75084813c3a29787a8329b1dfba9c1865034cae773ead12faed935b9b1e7175f

Analysis

max time kernel
62s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/06/2023, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

new project product.exe
Size

803KB
MD5

4c9d147c42519b53bc1bf6fe9b4233b9
SHA1

909c51f7b3bddb96853fce1795eaffd036deedbd
SHA256

75084813c3a29787a8329b1dfba9c1865034cae773ead12faed935b9b1e7175f
SHA512

4212f4f5c00e16cf146fae6cc52cb969f5d450b16d09c968c2336efb217ef1c21b50011017e47c8750103a9a7b398860b3bcf50d2270414e603f43cf69eb983e
SSDEEP

24576:t1U9BqmycgiH75BWp0kNqdMZ4kS5RIPfYF/sKW:tu9Bqmycr7Wp0k8dMZ4kSP0fYF/w

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1324	new project product.exe
1324	new project product.exe
1324	new project product.exe
1324	new project product.exe
1324	new project product.exe
1324	new project product.exe
1324	new project product.exe
1324	new project product.exe
1324	new project product.exe
1324	new project product.exe
1324	new project product.exe
1324	new project product.exe
1324	new project product.exe
1324	new project product.exe
1324	new project product.exe
1324	new project product.exe
1324	new project product.exe
1100	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	new project product.exe
Token: SeDebugPrivilege	1100	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1100	1324	new project product.exe	28
PID 1324 wrote to memory of 1100	1324	new project product.exe	28
PID 1324 wrote to memory of 1100	1324	new project product.exe	28
PID 1324 wrote to memory of 1100	1324	new project product.exe	28
PID 1324 wrote to memory of 672	1324	new project product.exe	30
PID 1324 wrote to memory of 672	1324	new project product.exe	30
PID 1324 wrote to memory of 672	1324	new project product.exe	30
PID 1324 wrote to memory of 672	1324	new project product.exe	30
PID 1324 wrote to memory of 336	1324	new project product.exe	32
PID 1324 wrote to memory of 336	1324	new project product.exe	32
PID 1324 wrote to memory of 336	1324	new project product.exe	32
PID 1324 wrote to memory of 336	1324	new project product.exe	32
PID 1324 wrote to memory of 1972	1324	new project product.exe	33
PID 1324 wrote to memory of 1972	1324	new project product.exe	33
PID 1324 wrote to memory of 1972	1324	new project product.exe	33
PID 1324 wrote to memory of 1972	1324	new project product.exe	33
PID 1324 wrote to memory of 1256	1324	new project product.exe	34
PID 1324 wrote to memory of 1256	1324	new project product.exe	34
PID 1324 wrote to memory of 1256	1324	new project product.exe	34
PID 1324 wrote to memory of 1256	1324	new project product.exe	34
PID 1324 wrote to memory of 1552	1324	new project product.exe	35
PID 1324 wrote to memory of 1552	1324	new project product.exe	35
PID 1324 wrote to memory of 1552	1324	new project product.exe	35
PID 1324 wrote to memory of 1552	1324	new project product.exe	35
PID 1324 wrote to memory of 1328	1324	new project product.exe	36
PID 1324 wrote to memory of 1328	1324	new project product.exe	36
PID 1324 wrote to memory of 1328	1324	new project product.exe	36
PID 1324 wrote to memory of 1328	1324	new project product.exe	36

C:\Users\Admin\AppData\Local\Temp\new project product.exe
"C:\Users\Admin\AppData\Local\Temp\new project product.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QcDpjTBHNmJ.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QcDpjTBHNmJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFBBE.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:672
- C:\Users\Admin\AppData\Local\Temp\new project product.exe
  "C:\Users\Admin\AppData\Local\Temp\new project product.exe"
  2⤵
  PID:336
- C:\Users\Admin\AppData\Local\Temp\new project product.exe
  "C:\Users\Admin\AppData\Local\Temp\new project product.exe"
  2⤵
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\new project product.exe
  "C:\Users\Admin\AppData\Local\Temp\new project product.exe"
  2⤵
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\new project product.exe
  "C:\Users\Admin\AppData\Local\Temp\new project product.exe"
  2⤵
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\new project product.exe
  "C:\Users\Admin\AppData\Local\Temp\new project product.exe"
  2⤵
  PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFBBE.tmp

Filesize
1KB

MD5
e58d6e9a171725ce1298f7c52f04590e

SHA1
1b9aaadfbf4aea88fc6c4b93ded2fae36cb9a124

SHA256
7cb533b31789b7b50a3d2b4b3807356870cac54027cb37c772044b85f486caf7

SHA512
134b7d1b6121ade1517f3fc40d6ea196bd02dc0fcf44db584788106c30cbea87dcdec89e22a3567f76a54f3aef5b189d69b901627d8eeaef38b2b624e3e39514

Download Submit
memory/1100-68-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/1100-69-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/1100-70-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/1324-54-0x00000000003E0000-0x00000000004B0000-memory.dmp

Filesize
832KB

Download
memory/1324-55-0x0000000001F80000-0x0000000001FC0000-memory.dmp

Filesize
256KB

Download
memory/1324-56-0x00000000003C0000-0x00000000003D4000-memory.dmp

Filesize
80KB

Download
memory/1324-57-0x0000000001F80000-0x0000000001FC0000-memory.dmp

Filesize
256KB

Download
memory/1324-58-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1324-59-0x00000000053D0000-0x000000000543C000-memory.dmp

Filesize
432KB

Download
memory/1324-67-0x00000000044A0000-0x00000000044D4000-memory.dmp

Filesize
208KB

Download