649c75d99b6d8e237d8a8d0142796fcbfa7381674628201f474b58039144ec2a

Resubmissions

15-11-2024 18:05

241115-wpjcdsxrdy 10

11-11-2024 21:40

241111-1h6xbsxcql 10

03-12-2022 17:54

221203-wg4ncscc33 10

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Size

2.4MB
MD5

989cb0bfa4cc0bd8e8302f47add8e368
SHA1

515b82386397ec822edbce6f24a6c4b9d13b0344
SHA256

932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef
SHA512

9211bb8622c7dee790db4847a9095bfd8dc48d324a400f374ab42ce65c1e2295cc6392a16e031282f6b3fa29a1881487016c9b817e05d65420d7db41f4548583
SSDEEP

24576:pu4wFHPSaD/zXFRRhOnYQb6VOOmWC9+HW0MigJS3Cd+XHKrQD2YR:

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe

pid	process
1696	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
848	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe

Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

2480 taskeng.exe

pid	process
2480	taskeng.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe

description	pid	process	target process
PID 2500 set thread context of 4780	2500	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 1696 set thread context of 848	1696	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

4488 powershell.exe
3856 powershell.exe

pid	process
4488	powershell.exe
3856	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exe932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exepowershell.exe932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe

description	pid	process
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	2500	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Token: SeDebugPrivilege	4780	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	1696	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
Token: SeDebugPrivilege	848	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exetaskeng.exe932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
"C:\Users\Admin\AppData\Local\Temp\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- C:\Users\Admin\AppData\Local\Temp\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
  C:\Users\Admin\AppData\Local\Temp\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4780

C:\Windows\system32\taskeng.exe
taskeng.exe {7A8A4E3A-F5F7-4109-9E56-DEC78F0CD2DF} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Roaming\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
  C:\Users\Admin\AppData\Roaming\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3856
- - C:\Users\Admin\AppData\Roaming\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
    C:\Users\Admin\AppData\Roaming\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c60b387bfb41f37d9dcd76cf75ceec04

SHA1
5d0096f527de36e1f473a4c474106410f1948c23

SHA256
88b5a5ab875591654dbb1755a2883c855e90a1f229bc9627c989c2fad9820be0

SHA512
9026737e6c51d44ae65ee1590fdba62f5d64a9c7cdd2b5e22be677d511011fed4acb2ef99c9c9c968c75d6e78fe4a6165dfd7d67805ff2d9dbba9eec91167c4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AOOGCPJPJOSV0ER4Z8IW.temp

Filesize
7KB

MD5
8e0959a8f9d4dc9432d1b05d94d65fbd

SHA1
a0ea42826d6756fd20db1077b9160dab3689413d

SHA256
4dc6c62515ead4990d401bbdb796ad1f06c85cfd75b4bd298c0cefe0d32858eb

SHA512
50a41fdf6b6a26e22b07a96849937e7e8e5e8f1898195caf6675f85695cea2d379077bc9590d1c686172c6d5a991a7a8aa8f2ab426af6daa403cd8202b5c93ec

Download Submit
\Users\Admin\AppData\Roaming\932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe

Filesize
2.4MB

MD5
989cb0bfa4cc0bd8e8302f47add8e368

SHA1
515b82386397ec822edbce6f24a6c4b9d13b0344

SHA256
932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef

SHA512
9211bb8622c7dee790db4847a9095bfd8dc48d324a400f374ab42ce65c1e2295cc6392a16e031282f6b3fa29a1881487016c9b817e05d65420d7db41f4548583

Download Submit
memory/1696-5343-0x000000001B000000-0x000000001B092000-memory.dmp

Filesize
584KB

Download
memory/1696-3248-0x0000000000080000-0x00000000002E6000-memory.dmp

Filesize
2.4MB

Download
memory/2500-47-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-51-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-43-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-35-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-41-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-11-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-13-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-15-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-17-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-19-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-21-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-23-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-67-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-65-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-63-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-39-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-59-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-57-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-55-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-53-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-49-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2500-45-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-2098-0x000000001BE90000-0x000000001BF22000-memory.dmp

Filesize
584KB

Download
memory/2500-9-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-7-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-61-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-37-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-33-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-31-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-29-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-27-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-25-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-1-0x00000000008F0000-0x0000000000B56000-memory.dmp

Filesize
2.4MB

Download
memory/2500-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2500-2105-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2500-2106-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2500-3-0x000000001C720000-0x000000001C856000-memory.dmp

Filesize
1.2MB

Download
memory/2500-4-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/2500-2119-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2500-5-0x000000001C720000-0x000000001C850000-memory.dmp

Filesize
1.2MB

Download
memory/3856-5349-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/3856-5350-0x00000000020F0000-0x00000000020F8000-memory.dmp

Filesize
32KB

Download
memory/4488-2104-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/4488-2103-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/4780-3241-0x0000000000C60000-0x0000000000CAC000-memory.dmp

Filesize
304KB

Download
memory/4780-3242-0x0000000002700000-0x0000000002754000-memory.dmp

Filesize
336KB

Download
memory/4780-3240-0x00000000008A0000-0x00000000008EE000-memory.dmp

Filesize
312KB

Download
memory/4780-2118-0x00000000025C0000-0x0000000002664000-memory.dmp

Filesize
656KB

Download
memory/4780-2117-0x0000000140000000-0x0000000140078000-memory.dmp

Filesize
480KB

Download

description	pid	process	target process
PID 2500 wrote to memory of 4488	2500	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	powershell.exe
PID 2500 wrote to memory of 4488	2500	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	powershell.exe
PID 2500 wrote to memory of 4488	2500	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	powershell.exe
PID 2500 wrote to memory of 4780	2500	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 2500 wrote to memory of 4780	2500	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 2500 wrote to memory of 4780	2500	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 2500 wrote to memory of 4780	2500	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 2500 wrote to memory of 4780	2500	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 2500 wrote to memory of 4780	2500	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 2500 wrote to memory of 4780	2500	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 2480 wrote to memory of 1696	2480	taskeng.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 2480 wrote to memory of 1696	2480	taskeng.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 2480 wrote to memory of 1696	2480	taskeng.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 1696 wrote to memory of 3856	1696	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	powershell.exe
PID 1696 wrote to memory of 3856	1696	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	powershell.exe
PID 1696 wrote to memory of 3856	1696	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	powershell.exe
PID 1696 wrote to memory of 848	1696	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 1696 wrote to memory of 848	1696	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 1696 wrote to memory of 848	1696	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 1696 wrote to memory of 848	1696	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 1696 wrote to memory of 848	1696	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 1696 wrote to memory of 848	1696	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe
PID 1696 wrote to memory of 848	1696	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe	932380926bc6bffcdf0bc446af37d140ce22426f651679e3b7d1c8fea83d14ef.exe