abff8ad79e497aeb5787012b0b0b718324e98bff7e703071c9fe75d6e534b6d6

Resubmissions

27-11-2024 13:27

241127-qqdkmsvnhz 10

27-11-2024 09:28

241127-lfrx3atrgr 10

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
Size

6.6MB
MD5

466b6ffd9a2098925c8727c60099626f
SHA1

9b1bef96aa713e21b0946506e2fcb6cede4bfc0b
SHA256

f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768
SHA512

005b6feed62de8a274ba5f2ef7904a0263e513dee18995a04cc4b5fbb746bc094bfd06f56f4aa8ef5e89793bc958a37d1bdb0c57327dae437f1ecb36b4534307
SSDEEP

196608:wjB8ZML/cWcIjvuK7qtigyegsZPc+3ZGe74rb8cWEDc:wjB8Z6cOv17qisRXcPWE4

Score

8^/10

discovery evasion execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
576	secrehosted.exe

Loads dropped DLL 6 IoCs

pid	Process
2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\parameters.ini	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
File created	C:\Windows\secrehosted.exe	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
File opened for modification	C:\Windows\parameters.ini	secrehosted.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2904	sc.exe
2784	sc.exe
2680	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	secrehosted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe
576	secrehosted.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	secrehosted.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
576	secrehosted.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2716	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	30
PID 2668 wrote to memory of 2716	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	30
PID 2668 wrote to memory of 2716	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	30
PID 2668 wrote to memory of 2716	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	30
PID 2716 wrote to memory of 2796	2716	cmd.exe	32
PID 2716 wrote to memory of 2796	2716	cmd.exe	32
PID 2716 wrote to memory of 2796	2716	cmd.exe	32
PID 2716 wrote to memory of 2796	2716	cmd.exe	32
PID 2796 wrote to memory of 2764	2796	net.exe	33
PID 2796 wrote to memory of 2764	2796	net.exe	33
PID 2796 wrote to memory of 2764	2796	net.exe	33
PID 2796 wrote to memory of 2764	2796	net.exe	33
PID 2668 wrote to memory of 2676	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	34
PID 2668 wrote to memory of 2676	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	34
PID 2668 wrote to memory of 2676	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	34
PID 2668 wrote to memory of 2676	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	34
PID 2676 wrote to memory of 2904	2676	cmd.exe	36
PID 2676 wrote to memory of 2904	2676	cmd.exe	36
PID 2676 wrote to memory of 2904	2676	cmd.exe	36
PID 2676 wrote to memory of 2904	2676	cmd.exe	36
PID 2668 wrote to memory of 1652	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	37
PID 2668 wrote to memory of 1652	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	37
PID 2668 wrote to memory of 1652	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	37
PID 2668 wrote to memory of 1652	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	37
PID 1652 wrote to memory of 2784	1652	cmd.exe	39
PID 1652 wrote to memory of 2784	1652	cmd.exe	39
PID 1652 wrote to memory of 2784	1652	cmd.exe	39
PID 1652 wrote to memory of 2784	1652	cmd.exe	39
PID 2668 wrote to memory of 2588	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	40
PID 2668 wrote to memory of 2588	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	40
PID 2668 wrote to memory of 2588	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	40
PID 2668 wrote to memory of 2588	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	40
PID 2588 wrote to memory of 2680	2588	cmd.exe	42
PID 2588 wrote to memory of 2680	2588	cmd.exe	42
PID 2588 wrote to memory of 2680	2588	cmd.exe	42
PID 2588 wrote to memory of 2680	2588	cmd.exe	42
PID 2668 wrote to memory of 2816	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	43
PID 2668 wrote to memory of 2816	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	43
PID 2668 wrote to memory of 2816	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	43
PID 2668 wrote to memory of 2816	2668	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	43
PID 2816 wrote to memory of 2572	2816	cmd.exe	45
PID 2816 wrote to memory of 2572	2816	cmd.exe	45
PID 2816 wrote to memory of 2572	2816	cmd.exe	45
PID 2816 wrote to memory of 2572	2816	cmd.exe	45
PID 2572 wrote to memory of 1924	2572	net.exe	46
PID 2572 wrote to memory of 1924	2572	net.exe	46
PID 2572 wrote to memory of 1924	2572	net.exe	46
PID 2572 wrote to memory of 1924	2572	net.exe	46

