1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe
Size

453KB
MD5

25a1ff912b26dcd19cbd5667934e68bb
SHA1

d76a1e23bfc2594f7714ed109e6e2a5cf4b17908
SHA256

1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e
SHA512

b17b1d4ea1a7afb6954ba7afb8f438f1c37f59792f584b7904abb4a704d1c0a05f2a179997d83a637f344b64efc7eef88b3dbbb781e836dfc632eeb3363f289a
SSDEEP

12288:imKmKCT6CTQNbPQMp3UoyuQTA7rQmDjrhf:5lT7i1p3rrE2jp

Score

10^/10

defense_evasion

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe

description	pid	Process	procid_target
PID 1656 created 424	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe	5

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe

description	pid	Process	procid_target
PID 1656 set thread context of 2148	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe	29

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exedllhost.exe

pid	Process
1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe
2148	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exedllhost.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe
Token: SeDebugPrivilege	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe
Token: SeDebugPrivilege	2148	dllhost.exe
Token: SeAuditPrivilege	832	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	832	svchost.exe
Token: SeIncreaseQuotaPrivilege	832	svchost.exe
Token: SeSecurityPrivilege	832	svchost.exe
Token: SeTakeOwnershipPrivilege	832	svchost.exe
Token: SeLoadDriverPrivilege	832	svchost.exe
Token: SeSystemtimePrivilege	832	svchost.exe
Token: SeBackupPrivilege	832	svchost.exe
Token: SeRestorePrivilege	832	svchost.exe
Token: SeShutdownPrivilege	832	svchost.exe
Token: SeSystemEnvironmentPrivilege	832	svchost.exe
Token: SeUndockPrivilege	832	svchost.exe
Token: SeManageVolumePrivilege	832	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	832	svchost.exe
Token: SeIncreaseQuotaPrivilege	832	svchost.exe
Token: SeSecurityPrivilege	832	svchost.exe
Token: SeTakeOwnershipPrivilege	832	svchost.exe
Token: SeLoadDriverPrivilege	832	svchost.exe
Token: SeSystemtimePrivilege	832	svchost.exe
Token: SeBackupPrivilege	832	svchost.exe
Token: SeRestorePrivilege	832	svchost.exe
Token: SeShutdownPrivilege	832	svchost.exe
Token: SeSystemEnvironmentPrivilege	832	svchost.exe
Token: SeUndockPrivilege	832	svchost.exe
Token: SeManageVolumePrivilege	832	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	832	svchost.exe
Token: SeIncreaseQuotaPrivilege	832	svchost.exe
Token: SeSecurityPrivilege	832	svchost.exe
Token: SeTakeOwnershipPrivilege	832	svchost.exe
Token: SeLoadDriverPrivilege	832	svchost.exe
Token: SeSystemtimePrivilege	832	svchost.exe
Token: SeBackupPrivilege	832	svchost.exe
Token: SeRestorePrivilege	832	svchost.exe
Token: SeShutdownPrivilege	832	svchost.exe
Token: SeSystemEnvironmentPrivilege	832	svchost.exe
Token: SeUndockPrivilege	832	svchost.exe
Token: SeManageVolumePrivilege	832	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	832	svchost.exe
Token: SeIncreaseQuotaPrivilege	832	svchost.exe
Token: SeSecurityPrivilege	832	svchost.exe
Token: SeTakeOwnershipPrivilege	832	svchost.exe
Token: SeLoadDriverPrivilege	832	svchost.exe
Token: SeSystemtimePrivilege	832	svchost.exe
Token: SeBackupPrivilege	832	svchost.exe
Token: SeRestorePrivilege	832	svchost.exe
Token: SeShutdownPrivilege	832	svchost.exe
Token: SeSystemEnvironmentPrivilege	832	svchost.exe
Token: SeUndockPrivilege	832	svchost.exe
Token: SeManageVolumePrivilege	832	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	832	svchost.exe
Token: SeIncreaseQuotaPrivilege	832	svchost.exe
Token: SeSecurityPrivilege	832	svchost.exe
Token: SeTakeOwnershipPrivilege	832	svchost.exe
Token: SeLoadDriverPrivilege	832	svchost.exe
Token: SeSystemtimePrivilege	832	svchost.exe
Token: SeBackupPrivilege	832	svchost.exe
Token: SeRestorePrivilege	832	svchost.exe
Token: SeShutdownPrivilege	832	svchost.exe
Token: SeSystemEnvironmentPrivilege	832	svchost.exe
Token: SeUndockPrivilege	832	svchost.exe
Token: SeManageVolumePrivilege	832	svchost.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exedllhost.exe

