09f0823d593febe6989e64999c4ea5e92c78a57d44af084812628562f3d8d375

Analysis

max time kernel
74s
max time network
81s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
20-09-2023 13:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

i7.exe
Size

15KB
MD5

4afcab972e98ecbf855f915b2739f508
SHA1

615dc2fa827fab39e16a7e9721f484e7f4d34f8e
SHA256

7cc34a5423bd3fc9fa63d20ebece4103e22e4360df5b9caa2b461069dac77f4d
SHA512

58258f74d7e35c5a83234a98bc033846be5a65146bd992e738a8678706a18c30759bd405fbb30a296181e2f92acb0219df8979030cc45d1cdec6ac06e8bc00d5
SSDEEP

384:Gpsx5cnV21mSHhV8b+lee84SzFnYPLr7aq:GpscnfS/8KUe8jC7aq

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2676	powershell.exe
2604	powershell.exe
2704	powershell.exe
2576	powershell.exe
2060	powershell.exe
1620	powershell.exe
2416	powershell.exe
2796	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeShutdownPrivilege	2096	shutdown.exe
Token: SeRemoteShutdownPrivilege	2096	shutdown.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeShutdownPrivilege	860	shutdown.exe
Token: SeRemoteShutdownPrivilege	860	shutdown.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2676	2732	i7.exe	29
PID 2732 wrote to memory of 2676	2732	i7.exe	29
PID 2732 wrote to memory of 2676	2732	i7.exe	29
PID 2732 wrote to memory of 2676	2732	i7.exe	29
PID 2732 wrote to memory of 2604	2732	i7.exe	31
PID 2732 wrote to memory of 2604	2732	i7.exe	31
PID 2732 wrote to memory of 2604	2732	i7.exe	31
PID 2732 wrote to memory of 2604	2732	i7.exe	31
PID 2732 wrote to memory of 2576	2732	i7.exe	33
PID 2732 wrote to memory of 2576	2732	i7.exe	33
PID 2732 wrote to memory of 2576	2732	i7.exe	33
PID 2732 wrote to memory of 2576	2732	i7.exe	33
PID 2732 wrote to memory of 2704	2732	i7.exe	34
PID 2732 wrote to memory of 2704	2732	i7.exe	34
PID 2732 wrote to memory of 2704	2732	i7.exe	34
PID 2732 wrote to memory of 2704	2732	i7.exe	34
PID 2732 wrote to memory of 2952	2732	i7.exe	37
PID 2732 wrote to memory of 2952	2732	i7.exe	37
PID 2732 wrote to memory of 2952	2732	i7.exe	37
PID 2732 wrote to memory of 2952	2732	i7.exe	37
PID 2732 wrote to memory of 2060	2732	i7.exe	39
PID 2732 wrote to memory of 2060	2732	i7.exe	39
PID 2732 wrote to memory of 2060	2732	i7.exe	39
PID 2732 wrote to memory of 2060	2732	i7.exe	39
PID 2952 wrote to memory of 2096	2952	cmd.exe	40
PID 2952 wrote to memory of 2096	2952	cmd.exe	40
PID 2952 wrote to memory of 2096	2952	cmd.exe	40
PID 2952 wrote to memory of 2096	2952	cmd.exe	40
PID 2732 wrote to memory of 2416	2732	i7.exe	42
PID 2732 wrote to memory of 2416	2732	i7.exe	42
PID 2732 wrote to memory of 2416	2732	i7.exe	42
PID 2732 wrote to memory of 2416	2732	i7.exe	42
PID 2732 wrote to memory of 1620	2732	i7.exe	43
PID 2732 wrote to memory of 1620	2732	i7.exe	43
PID 2732 wrote to memory of 1620	2732	i7.exe	43
PID 2732 wrote to memory of 1620	2732	i7.exe	43
PID 2732 wrote to memory of 2796	2732	i7.exe	46
PID 2732 wrote to memory of 2796	2732	i7.exe	46
PID 2732 wrote to memory of 2796	2732	i7.exe	46
PID 2732 wrote to memory of 2796	2732	i7.exe	46
PID 2732 wrote to memory of 1660	2732	i7.exe	49
PID 2732 wrote to memory of 1660	2732	i7.exe	49
PID 2732 wrote to memory of 1660	2732	i7.exe	49
PID 2732 wrote to memory of 1660	2732	i7.exe	49
PID 1660 wrote to memory of 860	1660	cmd.exe	51
PID 1660 wrote to memory of 860	1660	cmd.exe	51
PID 1660 wrote to memory of 860	1660	cmd.exe	51
PID 1660 wrote to memory of 860	1660	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\i7.exe
"C:\Users\Admin\AppData\Local\Temp\i7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess Users\Admin\AppData\Local\Temp.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess cmd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess powershell.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\win.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\shutdown.exe
    SHUTDOWN -r -f -t 60
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess Users\Admin\AppData\Local\Temp.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess cmd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess powershell.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\win.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\shutdown.exe
    SHUTDOWN -r -f -t 60
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:860