C:\Users\Admin\AppData\Local\Temp\f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
"C:\Users\Admin\AppData\Local\Temp\f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C net stop CompxtsService
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\net.exe
    net stop CompxtsService
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop CompxtsService
      4⤵
      System Location Discovery: System Language Discovery
      PID:2764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C Sc delete CompxtsService
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\sc.exe
    Sc delete CompxtsService
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C Sc create CompxtsService binpath= C:\Windows\secrehosted.exe start= auto DisplayName= DrveService
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\sc.exe
    Sc create CompxtsService binpath= C:\Windows\secrehosted.exe start= auto DisplayName= DrveService
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C sc description CompxtsService ServiceManagerForDrivers
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\sc.exe
    sc description CompxtsService ServiceManagerForDrivers
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C net start CompxtsService
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\net.exe
    net start CompxtsService
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start CompxtsService
      4⤵
      System Location Discovery: System Language Discovery
      PID:1924

C:\Windows\secrehosted.exe
C:\Windows\secrehosted.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\parameters.ini

Filesize
220B

MD5
80e46e47466d7b829d70df82858072cc

SHA1
f48a69048de7184e200cc7023aed44234bdb6c8f

SHA256
fc8636f6c23d345622992fa37650e24efef646987fef2150e42391c03d061589

SHA512
7d9ec20fcfdce3f57cc4535192de96a0dd546c81b380d5aa7e5bac1d91f199168d94384e7b1f3adb06ee33dfe999a7d8eea09c7f6966ea0cac80935fb244e914

Download Submit
C:\Windows\parameters.ini

Filesize
266B

MD5
4b7747473dda99b841582267d3ccc82f

SHA1
0da919fda8dadd8c9e99528013597c17dfc8c10f

SHA256
893a2c40352e5b3b690d7f90924760a890999046c542669b5d769b802c9e4f0e

SHA512
5f49914f0f4e73db6d78d48dca6dcb1d0516fc0ca7ecd9f4772839b7020f219da90b59cc707dfb286a489afabf88adb7bc85579d318b24992ed86d33cfa04a85

Download Submit
C:\Windows\secrehosted.exe

Filesize
6.7MB

MD5
c1b7d5a866e2c21c7bc6222328638cfc

SHA1
3c09adc17b23ec529951d467481afd495d227cdc

SHA256
0cedeb6633fdc8079cde76d2cc72bf98f0496c0dd644a7f215e59014b3dc5f4b

SHA512
7e47ea282cb82f003c92565ff9dc9d1cfcdbeeecd8668565eaecd4ef99e609083b3a0192bf01e8e13b467b53e266157cb61cc13c77f1ad169cec1cd141a28814

Download Submit
\Users\Admin\AppData\Local\Temp\nst5CA2.tmp\nsExec.dll

Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nst5CA2.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
memory/576-44-0x0000000001860000-0x0000000001861000-memory.dmp

Filesize
4KB

Download
memory/576-54-0x0000000001890000-0x0000000001891000-memory.dmp

Filesize
4KB

Download
memory/576-37-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/576-39-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/576-42-0x0000000001860000-0x0000000001861000-memory.dmp

Filesize
4KB

Download
memory/576-30-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/576-47-0x0000000001870000-0x0000000001871000-memory.dmp

Filesize
4KB

Download
memory/576-49-0x0000000001870000-0x0000000001871000-memory.dmp

Filesize
4KB

Download
memory/576-52-0x0000000001890000-0x0000000001891000-memory.dmp

Filesize
4KB

Download
memory/576-35-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/576-57-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/576-59-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/576-62-0x00000000018B0000-0x00000000018B1000-memory.dmp

Filesize
4KB

Download
memory/576-60-0x00000000018B0000-0x00000000018B1000-memory.dmp

Filesize
4KB

Download
memory/576-64-0x00000000018B0000-0x00000000018B1000-memory.dmp

Filesize
4KB

Download
memory/576-65-0x0000000000400000-0x000000000137A000-memory.dmp

Filesize
15.5MB

Download
memory/576-32-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/576-34-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download