667cb510540d8e7a6cd30007d30a8ca11110dde57bd03d2cbf87ca6b7868bdb9

Analysis

max time kernel
86s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe
Size

13.6MB
MD5

a8df11e04a5378d02af94ac361a89dec
SHA1

000fe04f1a2c25029fbea090936694dfaf44ad3d
SHA256

ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3
SHA512

44f8dcfc741b19283db37d628658ed0f5942fed6cb35b0aae7c0e651349421200d2d53542ee38dee9f94cde03c96f3150d2886d9c1edc727a8f335fdcb085cf7
SSDEEP

12288:nssssDsssssssssssssssssssssssssssssssssssssbsssssssssssssssssssP:7

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe

Executes dropped EXE 3 IoCs

pid	Process
2668	svchost.exe
2860	TempWorm.exe.exe
1268	TempWorm.exe.exe

Loads dropped DLL 3 IoCs

pid	Process
2000	ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe
2600	dw20.exe
2876	dw20.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\98e70a2affbae7efdca689e718feee82 = "C:\\ProgramData\\Microsoft\\svchost.exe"	ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\98e70a2affbae7efdca689e718feee82 = "C:\\ProgramData\\Microsoft\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\98e70a2affbae7efdca689e718feee82 = "C:\\ProgramData\\Microsoft\\svchost.exe"	TempWorm.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\98e70a2affbae7efdca689e718feee82 = "C:\\ProgramData\\Microsoft\\svchost.exe"	TempWorm.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempWorm.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempWorm.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2332	schtasks.exe
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2668	svchost.exe
2668	svchost.exe
2668	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	svchost.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2332	2000	ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe	31
PID 2000 wrote to memory of 2332	2000	ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe	31
PID 2000 wrote to memory of 2332	2000	ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe	31
PID 2000 wrote to memory of 2332	2000	ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe	31
PID 2000 wrote to memory of 2668	2000	ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe	33
PID 2000 wrote to memory of 2668	2000	ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe	33
PID 2000 wrote to memory of 2668	2000	ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe	33
PID 2000 wrote to memory of 2668	2000	ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe	33
PID 2668 wrote to memory of 2780	2668	svchost.exe	34
PID 2668 wrote to memory of 2780	2668	svchost.exe	34
PID 2668 wrote to memory of 2780	2668	svchost.exe	34
PID 2668 wrote to memory of 2780	2668	svchost.exe	34
PID 3004 wrote to memory of 2860	3004	taskeng.exe	37
PID 3004 wrote to memory of 2860	3004	taskeng.exe	37
PID 3004 wrote to memory of 2860	3004	taskeng.exe	37
PID 3004 wrote to memory of 2860	3004	taskeng.exe	37
PID 2860 wrote to memory of 2600	2860	TempWorm.exe.exe	38
PID 2860 wrote to memory of 2600	2860	TempWorm.exe.exe	38
PID 2860 wrote to memory of 2600	2860	TempWorm.exe.exe	38
PID 2860 wrote to memory of 2600	2860	TempWorm.exe.exe	38
PID 3004 wrote to memory of 1268	3004	taskeng.exe	39
PID 3004 wrote to memory of 1268	3004	taskeng.exe	39
PID 3004 wrote to memory of 1268	3004	taskeng.exe	39
PID 3004 wrote to memory of 1268	3004	taskeng.exe	39
PID 1268 wrote to memory of 2876	1268	TempWorm.exe.exe	40
PID 1268 wrote to memory of 2876	1268	TempWorm.exe.exe	40
PID 1268 wrote to memory of 2876	1268	TempWorm.exe.exe	40
PID 1268 wrote to memory of 2876	1268	TempWorm.exe.exe	40

C:\Users\Admin\AppData\Local\Temp\ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe
"C:\Users\Admin\AppData\Local\Temp\ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn server /tr C:\Users\Admin\AppData\Local\TempWorm.exe.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2332
- C:\ProgramData\Microsoft\svchost.exe
  "C:\ProgramData\Microsoft\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn server /tr C:\Users\Admin\AppData\Local\TempWorm.exe.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2780

C:\Windows\system32\taskeng.exe
taskeng.exe {35ACD136-042B-42E1-A5BE-374355A3F307} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\TempWorm.exe.exe
  C:\Users\Admin\AppData\Local\TempWorm.exe.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 516
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2600
- C:\Users\Admin\AppData\Local\TempWorm.exe.exe
  C:\Users\Admin\AppData\Local\TempWorm.exe.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 512
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2876
- C:\Users\Admin\AppData\Local\TempWorm.exe.exe
  C:\Users\Admin\AppData\Local\TempWorm.exe.exe
  2⤵
  PID:1076
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 512
    3⤵
    PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\svchost.exe

