abff8ad79e497aeb5787012b0b0b718324e98bff7e703071c9fe75d6e534b6d6

Resubmissions

27-11-2024 13:27

241127-qqdkmsvnhz 10

27-11-2024 09:28

241127-lfrx3atrgr 10

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
Size

6.6MB
MD5

466b6ffd9a2098925c8727c60099626f
SHA1

9b1bef96aa713e21b0946506e2fcb6cede4bfc0b
SHA256

f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768
SHA512

005b6feed62de8a274ba5f2ef7904a0263e513dee18995a04cc4b5fbb746bc094bfd06f56f4aa8ef5e89793bc958a37d1bdb0c57327dae437f1ecb36b4534307
SSDEEP

196608:wjB8ZML/cWcIjvuK7qtigyegsZPc+3ZGe74rb8cWEDc:wjB8Z6cOv17qisRXcPWE4

Score

8^/10

discovery evasion execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
2700	secrehosted.exe

Loads dropped DLL 6 IoCs

pid	Process
2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\parameters.ini	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
File created	C:\Windows\secrehosted.exe	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
File opened for modification	C:\Windows\parameters.ini	secrehosted.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2732	sc.exe
2252	sc.exe
2796	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	secrehosted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe
2700	secrehosted.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	secrehosted.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2700	secrehosted.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2508	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	31
PID 2560 wrote to memory of 2508	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	31
PID 2560 wrote to memory of 2508	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	31
PID 2560 wrote to memory of 2508	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	31
PID 2508 wrote to memory of 2300	2508	cmd.exe	33
PID 2508 wrote to memory of 2300	2508	cmd.exe	33
PID 2508 wrote to memory of 2300	2508	cmd.exe	33
PID 2508 wrote to memory of 2300	2508	cmd.exe	33
PID 2300 wrote to memory of 2772	2300	net.exe	34
PID 2300 wrote to memory of 2772	2300	net.exe	34
PID 2300 wrote to memory of 2772	2300	net.exe	34
PID 2300 wrote to memory of 2772	2300	net.exe	34
PID 2560 wrote to memory of 2284	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	35
PID 2560 wrote to memory of 2284	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	35
PID 2560 wrote to memory of 2284	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	35
PID 2560 wrote to memory of 2284	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	35
PID 2284 wrote to memory of 2732	2284	cmd.exe	37
PID 2284 wrote to memory of 2732	2284	cmd.exe	37
PID 2284 wrote to memory of 2732	2284	cmd.exe	37
PID 2284 wrote to memory of 2732	2284	cmd.exe	37
PID 2560 wrote to memory of 2872	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	38
PID 2560 wrote to memory of 2872	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	38
PID 2560 wrote to memory of 2872	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	38
PID 2560 wrote to memory of 2872	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	38
PID 2872 wrote to memory of 2252	2872	cmd.exe	40
PID 2872 wrote to memory of 2252	2872	cmd.exe	40
PID 2872 wrote to memory of 2252	2872	cmd.exe	40
PID 2872 wrote to memory of 2252	2872	cmd.exe	40
PID 2560 wrote to memory of 2444	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	41
PID 2560 wrote to memory of 2444	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	41
PID 2560 wrote to memory of 2444	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	41
PID 2560 wrote to memory of 2444	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	41
PID 2444 wrote to memory of 2796	2444	cmd.exe	43
PID 2444 wrote to memory of 2796	2444	cmd.exe	43
PID 2444 wrote to memory of 2796	2444	cmd.exe	43
PID 2444 wrote to memory of 2796	2444	cmd.exe	43
PID 2560 wrote to memory of 2948	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	44
PID 2560 wrote to memory of 2948	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	44
PID 2560 wrote to memory of 2948	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	44
PID 2560 wrote to memory of 2948	2560	f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe	44
PID 2948 wrote to memory of 948	2948	cmd.exe	46
PID 2948 wrote to memory of 948	2948	cmd.exe	46
PID 2948 wrote to memory of 948	2948	cmd.exe	46
PID 2948 wrote to memory of 948	2948	cmd.exe	46
PID 948 wrote to memory of 2752	948	net.exe	47
PID 948 wrote to memory of 2752	948	net.exe	47
PID 948 wrote to memory of 2752	948	net.exe	47
PID 948 wrote to memory of 2752	948	net.exe	47

