52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
Size

3.2MB
MD5

56969d3e42eb60bc95c97d51377f0de8
SHA1

6d9844be2bbcc86f9c07d8d40c774ce642502c4f
SHA256

52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79
SHA512

ad81e190b09b211a63ea9917934909576ee43c8f97f1b98020c0add770d57214a7e4ae11bc9601f42fced0124072a148d68dddd175995e1a8126de03d59112a0
SSDEEP

98304:DHK+r2k6cc9zrObZKEM8O8PluQhfgN5/7FBR:DHKRk8CsEEOfyd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
980	taskhost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\UltimateN\spoolsv.exe	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
396	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
396	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
980	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
Token: SeDebugPrivilege	980	taskhost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 832	2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe	31
PID 2644 wrote to memory of 832	2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe	31
PID 2644 wrote to memory of 832	2644	52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe	31
PID 832 wrote to memory of 1752	832	cmd.exe	33
PID 832 wrote to memory of 1752	832	cmd.exe	33
PID 832 wrote to memory of 1752	832	cmd.exe	33
PID 832 wrote to memory of 396	832	cmd.exe	34
PID 832 wrote to memory of 396	832	cmd.exe	34
PID 832 wrote to memory of 396	832	cmd.exe	34
PID 832 wrote to memory of 980	832	cmd.exe	35
PID 832 wrote to memory of 980	832	cmd.exe	35
PID 832 wrote to memory of 980	832	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe
"C:\Users\Admin\AppData\Local\Temp\52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GIQ8zR8vsm.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1752
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:396
- - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe
    "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe

Filesize
3.2MB

MD5
56969d3e42eb60bc95c97d51377f0de8

SHA1
6d9844be2bbcc86f9c07d8d40c774ce642502c4f

SHA256
52f9a067ce90bc745bc9a9d467a70e17f612f0d3944d730249fd980cdf5c3c79

SHA512
ad81e190b09b211a63ea9917934909576ee43c8f97f1b98020c0add770d57214a7e4ae11bc9601f42fced0124072a148d68dddd175995e1a8126de03d59112a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIQ8zR8vsm.bat

Filesize
203B

MD5
18f7e891941596ef11239ee4cda7feae

SHA1
ce3bd9ec68c8d66d7bbf124f5b6feb24cb8e4dfb

SHA256
bfb9393a4ebfdc3b74dde0a094a21e371400e97c23bee398054ff6529db199af

SHA512
86c0cba8f4393035c301d613e51290df644d699e900a40543d4af610000411a25c52087849997ed09ae3ea08400ae858726d5be624cdd049dca243a5fe408a6e

Download Submit
memory/980-3634-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/2644-0-0x000007FEF6573000-0x000007FEF6574000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000001180000-0x0000000001188000-memory.dmp

Filesize
32KB

Download
memory/2644-2-0x000000001AF60000-0x000000001B2EC000-memory.dmp

Filesize
3.5MB

Download
memory/2644-6-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-10-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-12-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-3-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-18-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-16-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-20-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-24-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-22-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-4-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-8-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-28-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-26-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-14-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-30-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-32-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-36-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-34-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-38-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-41-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-44-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-46-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-48-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-50-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-52-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-56-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-58-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-64-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-66-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-62-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-60-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-54-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-42-0x000000001AF60000-0x000000001B2E7000-memory.dmp

Filesize
3.5MB

Download
memory/2644-371-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-3560-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-3561-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-3563-0x00000000005D0000-0x00000000005F6000-memory.dmp

Filesize
152KB

Download
memory/2644-3565-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-3568-0x000007FEF6573000-0x000007FEF6574000-memory.dmp

Filesize
4KB

Download
memory/2644-3567-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/2644-3573-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-3578-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2644-3581-0x0000000000620000-0x0000000000630000-memory.dmp

Filesize
64KB

Download
memory/2644-3592-0x0000000000C60000-0x0000000000C76000-memory.dmp

Filesize
88KB

Download
memory/2644-3590-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-3594-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2644-3596-0x0000000000B10000-0x0000000000B1E000-memory.dmp

Filesize
56KB

Download
memory/2644-3600-0x0000000000C50000-0x0000000000C60000-memory.dmp

Filesize
64KB

Download
memory/2644-3598-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/2644-3602-0x000000001A6A0000-0x000000001A6FA000-memory.dmp

Filesize
360KB

Download
memory/2644-3604-0x0000000000CA0000-0x0000000000CAE000-memory.dmp

Filesize
56KB

Download
memory/2644-3606-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/2644-3610-0x00000000010F0000-0x0000000001108000-memory.dmp

Filesize
96KB

Download
memory/2644-3614-0x000000001AD30000-0x000000001AD7E000-memory.dmp

Filesize
312KB

Download
memory/2644-3612-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/2644-3608-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

Filesize
56KB

Download
memory/2644-3589-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/2644-3587-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-3631-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-3586-0x0000000000C20000-0x0000000000C32000-memory.dmp

Filesize
72KB

Download
memory/2644-3584-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-3583-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2644-3579-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-3576-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-3575-0x0000000000640000-0x0000000000658000-memory.dmp

Filesize
96KB

Download
memory/2644-3572-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2644-3570-0x0000000000600000-0x000000000061C000-memory.dmp

Filesize
112KB

Download
memory/2644-3564-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download