.7MB
  • memory/2932-39-0x000000001B570000-0x000000001B852000-memory.dmp
    Filesize 2.9MB
  • memory/2932-40-0x0000000002250000-0x0000000002258000-memory.dmp
    Filesize 32KB
  • memory/2956-19-0x0000000072670000-0x0000000072D5E000-memory.dmp
    Filesize 6.9MB
  • memory/2956-81-0x0000000072670000-0x0000000072D5E000-memory.dmp
    Filesize 6.9MB
  • memory/2956-17-0x00000000008A0000-0x00000000008F6000-memory.dmp
    Filesize 344KB
  • memory/2964-25-0x000000001B720000-0x000000001BA02000-memory.dmp
    Filesize 2.9MB
  • memory/2964-26-0x0000000001D60000-0x0000000001D68000-memory.dmp
    Filesize 32KB
  • memory/3016-20-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp
    Filesize 9.9MB
  • memory/3016-18-0x000000013F690000-0x000000013F69C000-memory.dmp
    Filesize 48KB
  • memory/3016-52-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp
    Filesize 9.9MB