description	pid	Process	procid_target
PID 1656 wrote to memory of 2148	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe	29
PID 1656 wrote to memory of 2148	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe	29
PID 1656 wrote to memory of 2148	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe	29
PID 1656 wrote to memory of 2148	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe	29
PID 1656 wrote to memory of 2148	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe	29
PID 1656 wrote to memory of 2148	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe	29
PID 1656 wrote to memory of 2148	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe	29
PID 1656 wrote to memory of 2148	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe	29
PID 1656 wrote to memory of 2148	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe	29
PID 1656 wrote to memory of 2148	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe	29
PID 1656 wrote to memory of 2148	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe	29
PID 1656 wrote to memory of 2148	1656	1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe	29
PID 2148 wrote to memory of 424	2148	dllhost.exe	5
PID 2148 wrote to memory of 468	2148	dllhost.exe	6
PID 2148 wrote to memory of 484	2148	dllhost.exe	7
PID 2148 wrote to memory of 492	2148	dllhost.exe	8
PID 2148 wrote to memory of 604	2148	dllhost.exe	9
PID 2148 wrote to memory of 680	2148	dllhost.exe	10
PID 2148 wrote to memory of 740	2148	dllhost.exe	11
PID 2148 wrote to memory of 808	2148	dllhost.exe	12
PID 2148 wrote to memory of 832	2148	dllhost.exe	13
PID 2148 wrote to memory of 988	2148	dllhost.exe	14
PID 2148 wrote to memory of 296	2148	dllhost.exe	15
PID 2148 wrote to memory of 664	2148	dllhost.exe	16
PID 2148 wrote to memory of 1040	2148	dllhost.exe	17
PID 2148 wrote to memory of 1128	2148	dllhost.exe	18
PID 2148 wrote to memory of 1180	2148	dllhost.exe	19
PID 2148 wrote to memory of 1244	2148	dllhost.exe	20
PID 2148 wrote to memory of 1556	2148	dllhost.exe	22
PID 2148 wrote to memory of 1788	2148	dllhost.exe	23
PID 2148 wrote to memory of 1880	2148	dllhost.exe	24
PID 2148 wrote to memory of 1940	2148	dllhost.exe	25
PID 2148 wrote to memory of 1920	2148	dllhost.exe	26
PID 2148 wrote to memory of 1656	2148	dllhost.exe	28

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5bf437a3-c02b-498d-9cd3-0a012cd190b5}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2148

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:604
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1556
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1880
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Indicator Removal: Clear Windows Event Logs
  PID:740
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1180
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:988
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:296
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:664
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1040
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1128
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1788
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1940
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1920

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:484

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:492

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe
  "C:\Users\Admin\AppData\Local\Temp\1b6501b51ea4e47cf26b377816a7e3bd67d8dad29d7b3d0654f79be6f953406e.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/424-14-0x0000000000410000-0x0000000000434000-memory.dmp

Filesize
144KB

Download
memory/424-167-0x0000000077611000-0x0000000077612000-memory.dmp

Filesize
4KB

Download
memory/424-17-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/424-16-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/424-175-0x0000000000860000-0x000000000088C000-memory.dmp

Filesize
176KB

Download
memory/424-15-0x0000000000860000-0x000000000088C000-memory.dmp

Filesize
176KB

Download
memory/424-12-0x0000000000410000-0x0000000000434000-memory.dmp

Filesize
144KB

Download
memory/468-169-0x00000000000A0000-0x00000000000CC000-memory.dmp

Filesize
176KB

Download
memory/468-22-0x00000000000A0000-0x00000000000CC000-memory.dmp

Filesize
176KB

Download
memory/468-24-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/468-23-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/484-30-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/484-29-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/484-28-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/484-170-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/492-43-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/492-172-0x00000000009B0000-0x00000000009DC000-memory.dmp

Filesize
176KB

Download
memory/492-41-0x00000000009B0000-0x00000000009DC000-memory.dmp

Filesize
176KB

Download
memory/492-42-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/604-173-0x0000000000430000-0x000000000045C000-memory.dmp

Filesize
176KB

Download
memory/604-48-0x0000000000430000-0x000000000045C000-memory.dmp

Filesize
176KB

Download
memory/604-49-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/604-50-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/680-40-0x00000000004E0000-0x000000000050C000-memory.dmp

Filesize
176KB

Download
memory/680-45-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/680-46-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/680-171-0x00000000004E0000-0x000000000050C000-memory.dmp

Filesize
176KB

Download
memory/740-54-0x0000000000860000-0x000000000088C000-memory.dmp

Filesize
176KB

Download
memory/740-176-0x000007FF404C0000-0x000007FF40580000-memory.dmp

Filesize
768KB

Download
memory/740-174-0x000007FF404C0000-0x000007FF40580000-memory.dmp

Filesize
768KB

Download
memory/808-64-0x00000000008B0000-0x00000000008DC000-memory.dmp

Filesize
176KB

Download
memory/808-65-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/808-66-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/1656-166-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

Filesize
9.6MB

Download
memory/1656-9-0x00000000773A1000-0x000000007743C000-memory.dmp

Filesize
620KB

Download
memory/1656-1-0x00000000775C0000-0x0000000077769000-memory.dmp

Filesize
1.7MB

Download
memory/1656-2-0x00000000773A0000-0x00000000774BF000-memory.dmp

Filesize
1.1MB

Download
memory/1656-8-0x00000000775C1000-0x00000000776C2000-memory.dmp

Filesize
1.0MB

Download
memory/1656-0-0x000007FEF60EE000-0x000007FEF60EF000-memory.dmp

Filesize
4KB

Download
memory/2148-5-0x0000000140000000-0x0000000140043000-memory.dmp

Filesize
268KB

Download
memory/2148-6-0x00000000775C0000-0x0000000077769000-memory.dmp

Filesize
1.7MB

Download
memory/2148-7-0x00000000773A0000-0x00000000774BF000-memory.dmp

Filesize
1.1MB

Download
memory/2148-10-0x0000000140000000-0x0000000140043000-memory.dmp

Filesize
268KB

Download
memory/2148-3-0x0000000140000000-0x0000000140043000-memory.dmp

Filesize
268KB

Download
memory/2148-168-0x00000000775C0000-0x0000000077769000-memory.dmp

Filesize
1.7MB

Download