17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 03:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe
Size

1.7MB
MD5

2c6381ccdb06c90a2bb76ee92b1fb1c7
SHA1

02695069282c95b21abf6efaf188ca541fa64893
SHA256

17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723
SHA512

65f5b0c286692aced95c6d8f1883de21154c5217ddf81e05f3221aeb0e1942acc3197bf373fc38f91220c8f5181de06bcea53d0bbf071d7fc76ff150dfdbdf4c
SSDEEP

49152:meKzRteZ9/3eFdPxP+pAbTmVPDhpltCmoo8:XQzeZiPogTmVu

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
988	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
4828	tor.exe
4864	tor.exe

Loads dropped DLL 4 IoCs

pid	Process
1364	InstallUtil.exe
1364	InstallUtil.exe
1364	InstallUtil.exe
1364	InstallUtil.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1076 set thread context of 1364	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1364	InstallUtil.exe
988	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe
Token: SeDebugPrivilege	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe
Token: SeDebugPrivilege	1364	InstallUtil.exe
Token: SeDebugPrivilege	988	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1364	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	30
PID 1076 wrote to memory of 1364	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	30
PID 1076 wrote to memory of 1364	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	30
PID 1076 wrote to memory of 1364	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	30
PID 1076 wrote to memory of 1364	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	30
PID 1076 wrote to memory of 1364	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	30
PID 1076 wrote to memory of 1364	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	30
PID 1076 wrote to memory of 1364	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	30
PID 1076 wrote to memory of 1364	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	30
PID 1076 wrote to memory of 1364	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	30
PID 1076 wrote to memory of 1364	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	30
PID 1076 wrote to memory of 1364	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	30
PID 1076 wrote to memory of 988	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	31
PID 1076 wrote to memory of 988	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	31
PID 1076 wrote to memory of 988	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	31
PID 1076 wrote to memory of 988	1076	17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe	31
PID 1364 wrote to memory of 4828	1364	InstallUtil.exe	34
PID 1364 wrote to memory of 4828	1364	InstallUtil.exe	34
PID 1364 wrote to memory of 4828	1364	InstallUtil.exe	34
PID 1364 wrote to memory of 4828	1364	InstallUtil.exe	34
PID 1364 wrote to memory of 4864	1364	InstallUtil.exe	35
PID 1364 wrote to memory of 4864	1364	InstallUtil.exe	35
PID 1364 wrote to memory of 4864	1364	InstallUtil.exe	35
PID 1364 wrote to memory of 4864	1364	InstallUtil.exe	35

C:\Users\Admin\AppData\Local\Temp\17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe
"C:\Users\Admin\AppData\Local\Temp\17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Local\Temp\tor-expert-bundle\tor\tor.exe
    "C:\Users\Admin\AppData\Local\Temp\tor-expert-bundle\tor\tor.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4828
- - C:\Users\Admin\AppData\Local\Temp\tor-expert-bundle\tor\tor.exe
    "C:\Users\Admin\AppData\Local\Temp\tor-expert-bundle\tor\tor.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\17f5e5faec0b08c1db60cfe402d3f74e7155f7e14304c3d78b1536d40ac4b723.exe' -Force
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
96467d136c044c96750f4f7a5c4467f4

SHA1
b58e9d05d9a2d7f3718eb0d1f268afdf4e7a3934

SHA256
4329a7394ca90c818e1114b36957972ae9ac699318ad234225143f54747ddb22

SHA512
c1ce20cdd76b36fd293b0bc38075fc79138bb377a4b0033f21e4a5a7b0291ff496f4feec1deff5a1a290ae67aac76e04f7c2581804523bb074f1f5d7d173264d

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
8.3MB

MD5
0f97c488156da894195876ae168dbb15

SHA1
932f60cd5f1195e435b91b60682f3a8bad098862

SHA256
cfcb3660b033f4c25f64b4c12b1cb405816a9dac9da6c3321160b549a3dba219

SHA512
c56899caec42e2422db758692e2b9004311fadb03d5c48b0156908db1d375edfd8e7240d18176eb258af92569067fe451b4ccb1d40bab80159fb65832692bc70

Download Submit
\Users\Admin\AppData\Local\Temp\tor-expert-bundle\tor\tor.exe

Filesize
8.2MB

MD5
5179f849028ea7e91880fdbec33755ea

SHA1
b6bb07ecd7693a63d8fd2b17bb90d233b20e11ca

SHA256
005d1c477774807f69d97aed91dd2baf8eeefd3f657c77db393b5f2fa1860537

SHA512
3fe1a6504c9872f39edee937fc1ee04577ce01fd26b869d6c5edbc96799ae5dfce593434b085dc21a35e1d2b84ab94cf947de6f6196550acc717e65325395270

Download Submit
memory/1076-68-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-66-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-64-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-62-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-60-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-58-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-56-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-54-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-53-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-50-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-48-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-46-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-44-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-42-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-40-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-36-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-34-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-32-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-30-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-28-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-26-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-24-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-22-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-20-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-18-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-16-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-12-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-10-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-38-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-14-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-8-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-6-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-5-0x0000000004FE0000-0x000000000518F000-memory.dmp

Filesize
1.7MB

Download
memory/1076-4-0x0000000004FE0000-0x0000000005194000-memory.dmp

Filesize
1.7MB

Download
memory/1076-3-0x0000000004D20000-0x0000000004ED6000-memory.dmp

Filesize
1.7MB

Download
memory/1076-2-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/1076-1-0x0000000000270000-0x0000000000434000-memory.dmp

Filesize
1.8MB

Download
memory/1076-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

Filesize
4KB

Download
memory/1076-1079-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/1076-1080-0x0000000005680000-0x00000000057B0000-memory.dmp

Filesize
1.2MB

Download
memory/1076-1081-0x00000000007E0000-0x000000000082C000-memory.dmp

Filesize
304KB

Download
memory/1076-1082-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/1076-1083-0x0000000000D80000-0x0000000000DD4000-memory.dmp

Filesize
336KB

Download
memory/1076-1099-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/1364-1098-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1364-1101-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/1364-1102-0x0000000000880000-0x0000000000996000-memory.dmp

Filesize
1.1MB

Download
memory/1364-1100-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/1364-3377-0x0000000002530000-0x00000000025CE000-memory.dmp

Filesize
632KB

Download
memory/1364-3380-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download