649c75d99b6d8e237d8a8d0142796fcbfa7381674628201f474b58039144ec2a

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Size

2.4MB
MD5

989cb0bfa4cc0bd8e8302f47add8e368
SHA1

515b82386397ec822edbce6f24a6c4b9d13b0344
SHA256

932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef
SHA512

9211bb8622c7dee790db4847a9095bfd8dc48d324a400f374ab42ce65c1e2295cc6392a16e031282f6b3fa29a1881487016c9b817e05d65420d7db41f4548583
SSDEEP

24576:pu4wFHPSaD/zXFRRhOnYQb6VOOmWC9+HW0MigJS3Cd+XHKrQD2YR:

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe

pid	Process
2760	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
3536	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe

Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid	Process
1928	taskeng.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe

description	pid	Process	procid_target
PID 1292 set thread context of 4792	1292	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	33
PID 2760 set thread context of 3536	2760	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
4552	powershell.exe
2876	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exe932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exepowershell.exe932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe

description	pid	Process
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	1292	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Token: SeDebugPrivilege	4792	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2760	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Token: SeDebugPrivilege	3536	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exetaskeng.exe932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe

description	pid	Process	procid_target
PID 1292 wrote to memory of 4552	1292	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	31
PID 1292 wrote to memory of 4552	1292	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	31
PID 1292 wrote to memory of 4552	1292	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	31
PID 1292 wrote to memory of 4792	1292	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	33
PID 1292 wrote to memory of 4792	1292	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	33
PID 1292 wrote to memory of 4792	1292	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	33
PID 1292 wrote to memory of 4792	1292	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	33
PID 1292 wrote to memory of 4792	1292	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	33
PID 1292 wrote to memory of 4792	1292	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	33
PID 1292 wrote to memory of 4792	1292	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	33
PID 1928 wrote to memory of 2760	1928	taskeng.exe	36
PID 1928 wrote to memory of 2760	1928	taskeng.exe	36
PID 1928 wrote to memory of 2760	1928	taskeng.exe	36
PID 2760 wrote to memory of 2876	2760	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	37
PID 2760 wrote to memory of 2876	2760	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	37
PID 2760 wrote to memory of 2876	2760	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	37
PID 2760 wrote to memory of 3536	2760	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	39
PID 2760 wrote to memory of 3536	2760	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	39
PID 2760 wrote to memory of 3536	2760	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	39
PID 2760 wrote to memory of 3536	2760	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	39
PID 2760 wrote to memory of 3536	2760	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	39
PID 2760 wrote to memory of 3536	2760	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	39
PID 2760 wrote to memory of 3536	2760	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
"C:\Users\Admin\AppData\Local\Temp\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Users\Admin\AppData\Local\Temp\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
  C:\Users\Admin\AppData\Local\Temp\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4792

C:\Windows\system32\taskeng.exe
taskeng.exe {1CFAE3D8-07CB-43DE-BF67-BE4D18A3D97A} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Roaming\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
  C:\Users\Admin\AppData\Roaming\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Users\Admin\AppData\Roaming\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
    C:\Users\Admin\AppData\Roaming\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0847e41bda66ce4bba6e0cdd82356f29

SHA1
b1fa8110ac67fa6d1ac6130cbe1f50c06dffce51

SHA256
9273daa607b347b5bef06879bee5a107d15503821ea04315c60e7327d51a1ef3

SHA512
a3a3302a9797e90b9dc2fa693704e3313d8a0475b9c2682da908aa32b1aaf227b7aea94438181dab7366fc13d8adaf42fba36f522966ef0d29e26acaeb8a51a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P0HOMY6MSZ5S21E96EZT.temp

Filesize
7KB

MD5
968c7f47f0f478f12d3a0f7450ee4b8d

SHA1
37d93693803b82a47f0e5064425a5492740fcde6

SHA256
2e5817578a1b6e217259ad6f3b8e6cfce576dfc108e0a371de21e08a80b10731

SHA512
2b3a2201ff26e978b15ba1bd06dda4741332e49761e34cc78f926e7346b030a76a84a378bbe8f11207c6ed28f9d5a6890c73922f6dfc720d16847d5006224b13

Download Submit
\Users\Admin\AppData\Roaming\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe

Filesize
2.4MB

MD5
989cb0bfa4cc0bd8e8302f47add8e368

SHA1
515b82386397ec822edbce6f24a6c4b9d13b0344

SHA256
932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef

SHA512
9211bb8622c7dee790db4847a9095bfd8dc48d324a400f374ab42ce65c1e2295cc6392a16e031282f6b3fa29a1881487016c9b817e05d65420d7db41f4548583

Download Submit
memory/1292-29-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-49-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-5-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-7-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-33-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-41-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-25-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-55-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-59-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-63-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-67-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-65-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-61-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-57-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-53-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-51-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-47-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-45-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-27-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-37-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-39-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-35-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-31-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-0-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/1292-43-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-4-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-1-0x0000000000120000-0x0000000000386000-memory.dmp

Filesize
2.4MB

Download
memory/1292-21-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-19-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-17-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-15-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-13-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-11-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-10-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-2098-0x0000000000D10000-0x0000000000DA2000-memory.dmp

Filesize
584KB

Download
memory/1292-23-0x000000001C420000-0x000000001C550000-memory.dmp

Filesize
1.2MB

Download
memory/1292-2-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/1292-2105-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/1292-2106-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/1292-3-0x000000001C420000-0x000000001C556000-memory.dmp

Filesize
1.2MB

Download
memory/1292-2119-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-3248-0x0000000000A50000-0x0000000000CB6000-memory.dmp

Filesize
2.4MB

Download
memory/2760-5343-0x0000000000CC0000-0x0000000000D52000-memory.dmp

Filesize
584KB

Download
memory/2876-5349-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/4552-2104-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/4552-2103-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/4792-2118-0x0000000000D00000-0x0000000000DA4000-memory.dmp

Filesize
656KB

Download
memory/4792-3240-0x0000000002680000-0x00000000026CE000-memory.dmp

Filesize
312KB

Download
memory/4792-3241-0x00000000026D0000-0x000000000271C000-memory.dmp

Filesize
304KB

Download
memory/4792-3242-0x000000001AF80000-0x000000001AFD4000-memory.dmp

Filesize
336KB

Download
memory/4792-2117-0x0000000140000000-0x0000000140078000-memory.dmp

Filesize
480KB

Download