e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4

Resubmissions

09-11-2022 04:21

221109-eyxgyafdcn 1

09-11-2022 04:08

221109-ep773sfcem 1

09-11-2022 03:58

221109-ejt39sdeg9 10

Analysis

max time kernel
37s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-11-2022 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe
Size

1.8MB
MD5

c233f8e5f9b0441782280bb49b98f415
SHA1

ddd3476e9d61fc2d707354da50b490dea8f37721
SHA256

e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4
SHA512

f5404661a5349fb33e18eb632b12a6df3b7e735346bec08ee6a848375c9d6d71bd846c472bf19eccb34aa407bf16a0e214ca4ebe58f1460d4b10cf4c6fdc153c
SSDEEP

49152:j0OB/3taBrb/TMvO90d7HjmAFd4A64nsfJ4ongXG/jpC3Ohz1:/349m

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1956 powershell.exe
1956 powershell.exe
1956 powershell.exe
1620 powershell.exe
1868 powershell.exe
1868 powershell.exe
1868 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1956 powershell.exe
Token: SeDebugPrivilege 1620 powershell.exe
Token: SeDebugPrivilege 1868 powershell.exe

pid	process
1956	powershell.exe
1956	powershell.exe
1956	powershell.exe
1620	powershell.exe
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exepowershell.execmd.exepowershell.exe

description	pid	process	target process
PID 1636 wrote to memory of 1956	1636	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 1636 wrote to memory of 1956	1636	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 1636 wrote to memory of 1956	1636	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 1956 wrote to memory of 900	1956	powershell.exe	cmd.exe
PID 1956 wrote to memory of 900	1956	powershell.exe	cmd.exe
PID 1956 wrote to memory of 900	1956	powershell.exe	cmd.exe
PID 900 wrote to memory of 1620	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 1620	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 1620	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 1692	900	cmd.exe	fsutil.exe
PID 900 wrote to memory of 1692	900	cmd.exe	fsutil.exe
PID 900 wrote to memory of 1692	900	cmd.exe	fsutil.exe
PID 1636 wrote to memory of 1868	1636	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 1636 wrote to memory of 1868	1636	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 1636 wrote to memory of 1868	1636	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 1868 wrote to memory of 560	1868	powershell.exe	cmd.exe
PID 1868 wrote to memory of 560	1868	powershell.exe	cmd.exe
PID 1868 wrote to memory of 560	1868	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe
"C:\Users\Admin\AppData\Local\Temp\e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Process cmd \"/k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1\" -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1
3⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath 'C:\'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\fsutil.exe
fsutil file createnew C:\Users\Admin\AppData\Roaming\excluded.txt 1
4⤵
PID:1692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Start-Process cmd \"/k start %AppData%\ihwvffsmicqynaxuenpaisstlohgxade.exe\" -WindowStyle hidden"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /k start %AppData%\ihwvffsmicqynaxuenpaisstlohgxade.exe
3⤵
PID:560

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ed67a723bbbde8c0dac226d2ab2ab7fd

SHA1
83a72ff3c5b8c52f6d6ef9610ffe61a36da97340

SHA256
0e314e8108ec4425ba16d74db42266a7596f1e93009ff74eaa0f9fbc45daad5a

SHA512
ff4f64c3eea1493162efd74df45fd53700ac6068db9d0e03cc6d55ee2676f572e33a30659078226512f00149a3c76457e8888b89292062a20d823a36003bda0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ed67a723bbbde8c0dac226d2ab2ab7fd

SHA1
83a72ff3c5b8c52f6d6ef9610ffe61a36da97340

SHA256
0e314e8108ec4425ba16d74db42266a7596f1e93009ff74eaa0f9fbc45daad5a

SHA512
ff4f64c3eea1493162efd74df45fd53700ac6068db9d0e03cc6d55ee2676f572e33a30659078226512f00149a3c76457e8888b89292062a20d823a36003bda0e

Download Submit
memory/560-80-0x0000000000000000-mapping.dmp

Download
memory/900-60-0x0000000000000000-mapping.dmp

Download
memory/1620-67-0x000007FEF3DD0000-0x000007FEF492D000-memory.dmp

Filesize
11.4MB

Download
memory/1620-68-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/1620-71-0x000000000290B000-0x000000000292A000-memory.dmp

Filesize
124KB

Download
memory/1620-70-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/1620-63-0x0000000000000000-mapping.dmp

Download
memory/1620-69-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/1620-66-0x000007FEF4930000-0x000007FEF5353000-memory.dmp

Filesize
10.1MB

Download
memory/1692-72-0x0000000000000000-mapping.dmp

Download
memory/1868-76-0x000007FEF3F90000-0x000007FEF49B3000-memory.dmp

Filesize
10.1MB

Download
memory/1868-73-0x0000000000000000-mapping.dmp

Download
memory/1868-77-0x000007FEF3430000-0x000007FEF3F8D000-memory.dmp

Filesize
11.4MB

Download
memory/1868-78-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1868-79-0x0000000002040000-0x00000000020C0000-memory.dmp

Filesize
512KB

Download
memory/1956-54-0x0000000000000000-mapping.dmp

Download
memory/1956-58-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1956-62-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/1956-61-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1956-57-0x000007FEF3430000-0x000007FEF3F8D000-memory.dmp

Filesize
11.4MB

Download
memory/1956-56-0x000007FEF3F90000-0x000007FEF49B3000-memory.dmp

Filesize
10.1MB

Download
memory/1956-59-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1956-55-0x000007FEFC311000-0x000007FEFC313000-memory.dmp

Filesize
8KB

Download