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1964

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TSQ0V1LH7CXEH5LC712D.temp

Filesize
7KB

MD5
2739fc095466626d4d8ee64715db8a8f

SHA1
3e787f1e38fc3e37e5bd4a81d1223e7463078695

SHA256
65bcc07bd9468050b449092d9f6cf3b58085444b8686feab58d27f5fb32e9b70

SHA512
468d03541a226d353ff6442b3b91205f9ea86d128b5fe17f2688edf803a586b782b09620c99ae43564f4d2c95b4451adc39ea09115df9aadc037922e5dd98c87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2739fc095466626d4d8ee64715db8a8f

SHA1
3e787f1e38fc3e37e5bd4a81d1223e7463078695

SHA256
65bcc07bd9468050b449092d9f6cf3b58085444b8686feab58d27f5fb32e9b70

SHA512
468d03541a226d353ff6442b3b91205f9ea86d128b5fe17f2688edf803a586b782b09620c99ae43564f4d2c95b4451adc39ea09115df9aadc037922e5dd98c87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2739fc095466626d4d8ee64715db8a8f

SHA1
3e787f1e38fc3e37e5bd4a81d1223e7463078695

SHA256
65bcc07bd9468050b449092d9f6cf3b58085444b8686feab58d27f5fb32e9b70

SHA512
468d03541a226d353ff6442b3b91205f9ea86d128b5fe17f2688edf803a586b782b09620c99ae43564f4d2c95b4451adc39ea09115df9aadc037922e5dd98c87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2739fc095466626d4d8ee64715db8a8f

SHA1
3e787f1e38fc3e37e5bd4a81d1223e7463078695

SHA256
65bcc07bd9468050b449092d9f6cf3b58085444b8686feab58d27f5fb32e9b70

SHA512
468d03541a226d353ff6442b3b91205f9ea86d128b5fe17f2688edf803a586b782b09620c99ae43564f4d2c95b4451adc39ea09115df9aadc037922e5dd98c87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2739fc095466626d4d8ee64715db8a8f

SHA1
3e787f1e38fc3e37e5bd4a81d1223e7463078695

SHA256
65bcc07bd9468050b449092d9f6cf3b58085444b8686feab58d27f5fb32e9b70

SHA512
468d03541a226d353ff6442b3b91205f9ea86d128b5fe17f2688edf803a586b782b09620c99ae43564f4d2c95b4451adc39ea09115df9aadc037922e5dd98c87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2739fc095466626d4d8ee64715db8a8f

SHA1
3e787f1e38fc3e37e5bd4a81d1223e7463078695

SHA256
65bcc07bd9468050b449092d9f6cf3b58085444b8686feab58d27f5fb32e9b70

SHA512
468d03541a226d353ff6442b3b91205f9ea86d128b5fe17f2688edf803a586b782b09620c99ae43564f4d2c95b4451adc39ea09115df9aadc037922e5dd98c87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2739fc095466626d4d8ee64715db8a8f