Filesize
13.6MB

MD5
a8df11e04a5378d02af94ac361a89dec

SHA1
000fe04f1a2c25029fbea090936694dfaf44ad3d

SHA256
ee5fd05cf5c85b15681d9d29faed9891e4fb86815f92bb3a816e2c7c191bbcc3

SHA512
44f8dcfc741b19283db37d628658ed0f5942fed6cb35b0aae7c0e651349421200d2d53542ee38dee9f94cde03c96f3150d2886d9c1edc727a8f335fdcb085cf7

Download Submit
C:\Users\Admin\AppData\Local\TempWorm.exe.exe

Filesize
27.2MB

MD5
033e360ce118a4bdb0b816f7c68de8cf

SHA1
286a289a4e92105656ee1fcccac5e0814c0d24bc

SHA256
26c11dac9dc4d37ddb0c44f4fba7be9fe1bf84f46cc3f369c46b099fbef02bae

SHA512
786f1898f09d6eb643ddd04922ebf7f0e432cbd7cbe428325eeea1553a3f8f8fe29c8fa1223f8323f4dd84fa0d7d923fd496d892b918475c10eb915928f6ae70

Download Submit
C:\Users\Admin\AppData\Local\TempWorm.exe.exe

Filesize
24.4MB

MD5
3e0b16e6f99709e22bc09e32aa117ec4

SHA1
3bf75db6358440fa370c854add43326cf7f9aa2f

SHA256
4d4b9551476633472f60dc2690409521c470888d73a20f86017305935ce89af0

SHA512
27cb7a6f0e5438f2a3abaa7ab9a061701b621519122eb0426675604c4b7e511e36e23d4ccb15b11f0622e539f1847fe7f8c3bcf137c479e51df9e9dd65e1e7cf

Download Submit
C:\Users\Admin\AppData\Local\TempWorm.exe.exe

Filesize
14.3MB

MD5
0787dde04a8615ec0d96383064f9cced

SHA1
9021dfa7af2646a2670bb0d81c98ab38c1a56dfa

SHA256
59979c41eb11cb300afe54c2d4ac2d6de9a7a21c7d2bd72451f6ebd5a6530885

SHA512
c85e521885a387115d65ab55e8cae7ea8ba0fb6fe9df33f67b8b191db6997e0cb5f46a878a35b6de00ee603ae40c062baee649d839c7ca8516097df32a111a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlackData.dat

Filesize
2B

MD5
bafd7322c6e97d25b6299b5d6fe8920b

SHA1
816c52fd2bdd94a63cd0944823a6c0aa9384c103

SHA256
1ea442a134b2a184bd5d40104401f2a37fbc09ccf3f4bc9da161c6099be3691d

SHA512
a145800e53a326d880f4b513436e54a0ab41efc8fdd4f038c0edae948e5ae08d2a7077d5bb648415078dda2571fe92c4d6fa2130a80f53d9dd329e7040729e81

Download Submit
\Users\Admin\AppData\Local\TempWorm.exe.exe

Filesize
26.0MB

MD5
9c1b54fd225ae29e5ffbc993c65506fd

SHA1
f030169eaad14e4fc4ae7c49723aafa76fcc4468

SHA256
9fea7077520490f31cda4acbc9af10c5fea4307d3fe061b488e1055173339494

SHA512
36d624c4fa60fa0e7d1e64b0414f1ea0cdb584cf44bda8750ac52aa60a41ce0ab4dcc38cf420b35b4060c7e14a19b8729c86f6bd745841f8e0d4e2915a328a7a

Download Submit
\Users\Admin\AppData\Local\TempWorm.exe.exe

Filesize
16.1MB

MD5
c2f1b4f9e93150e08380bb8b6ea720f9

SHA1
7b8d0282232ba4275772ad9241726902cf0f0a1a

SHA256
41e7f96654f9a112cc7587f4408d3159f4aa18eeb24ab69060dc59eab2f7d791

SHA512
af116c22584c44aea27be9b3b9f85e5936dbe217145e60cf9a2abd82938484ae0bb2eb915684f230f4ee4a0deddd82aac45abf7be8d333995ea760504dd1222c

Download Submit
memory/2000-12-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-6-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-23-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-0-0x0000000074C01000-0x0000000074C02000-memory.dmp

Filesize
4KB

Download
memory/2000-1-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-2-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2668-22-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2668-27-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2668-21-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download