C:\Users\Admin\AppData\Local\Temp\f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
"C:\Users\Admin\AppData\Local\Temp\f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C net stop CompxtsService
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\net.exe
    net stop CompxtsService
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop CompxtsService
      4⤵
      System Location Discovery: System Language Discovery
      PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C Sc delete CompxtsService
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\sc.exe
    Sc delete CompxtsService
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C Sc create CompxtsService binpath= C:\Windows\secrehosted.exe start= auto DisplayName= DrveService
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\sc.exe
    Sc create CompxtsService binpath= C:\Windows\secrehosted.exe start= auto DisplayName= DrveService
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C sc description CompxtsService ServiceManagerForDrivers
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\sc.exe
    sc description CompxtsService ServiceManagerForDrivers
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C net start CompxtsService
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\net.exe
    net start CompxtsService
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start CompxtsService
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752

C:\Windows\secrehosted.exe
C:\Windows\secrehosted.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\parameters.ini

Filesize
220B

MD5
80e46e47466d7b829d70df82858072cc

SHA1
f48a69048de7184e200cc7023aed44234bdb6c8f

SHA256
fc8636f6c23d345622992fa37650e24efef646987fef2150e42391c03d061589

SHA512
7d9ec20fcfdce3f57cc4535192de96a0dd546c81b380d5aa7e5bac1d91f199168d94384e7b1f3adb06ee33dfe999a7d8eea09c7f6966ea0cac80935fb244e914

Download Submit
C:\Windows\parameters.ini

Filesize
266B

MD5
9dae79c2b9d82eb03859e4cce444c57e

SHA1
41b3b3e136f7b16f249d335b0318033349671e66

SHA256
ab86113bd0b5ec2ff282cd5d7ed04b300ec39e36618574fa8cf1bd3bb9b7b2d0

SHA512
02315b03473e7c410c5684fd427ff5e3f48257bcc1d02a8fc2d2bc8f5fca56d82bb31a9fda13a705c6ca0bc34a29d01aa3cbbdd3fca7033aed75344a409df77f

Download Submit
C:\Windows\secrehosted.exe

Filesize
6.7MB

MD5
c1b7d5a866e2c21c7bc6222328638cfc

SHA1
3c09adc17b23ec529951d467481afd495d227cdc

SHA256
0cedeb6633fdc8079cde76d2cc72bf98f0496c0dd644a7f215e59014b3dc5f4b

SHA512
7e47ea282cb82f003c92565ff9dc9d1cfcdbeeecd8668565eaecd4ef99e609083b3a0192bf01e8e13b467b53e266157cb61cc13c77f1ad169cec1cd141a28814

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD4EC.tmp\nsExec.dll

Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD4EC.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
memory/2700-44-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2700-54-0x0000000001490000-0x0000000001491000-memory.dmp

Filesize
4KB

Download
memory/2700-37-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2700-39-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2700-42-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2700-30-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2700-47-0x0000000001480000-0x0000000001481000-memory.dmp

Filesize
4KB

Download
memory/2700-49-0x0000000001480000-0x0000000001481000-memory.dmp

Filesize
4KB

Download
memory/2700-52-0x0000000001490000-0x0000000001491000-memory.dmp

Filesize
4KB

Download
memory/2700-35-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2700-57-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download
memory/2700-59-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download
memory/2700-60-0x00000000014B0000-0x00000000014B1000-memory.dmp

Filesize
4KB

Download
memory/2700-62-0x00000000014B0000-0x00000000014B1000-memory.dmp

Filesize
4KB

Download
memory/2700-64-0x00000000014B0000-0x00000000014B1000-memory.dmp

Filesize
4KB

Download
memory/2700-65-0x0000000000400000-0x000000000137A000-memory.dmp

Filesize
15.5MB

Download
memory/2700-34-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2700-32-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download