88c915fc9b19666779df6aa7bf4be92a7bc293ba9a00269ae1e83f2605a54f50

Analysis

max time kernel
48s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25/05/2023, 12:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PO 543-35017173 - 07.58.14.509.exe
Size

980KB
MD5

8a4b25fad86c1369e690eb37b68300d0
SHA1

6c547762edae1d2e6cbb856a987b5fdf8604da6a
SHA256

88c915fc9b19666779df6aa7bf4be92a7bc293ba9a00269ae1e83f2605a54f50
SHA512

550c7e060f8564d33751a411444001e3a97ef7945881d83b8fe455bbc7768e3d1ad36db6ea5a7a43cd34103b82ed191513c3fbb5e2388ad0b43e73fd9c3d6e30
SSDEEP

24576:F9BEP88Xlp3mYUwfiEF3cBMPR8jJOg7B9:DBe8mlp9Uwqa3cBumpB9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2024	PO 543-35017173 - 07.58.14.509.exe
2024	PO 543-35017173 - 07.58.14.509.exe
2024	PO 543-35017173 - 07.58.14.509.exe
2024	PO 543-35017173 - 07.58.14.509.exe
2024	PO 543-35017173 - 07.58.14.509.exe
2024	PO 543-35017173 - 07.58.14.509.exe
2024	PO 543-35017173 - 07.58.14.509.exe
2024	PO 543-35017173 - 07.58.14.509.exe
2024	PO 543-35017173 - 07.58.14.509.exe
1324	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	PO 543-35017173 - 07.58.14.509.exe
Token: SeDebugPrivilege	1324	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1324	2024	PO 543-35017173 - 07.58.14.509.exe	28
PID 2024 wrote to memory of 1324	2024	PO 543-35017173 - 07.58.14.509.exe	28
PID 2024 wrote to memory of 1324	2024	PO 543-35017173 - 07.58.14.509.exe	28
PID 2024 wrote to memory of 1324	2024	PO 543-35017173 - 07.58.14.509.exe	28
PID 2024 wrote to memory of 664	2024	PO 543-35017173 - 07.58.14.509.exe	30
PID 2024 wrote to memory of 664	2024	PO 543-35017173 - 07.58.14.509.exe	30
PID 2024 wrote to memory of 664	2024	PO 543-35017173 - 07.58.14.509.exe	30
PID 2024 wrote to memory of 664	2024	PO 543-35017173 - 07.58.14.509.exe	30
PID 2024 wrote to memory of 452	2024	PO 543-35017173 - 07.58.14.509.exe	32
PID 2024 wrote to memory of 452	2024	PO 543-35017173 - 07.58.14.509.exe	32
PID 2024 wrote to memory of 452	2024	PO 543-35017173 - 07.58.14.509.exe	32
PID 2024 wrote to memory of 452	2024	PO 543-35017173 - 07.58.14.509.exe	32
PID 2024 wrote to memory of 292	2024	PO 543-35017173 - 07.58.14.509.exe	33
PID 2024 wrote to memory of 292	2024	PO 543-35017173 - 07.58.14.509.exe	33
PID 2024 wrote to memory of 292	2024	PO 543-35017173 - 07.58.14.509.exe	33
PID 2024 wrote to memory of 292	2024	PO 543-35017173 - 07.58.14.509.exe	33
PID 2024 wrote to memory of 1168	2024	PO 543-35017173 - 07.58.14.509.exe	34
PID 2024 wrote to memory of 1168	2024	PO 543-35017173 - 07.58.14.509.exe	34
PID 2024 wrote to memory of 1168	2024	PO 543-35017173 - 07.58.14.509.exe	34
PID 2024 wrote to memory of 1168	2024	PO 543-35017173 - 07.58.14.509.exe	34
PID 2024 wrote to memory of 2036	2024	PO 543-35017173 - 07.58.14.509.exe	35
PID 2024 wrote to memory of 2036	2024	PO 543-35017173 - 07.58.14.509.exe	35
PID 2024 wrote to memory of 2036	2024	PO 543-35017173 - 07.58.14.509.exe	35
PID 2024 wrote to memory of 2036	2024	PO 543-35017173 - 07.58.14.509.exe	35
PID 2024 wrote to memory of 604	2024	PO 543-35017173 - 07.58.14.509.exe	36
PID 2024 wrote to memory of 604	2024	PO 543-35017173 - 07.58.14.509.exe	36
PID 2024 wrote to memory of 604	2024	PO 543-35017173 - 07.58.14.509.exe	36
PID 2024 wrote to memory of 604	2024	PO 543-35017173 - 07.58.14.509.exe	36

C:\Users\Admin\AppData\Local\Temp\PO 543-35017173 - 07.58.14.509.exe
"C:\Users\Admin\AppData\Local\Temp\PO 543-35017173 - 07.58.14.509.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yFwqpHQj.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yFwqpHQj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC14D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:664
- C:\Users\Admin\AppData\Local\Temp\PO 543-35017173 - 07.58.14.509.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 543-35017173 - 07.58.14.509.exe"
  2⤵
  PID:452
- C:\Users\Admin\AppData\Local\Temp\PO 543-35017173 - 07.58.14.509.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 543-35017173 - 07.58.14.509.exe"
  2⤵
  PID:292
- C:\Users\Admin\AppData\Local\Temp\PO 543-35017173 - 07.58.14.509.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 543-35017173 - 07.58.14.509.exe"
  2⤵
  PID:1168
- C:\Users\Admin\AppData\Local\Temp\PO 543-35017173 - 07.58.14.509.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 543-35017173 - 07.58.14.509.exe"
  2⤵
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\PO 543-35017173 - 07.58.14.509.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 543-35017173 - 07.58.14.509.exe"
  2⤵
  PID:604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC14D.tmp

Filesize
1KB

MD5
8175045594799c2567d1bdd14c89945b

SHA1
65a6da9b91a0d550f69d11beb54020fb908d87e6

SHA256
ac9ec7b2a4267d40b7a55ef72fb9b8015f27c03b909399e0e662513a2cf7f6ea

SHA512
e121f4e7921c1ff006a534d57e1253e9c79429ac7af31ddaa34c0f155c90e21a390002344833c16a221b01d72dcfecead1223457c5645fec05f93e7aa66942b4

Download Submit
memory/1324-68-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/1324-69-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/2024-54-0x00000000000A0000-0x000000000019C000-memory.dmp

Filesize
1008KB

Download
memory/2024-55-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/2024-56-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/2024-57-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/2024-58-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/2024-59-0x0000000005450000-0x0000000005506000-memory.dmp

Filesize
728KB

Download
memory/2024-65-0x0000000005F80000-0x0000000006000000-memory.dmp

Filesize
512KB

Download