37067d525d2040ee7d7be8308eff29820ca32a98dfb4eccef02ecd2e6eb449b2

Analysis

max time kernel
146s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 10:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Doc 30042024.exe
Size

700KB
MD5

906c05a0a8bfdee429158ddee0c83f0f
SHA1

51a6f04876623b6d0b5d51c7008719445ef2e4fa
SHA256

37067d525d2040ee7d7be8308eff29820ca32a98dfb4eccef02ecd2e6eb449b2
SHA512

1526c1e426a5f00a3916c493ac2faa1ec7553f3e77abc8ad4609b421e28a8bfe6c2e84f6b07803f34760f67f9acf9623ec3c17cebdeb7c5d3a2dda8136deba0d
SSDEEP

12288:IBmyADA/UpSnMjmSR+093uziocueWFm++mFUvTZL18YEFrK9gbzKs1XmZgI2jdIM:SRFm+pFq18PrdbzKNCdSSydS0

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2792 set thread context of 2924	2792	Doc 30042024.exe	34
PID 2924 set thread context of 1204	2924	RegSvcs.exe	21
PID 2924 set thread context of 2784	2924	RegSvcs.exe	35
PID 2784 set thread context of 1204	2784	setupugc.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2388	powershell.exe
2344	powershell.exe
2924	RegSvcs.exe
2924	RegSvcs.exe
2924	RegSvcs.exe
2924	RegSvcs.exe
2924	RegSvcs.exe
2924	RegSvcs.exe
2924	RegSvcs.exe
2924	RegSvcs.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe
2784	setupugc.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2924	RegSvcs.exe
1204	Explorer.EXE
1204	Explorer.EXE
2784	setupugc.exe
2784	setupugc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2388	2792	Doc 30042024.exe	28
PID 2792 wrote to memory of 2388	2792	Doc 30042024.exe	28
PID 2792 wrote to memory of 2388	2792	Doc 30042024.exe	28
PID 2792 wrote to memory of 2388	2792	Doc 30042024.exe	28
PID 2792 wrote to memory of 2344	2792	Doc 30042024.exe	30
PID 2792 wrote to memory of 2344	2792	Doc 30042024.exe	30
PID 2792 wrote to memory of 2344	2792	Doc 30042024.exe	30
PID 2792 wrote to memory of 2344	2792	Doc 30042024.exe	30
PID 2792 wrote to memory of 2644	2792	Doc 30042024.exe	31
PID 2792 wrote to memory of 2644	2792	Doc 30042024.exe	31
PID 2792 wrote to memory of 2644	2792	Doc 30042024.exe	31
PID 2792 wrote to memory of 2644	2792	Doc 30042024.exe	31
PID 2792 wrote to memory of 2924	2792	Doc 30042024.exe	34
PID 2792 wrote to memory of 2924	2792	Doc 30042024.exe	34
PID 2792 wrote to memory of 2924	2792	Doc 30042024.exe	34
PID 2792 wrote to memory of 2924	2792	Doc 30042024.exe	34
PID 2792 wrote to memory of 2924	2792	Doc 30042024.exe	34
PID 2792 wrote to memory of 2924	2792	Doc 30042024.exe	34
PID 2792 wrote to memory of 2924	2792	Doc 30042024.exe	34
PID 2792 wrote to memory of 2924	2792	Doc 30042024.exe	34
PID 2792 wrote to memory of 2924	2792	Doc 30042024.exe	34
PID 2792 wrote to memory of 2924	2792	Doc 30042024.exe	34
PID 1204 wrote to memory of 2784	1204	Explorer.EXE	35
PID 1204 wrote to memory of 2784	1204	Explorer.EXE	35
PID 1204 wrote to memory of 2784	1204	Explorer.EXE	35
PID 1204 wrote to memory of 2784	1204	Explorer.EXE	35
PID 1204 wrote to memory of 2784	1204	Explorer.EXE	35
PID 1204 wrote to memory of 2784	1204	Explorer.EXE	35
PID 1204 wrote to memory of 2784	1204	Explorer.EXE	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\Doc 30042024.exe
  "C:\Users\Admin\AppData\Local\Temp\Doc 30042024.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Doc 30042024.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tFhweqVBZAYGF.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tFhweqVBZAYGF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F51.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2924
- C:\Windows\SysWOW64\setupugc.exe
  "C:\Windows\SysWOW64\setupugc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3F51.tmp

Filesize
1KB

MD5
09077157b9cfae491e3f9d8f04083f80

SHA1
353583325b2dae33be2c77e6cb07e74dd1715cc3

SHA256
38a33c9bf4c6c511995aeca78bf1c3760e3aa4d943a0b613043a9526b7983fcb

SHA512
31236fdbdb936312ae0b0f6a735a365c8c69d16f62652c7de582762af35c482fe316a4b42b931a6a3d04f86488f1fa12f38ac0ec69bddaa23c88329c47985afe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0a923f6eb6f1c442564f456efdd6fb10

SHA1
1478412228ce5d90749c6cdb007c9aa702de7d95

SHA256
6179bc3f372810c653789c24fed182e57b993b567aa2e59d48d5fff79a04bb7e

SHA512
87d8bcad9dcd1dce3e7ffc56b5db9a8523328b75740ef9ad4fb0d910c78c992ac15eef069e9d3f338460dd371c3a92b98f6562e93e75d4b12f7543dfa876508e

Download Submit
memory/1204-30-0x0000000000190000-0x0000000000290000-memory.dmp

Filesize
1024KB

Download
memory/1204-27-0x00000000031E0000-0x00000000032E0000-memory.dmp

Filesize
1024KB

Download
memory/2784-29-0x00000000000D0000-0x000000000010F000-memory.dmp

Filesize
252KB

Download
memory/2784-28-0x00000000000D0000-0x000000000010F000-memory.dmp

Filesize
252KB

Download
memory/2792-4-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/2792-6-0x0000000004ED0000-0x0000000004F5A000-memory.dmp

Filesize
552KB

Download
memory/2792-5-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/2792-25-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2792-0-0x0000000000220000-0x00000000002D4000-memory.dmp

Filesize
720KB

Download
memory/2792-3-0x0000000000590000-0x00000000005A8000-memory.dmp

Filesize
96KB

Download
memory/2792-2-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download
memory/2792-1-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2924-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2924-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2924-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2924-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2924-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download