f369ce1d0bba437138d8527f9b9d460f2bf94a0da49f8a801d3839819f7f4f8c

General

Target

Product_Specification_Dec052023.exe
Size

828KB
MD5

72c79ce71ca4d2529fb05f1e37341a69
SHA1

aaa4e64071d39f2590d1bcb3b758c51d320ece31
SHA256

a4d1c2193d3db847e5c7132074a16826beff3d069e1ba83633b8ac7bc5c88f5e
SHA512

0e1f9eb942b5409bee74c4aaa3d249a87a88dc72d4aeda2cbe39cde7f428ef07b21e17c9467413826f4b599db744064acec96061dd8c5c3f1ea61f3f98618969
SSDEEP

12288:anfKE6jD/62iNG5nF8+pQWMHKMuGxZcx0dZRyKuhqCqPiGIqkHmI:afKtD/61I4HKMuOcexylhqCq5IJHmI

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2532 schtasks.exe

pid	process
2532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

Product_Specification_Dec052023.exepowershell.exepowershell.exe

pid	process
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2876	Product_Specification_Dec052023.exe
2680	powershell.exe
2704	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Product_Specification_Dec052023.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2876	Product_Specification_Dec052023.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Product_Specification_Dec052023.exe

C:\Users\Admin\AppData\Local\Temp\Product_Specification_Dec052023.exe
"C:\Users\Admin\AppData\Local\Temp\Product_Specification_Dec052023.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Product_Specification_Dec052023.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tNgQrHLDn.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tNgQrHLDn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B2E.tmp"
2⤵
- Creates scheduled task(s)
PID:2532

C:\Users\Admin\AppData\Local\Temp\Product_Specification_Dec052023.exe
"C:\Users\Admin\AppData\Local\Temp\Product_Specification_Dec052023.exe"
2⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\Product_Specification_Dec052023.exe
"C:\Users\Admin\AppData\Local\Temp\Product_Specification_Dec052023.exe"
2⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\Product_Specification_Dec052023.exe
"C:\Users\Admin\AppData\Local\Temp\Product_Specification_Dec052023.exe"
2⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\Product_Specification_Dec052023.exe
"C:\Users\Admin\AppData\Local\Temp\Product_Specification_Dec052023.exe"
2⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\Product_Specification_Dec052023.exe
"C:\Users\Admin\AppData\Local\Temp\Product_Specification_Dec052023.exe"
2⤵
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1B2E.tmp

Filesize
1KB

MD5
2467f3fe1f092c9156a9c4324f4ffdac

SHA1
005f25deb70cb9bfd64197176ae29e1a787d3a44

SHA256
7728ca09681eb316b74826c8bae34d77fa2ed49ed73a3c2ff7f986b953d602b7

SHA512
e88d11ff6f4d32e82940b15c88ed1740c50d158e631849b854d2c5eb8c3ea6679e10a3dd62ddeb32c4fbc3699f8f3a2c6533b3fcdf46a15fb313e21e178aeff5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TOAYN76EK82JWYNUX83O.temp

Filesize
7KB

MD5
7615f0c42a74df9f24631947f7c2695b

SHA1
0d881103763c7490ffd6de2476becae38b55591a

SHA256
04a76b30b52691841dab1daa878daf779a45ab4389b0bbc01f3b330347c06222

SHA512
6cd1d0c4963c821c9392ad57109c8cef053d60a8d65f79f84c435c26554a45cb695f0c1a2ccea799f7c23957399b761d7ec5b79da6f5afa5e39edc10cea9bdf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7615f0c42a74df9f24631947f7c2695b

SHA1
0d881103763c7490ffd6de2476becae38b55591a

SHA256
04a76b30b52691841dab1daa878daf779a45ab4389b0bbc01f3b330347c06222

SHA512
6cd1d0c4963c821c9392ad57109c8cef053d60a8d65f79f84c435c26554a45cb695f0c1a2ccea799f7c23957399b761d7ec5b79da6f5afa5e39edc10cea9bdf8

Download Submit
memory/2680-30-0x000000006EEF0000-0x000000006F49B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-29-0x0000000001EE0000-0x0000000001F20000-memory.dmp

Filesize
256KB

Download
memory/2680-28-0x0000000001EE0000-0x0000000001F20000-memory.dmp

Filesize
256KB

Download
memory/2680-26-0x0000000001EE0000-0x0000000001F20000-memory.dmp

Filesize
256KB

Download
memory/2680-23-0x000000006EEF0000-0x000000006F49B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-24-0x000000006EEF0000-0x000000006F49B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-22-0x000000006EEF0000-0x000000006F49B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-31-0x000000006EEF0000-0x000000006F49B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-27-0x00000000022B0000-0x00000000022F0000-memory.dmp

Filesize
256KB

Download
memory/2704-25-0x00000000022B0000-0x00000000022F0000-memory.dmp

Filesize
256KB

Download
memory/2876-21-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/2876-5-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/2876-0-0x0000000000390000-0x0000000000464000-memory.dmp

Filesize
848KB

Download
memory/2876-8-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/2876-4-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/2876-6-0x0000000005370000-0x00000000053EC000-memory.dmp

Filesize
496KB

Download
memory/2876-3-0x0000000000290000-0x00000000002A8000-memory.dmp

Filesize
96KB

Download
memory/2876-2-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/2876-1-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/2876-7-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 2876 wrote to memory of 2704	2876	Product_Specification_Dec052023.exe	powershell.exe
PID 2876 wrote to memory of 2704	2876	Product_Specification_Dec052023.exe	powershell.exe
PID 2876 wrote to memory of 2704	2876	Product_Specification_Dec052023.exe	powershell.exe
PID 2876 wrote to memory of 2704	2876	Product_Specification_Dec052023.exe	powershell.exe
PID 2876 wrote to memory of 2680	2876	Product_Specification_Dec052023.exe	powershell.exe
PID 2876 wrote to memory of 2680	2876	Product_Specification_Dec052023.exe	powershell.exe
PID 2876 wrote to memory of 2680	2876	Product_Specification_Dec052023.exe	powershell.exe
PID 2876 wrote to memory of 2680	2876	Product_Specification_Dec052023.exe	powershell.exe
PID 2876 wrote to memory of 2532	2876	Product_Specification_Dec052023.exe	schtasks.exe
PID 2876 wrote to memory of 2532	2876	Product_Specification_Dec052023.exe	schtasks.exe
PID 2876 wrote to memory of 2532	2876	Product_Specification_Dec052023.exe	schtasks.exe
PID 2876 wrote to memory of 2532	2876	Product_Specification_Dec052023.exe	schtasks.exe
PID 2876 wrote to memory of 2772	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 2772	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 2772	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 2772	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 3048	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 3048	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 3048	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 3048	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 2892	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 2892	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 2892	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 2892	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 1652	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 1652	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 1652	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 1652	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 740	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 740	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 740	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe
PID 2876 wrote to memory of 740	2876	Product_Specification_Dec052023.exe	Product_Specification_Dec052023.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads