Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 02/06/2024, 01:05
Static task: static1
Behavioral task: behavioral1
  Sample: 1de70ae6a465a3132c37a907f37be0410e6febd57eb5a02b26711ddab94a85c3.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 1de70ae6a465a3132c37a907f37be0410e6febd57eb5a02b26711ddab94a85c3.exe
  Resource: win10v2004-20240508-en
General
Target: 1de70ae6a465a3132c37a907f37be0410e6febd57eb5a02b26711ddab94a85c3.exe
Size: 627KB
MD5: f64ac2d52a86b86f08b6c4bdc2d443e8
SHA1: 9268869f34ee1669642d8772273852789ec8fec9
SHA256: 1de70ae6a465a3132c37a907f37be0410e6febd57eb5a02b26711ddab94a85c3
SHA512: b0ae630ff80b5277408c18a2d6bbd0c405ab370d0549607e3f3093feb1a1f9807fe4b6433d8b9fd5a4c6f105e7583c602594d356df7b5a6a15bc127fc20c7b9b
SSDEEP: 12288:wSO9Dx9JGtrjUCb5O3GwrJdovetVZK/WNIc9MSuklCpNkkblz1JEV2PjC/64owCY:NOdJGhjXs3GwrYv9/WNjySudblrs2Pj8
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
  pid 2572, process powershell.exe
Executes dropped EXE (1 IoCs)
  pid 2924, process Parameters.exe
Loads dropped DLL (1 IoCs)
  pid 1564, process taskeng.exe
Drops file in System32 directory (1 IoCs)
  description: File opened for modification
  ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  process: powershell.exe
Suspicious use of SetThreadContext (1 IoCs)
  description: PID 2924 set thread context of 1508
  pid 2924, process Parameters.exe, procid_target 34
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 2572, process powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, pid 2004, process 1de70ae6a465a3132c37a907f37be0410e6febd57eb5a02b26711ddab94a85c3.exe
  Token: SeDebugPrivilege, pid 2572, process powershell.exe
  Token: SeDebugPrivilege, pid 2924, process Parameters.exe
  Token: SeDebugPrivilege, pid 1508, process RegAsm.exe
Suspicious use of WriteProcessMemory (13 IoCs)
  PID 2620 wrote to memory of 2572, pid 2620, process taskeng.exe, procid_target 30
  PID 2620 wrote to memory of 2572, pid 2620, process taskeng.exe, procid_target 30
  PID 2620 wrote to memory of 2572, pid 2620, process taskeng.exe, procid_target 30
  PID 1564 wrote to memory of 2924, pid 1564, process taskeng.exe, procid_target 33
  PID 1564 wrote to memory of 2924, pid 1564, process taskeng.exe, procid_target 33
  PID 1564 wrote to memory of 2924, pid 1564, process taskeng.exe, procid_target 33
  PID 2924 wrote to memory of 1508, pid 2924, process Parameters.exe, procid_target 34
  PID 2924 wrote to memory of 1508, pid 2924, process Parameters.exe, procid_target 34
  PID 2924 wrote to memory of 1508, pid 2924, process Parameters.exe, procid_target 34
  PID 2924 wrote to memory of 1508, pid 2924, process Parameters.exe, procid_target 34
  PID 2924 wrote to memory of 1508, pid 2924, process Parameters.exe, procid_target 34
  PID 2924 wrote to memory of 1508, pid 2924, process Parameters.exe, procid_target 34
  PID 2924 wrote to memory of 1508, pid 2924, process Parameters.exe, procid_target 34
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\1de70ae6a465a3132c37a907f37be0410e6febd57eb5a02b26711ddab94a85c3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1de70ae6a465a3132c37a907f37be0410e6febd57eb5a02b26711ddab94a85c3.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 2004

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {6DA35476-D1D3-4BF8-B2E5-E86385A52125} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:S4U:
  - Suspicious use of WriteProcessMemory
  PID: 2620
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc 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
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2572

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {BBCC50E0-FFC2-4E81-9C86-ED996D730C69} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1564
    C:\Users\Admin\AppData\Roaming\Index\Parameters.exe
      command line: C:\Users\Admin\AppData\Roaming\Index\Parameters.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2924
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
          command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
          - Suspicious use of AdjustPrivilegeToken
          PID: 1508
Network
MITRE ATT&CK Enterprise v15