SHA1
3e787f1e38fc3e37e5bd4a81d1223e7463078695

SHA256
65bcc07bd9468050b449092d9f6cf3b58085444b8686feab58d27f5fb32e9b70

SHA512
468d03541a226d353ff6442b3b91205f9ea86d128b5fe17f2688edf803a586b782b09620c99ae43564f4d2c95b4451adc39ea09115df9aadc037922e5dd98c87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2739fc095466626d4d8ee64715db8a8f

SHA1
3e787f1e38fc3e37e5bd4a81d1223e7463078695

SHA256
65bcc07bd9468050b449092d9f6cf3b58085444b8686feab58d27f5fb32e9b70

SHA512
468d03541a226d353ff6442b3b91205f9ea86d128b5fe17f2688edf803a586b782b09620c99ae43564f4d2c95b4451adc39ea09115df9aadc037922e5dd98c87

Download Submit
C:\Users\win.bat

Filesize
22B

MD5
3e8bb8d3131766d2bcd4725fa77bc813

SHA1
d3490f7ebf044f2bab2b3af64f1ade2321da62a1

SHA256
9f5948c641dc7c1475cf674b46bf3457709001bb92963477e3643c62557a9d7a

SHA512
ff3373cd9d882581528fe817460e4a34a3fa1b2916900f06df0f47ef6972dcdd1c50c78aad08e8b9d17d37d8e0df3fddba268f88369f770365784dd395ebd293

Download Submit
C:\Users\win.bat

Filesize
22B

MD5
3e8bb8d3131766d2bcd4725fa77bc813

SHA1
d3490f7ebf044f2bab2b3af64f1ade2321da62a1

SHA256
9f5948c641dc7c1475cf674b46bf3457709001bb92963477e3643c62557a9d7a

SHA512
ff3373cd9d882581528fe817460e4a34a3fa1b2916900f06df0f47ef6972dcdd1c50c78aad08e8b9d17d37d8e0df3fddba268f88369f770365784dd395ebd293

Download Submit
memory/1620-68-0x0000000072810000-0x0000000072DBB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-65-0x0000000072810000-0x0000000072DBB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-64-0x0000000002700000-0x0000000002740000-memory.dmp

Filesize
256KB

Download
memory/2060-63-0x0000000072810000-0x0000000072DBB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-69-0x0000000072810000-0x0000000072DBB000-memory.dmp

Filesize
5.7MB

Download
memory/2416-67-0x0000000072810000-0x0000000072DBB000-memory.dmp

Filesize
5.7MB

Download
memory/2576-29-0x0000000072DC0000-0x000000007336B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-36-0x0000000072DC0000-0x000000007336B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-20-0x0000000072DC0000-0x000000007336B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-25-0x0000000002290000-0x00000000022D0000-memory.dmp

Filesize
256KB

Download
memory/2604-24-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/2604-37-0x0000000072DC0000-0x000000007336B000-memory.dmp

Filesize
5.7MB

Download
memory/2604-31-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/2604-28-0x0000000072DC0000-0x000000007336B000-memory.dmp

Filesize
5.7MB

Download
memory/2604-19-0x0000000072DC0000-0x000000007336B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-35-0x0000000072DC0000-0x000000007336B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-32-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2676-21-0x0000000072DC0000-0x000000007336B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-33-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2676-26-0x0000000072DC0000-0x000000007336B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-23-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/2704-34-0x0000000072DC0000-0x000000007336B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-30-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/2704-27-0x0000000072DC0000-0x000000007336B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-22-0x0000000072DC0000-0x000000007336B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-48-0x0000000000C70000-0x000000000171B000-memory.dmp

Filesize
10.7MB

Download
memory/2732-0-0x0000000000C70000-0x000000000171B000-memory.dmp

Filesize
10.7MB

Download
memory/2732-1-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2732-73-0x0000000000C70000-0x000000000171B000-memory.dmp

Filesize
10.7MB

Download
memory/2796-66-0x0000000072810000-0x0000000072DBB000-memory.dmp

Filesize
5.7MB

Download