408407707c5c00d8a6bab7761a296f7ddefe93e50da7746dab3bb7778631d815

Analysis

max time kernel
79s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-05-2023 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
Size

612KB
MD5

1399a8cb59c05e00e63f5ba44446557e
SHA1

593445cc2ad091b367aedd6e4107dfb210375ff3
SHA256

5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa
SHA512

c93da49aa0e29da478d74b8b90a27ca3b11c5b50011eec1692eed0794f9ab610c9c05568052e9887e6ad944e688f0e8120fea9620f3f16695d55a37d68aff93b
SSDEEP

12288:CNj5Ay3SHAdvVPz95iez6PGD9Ai22UegR3FTthxezP9YC:C3IHWVpowX9AwUlFTthxCb

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
928	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
Token: SeDebugPrivilege	928	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 928	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	28
PID 1744 wrote to memory of 928	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	28
PID 1744 wrote to memory of 928	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	28
PID 1744 wrote to memory of 928	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	28
PID 1744 wrote to memory of 268	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	30
PID 1744 wrote to memory of 268	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	30
PID 1744 wrote to memory of 268	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	30
PID 1744 wrote to memory of 268	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	30
PID 1744 wrote to memory of 276	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	32
PID 1744 wrote to memory of 276	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	32
PID 1744 wrote to memory of 276	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	32
PID 1744 wrote to memory of 276	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	32
PID 1744 wrote to memory of 304	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	33
PID 1744 wrote to memory of 304	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	33
PID 1744 wrote to memory of 304	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	33
PID 1744 wrote to memory of 304	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	33
PID 1744 wrote to memory of 1036	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	34
PID 1744 wrote to memory of 1036	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	34
PID 1744 wrote to memory of 1036	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	34
PID 1744 wrote to memory of 1036	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	34
PID 1744 wrote to memory of 1372	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	35
PID 1744 wrote to memory of 1372	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	35
PID 1744 wrote to memory of 1372	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	35
PID 1744 wrote to memory of 1372	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	35
PID 1744 wrote to memory of 672	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	36
PID 1744 wrote to memory of 672	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	36
PID 1744 wrote to memory of 672	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	36
PID 1744 wrote to memory of 672	1744	5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe	36

C:\Users\Admin\AppData\Local\Temp\5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
"C:\Users\Admin\AppData\Local\Temp\5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AxfASHxRdwrWj.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AxfASHxRdwrWj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp36F9.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:268
- C:\Users\Admin\AppData\Local\Temp\5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
  "C:\Users\Admin\AppData\Local\Temp\5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe"
  2⤵
  PID:276
- C:\Users\Admin\AppData\Local\Temp\5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
  "C:\Users\Admin\AppData\Local\Temp\5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe"
  2⤵
  PID:304
- C:\Users\Admin\AppData\Local\Temp\5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
  "C:\Users\Admin\AppData\Local\Temp\5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe"
  2⤵
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
  "C:\Users\Admin\AppData\Local\Temp\5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe"
  2⤵
  PID:1372
- C:\Users\Admin\AppData\Local\Temp\5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe
  "C:\Users\Admin\AppData\Local\Temp\5a224ab3b182f13b491469c57c336848721fd9b3205c7b7905b1d05e5d99aefa.exe"
  2⤵
  PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp36F9.tmp

Filesize
1KB

MD5
5f884481763fd25c89083fc3e7f5e35f

SHA1
884e3ee0396b568d50dadcc21a45f2df3e9aecb3

SHA256
67232dec09fc637488caf01ef21f935bdf02b4278b4abb7130377b0b3939886c

SHA512
ed031f2f796aa5e3d1505ec1f373ede7dc872fe8ab3be4c8f35b9d7743fca974362e9bf2e57907c4910085934fa7ed85f4840ef159b8e00e4290590855fe1041

Download Submit
memory/928-68-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/928-69-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/1744-54-0x00000000003F0000-0x000000000048E000-memory.dmp

Filesize
632KB

Download
memory/1744-55-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/1744-56-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/1744-57-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/1744-58-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/1744-59-0x0000000006000000-0x0000000006076000-memory.dmp

Filesize
472KB

Download
memory/1744-67-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download