12a5158d4768fb51739e6b0fc155057116e20228c7ab22ef3e08dbfdca2e13ad

Analysis

max time kernel
49s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08/05/2023, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12a5158d4768fb51739e6b0fc155057116e20228c7ab22ef3e08dbfdca2e13ad.exe
Size

2.1MB
MD5

0d009ea0386e4668e4fe910f13092bf4
SHA1

21582aff48121712b63b0ab6a962edfe6ba023ea
SHA256

12a5158d4768fb51739e6b0fc155057116e20228c7ab22ef3e08dbfdca2e13ad
SHA512

7d35c4e4d36fcb03af1cba9d71bf400b39aeff631a3ffc9b15072aecf303a90ca1cd147825f8d26f3bcc877766d2c97bf3c27b63d542c08903fccfc06198e9f3
SSDEEP

24576:hFxTc+ThGLe8rLdqRHetdCeZTyVJNBqCgV2AGqaliurb0+sWydomQ73yJyttg+e1:Q5r0R6dJZ3P4zvrMDoUKHePwJNtI

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1624	powershell.exe
1732	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2036	12a5158d4768fb51739e6b0fc155057116e20228c7ab22ef3e08dbfdca2e13ad.exe
Token: SeDebugPrivilege	1732	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1624	2036	12a5158d4768fb51739e6b0fc155057116e20228c7ab22ef3e08dbfdca2e13ad.exe	28
PID 2036 wrote to memory of 1624	2036	12a5158d4768fb51739e6b0fc155057116e20228c7ab22ef3e08dbfdca2e13ad.exe	28
PID 2036 wrote to memory of 1624	2036	12a5158d4768fb51739e6b0fc155057116e20228c7ab22ef3e08dbfdca2e13ad.exe	28
PID 432 wrote to memory of 1732	432	taskeng.exe	33
PID 432 wrote to memory of 1732	432	taskeng.exe	33
PID 432 wrote to memory of 1732	432	taskeng.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\12a5158d4768fb51739e6b0fc155057116e20228c7ab22ef3e08dbfdca2e13ad.exe
"C:\Users\Admin\AppData\Local\Temp\12a5158d4768fb51739e6b0fc155057116e20228c7ab22ef3e08dbfdca2e13ad.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624

C:\Windows\system32\taskeng.exe
taskeng.exe {342B36C5-36B6-4C18-AAA5-30C63E1E1058} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f5bdbd6e3f388bd1aa1172c75cbaff9b

SHA1
d5730e1c7a3e8f3a1e4d2e6fac30bf1d9698975a

SHA256
1f2ef8483e6869c6d8d8328e33e8d2f9012870adcfdc770164ddcde67a0b29c9

SHA512
f1041fa69437a392d08621261473f6a63923701e824acf00196cd9fcf8dac6c22ea323279cd0b9828de8dbc82fbca1e1bf2399f24bc74adea3bbb51ed4db320d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PQRR1Z94V6GX2WCTMJDY.temp

Filesize
7KB

MD5
f5bdbd6e3f388bd1aa1172c75cbaff9b

SHA1
d5730e1c7a3e8f3a1e4d2e6fac30bf1d9698975a

SHA256
1f2ef8483e6869c6d8d8328e33e8d2f9012870adcfdc770164ddcde67a0b29c9

SHA512
f1041fa69437a392d08621261473f6a63923701e824acf00196cd9fcf8dac6c22ea323279cd0b9828de8dbc82fbca1e1bf2399f24bc74adea3bbb51ed4db320d

Download Submit
memory/1624-64-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1624-65-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/1624-66-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/1624-67-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/1624-63-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download
memory/1624-71-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/1624-70-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/1624-69-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/1732-2426-0x0000000000F40000-0x0000000000FC0000-memory.dmp

Filesize
512KB

Download
memory/1732-2423-0x0000000019C60000-0x0000000019F42000-memory.dmp

Filesize
2.9MB

Download
memory/1732-2424-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/1732-2425-0x0000000000F40000-0x0000000000FC0000-memory.dmp

Filesize
512KB

Download
memory/1732-2427-0x0000000000F40000-0x0000000000FC0000-memory.dmp

Filesize
512KB

Download
memory/2036-104-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-120-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-75-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-77-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-79-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-81-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-84-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-83-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2036-85-0x000000001C190000-0x000000001C235000-memory.dmp

Filesize
660KB

Download
memory/2036-87-0x000000001C110000-0x000000001C190000-memory.dmp

Filesize
512KB

Download
memory/2036-89-0x000000001C110000-0x000000001C190000-memory.dmp

Filesize
512KB

Download
memory/2036-88-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-91-0x000000001C110000-0x000000001C190000-memory.dmp

Filesize
512KB

Download
memory/2036-92-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-94-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-96-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-98-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-100-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-102-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-73-0x000000001C2E0000-0x000000001C3D6000-memory.dmp

Filesize
984KB

Download
memory/2036-106-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-108-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-110-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-112-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-114-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-116-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-118-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-74-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-122-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-124-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-126-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-128-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-130-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-132-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-134-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-136-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-138-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-140-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-142-0x000000001C2E0000-0x000000001C3D0000-memory.dmp

Filesize
960KB

Download
memory/2036-2409-0x000000001B300000-0x000000001B356000-memory.dmp

Filesize
344KB

Download
memory/2036-2410-0x000000001B760000-0x000000001B7AC000-memory.dmp

Filesize
304KB

Download
memory/2036-2411-0x000000001C110000-0x000000001C190000-memory.dmp

Filesize
512KB

Download
memory/2036-2413-0x000000001C110000-0x000000001C190000-memory.dmp

Filesize
512KB

Download
memory/2036-2412-0x000000001C110000-0x000000001C190000-memory.dmp

Filesize
512KB

Download
memory/2036-2414-0x000000001C110000-0x000000001C190000-memory.dmp

Filesize
512KB

Download
memory/2036-2415-0x000000001C110000-0x000000001C190000-memory.dmp

Filesize
512KB

Download
memory/2036-2416-0x000000001C0A0000-0x000000001C0F4000-memory.dmp

Filesize
336KB

Download
memory/2036-72-0x000000001C240000-0x000000001C2E2000-memory.dmp

Filesize
648KB

Download
memory/2036-68-0x000000001C110000-0x000000001C190000-memory.dmp

Filesize
512KB

Download
memory/2036-58-0x000000001C110000-0x000000001C190000-memory.dmp

Filesize
512KB

Download
memory/2036-57-0x0000000000D90000-0x0000000000E22000-memory.dmp

Filesize
584KB

Download
memory/2036-56-0x0000000000940000-0x00000000009E8000-memory.dmp

Filesize
672KB

Download
memory/2036-55-0x00000000010F0000-0x0000000001278000-memory.dmp

Filesize
1.5MB

Download
memory/2036-54-0x00000000012A0000-0x00000000014BE000-memory.dmp

Filesize
2.1MB

Download