b7f6e7cad50f57e9cf2aa8793284b2df8839226c5790555491d51a3fc27caa06

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
06-12-2023 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Revise copy.exe
Size

650KB
MD5

c64c2a89d124e9185d312b3f880b31d9
SHA1

cb98b08b3954f8c596762a9d571006bc077612e0
SHA256

8dd68257e8d07b2e0d25da886cdb7cb487085b99a469984369d486812596ea12
SHA512

92c0be639e432691a58c220e015987f77755703c4f936480befd3c035ff4386ad20734a936d21921c3fc5bfa3cc4e1be6288756fc24e10147305621d34bbb472
SSDEEP

12288:iq5nF8ME6jD/GYVZBzN0SeawOHlB+GrgetMtZeF3KKprWeb25LfYOghi:iqPtD/Gez03awaDrgeWtZeNr6eaLQOu

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2764	Revise copy.exe
2764	Revise copy.exe
2764	Revise copy.exe
2764	Revise copy.exe
2764	Revise copy.exe
2764	Revise copy.exe
2764	Revise copy.exe
2764	Revise copy.exe
2764	Revise copy.exe
2764	Revise copy.exe
2764	Revise copy.exe
2684	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	Revise copy.exe
Token: SeDebugPrivilege	2684	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2684	2764	Revise copy.exe	28
PID 2764 wrote to memory of 2684	2764	Revise copy.exe	28
PID 2764 wrote to memory of 2684	2764	Revise copy.exe	28
PID 2764 wrote to memory of 2684	2764	Revise copy.exe	28
PID 2764 wrote to memory of 2676	2764	Revise copy.exe	30
PID 2764 wrote to memory of 2676	2764	Revise copy.exe	30
PID 2764 wrote to memory of 2676	2764	Revise copy.exe	30
PID 2764 wrote to memory of 2676	2764	Revise copy.exe	30
PID 2764 wrote to memory of 2712	2764	Revise copy.exe	32
PID 2764 wrote to memory of 2712	2764	Revise copy.exe	32
PID 2764 wrote to memory of 2712	2764	Revise copy.exe	32
PID 2764 wrote to memory of 2712	2764	Revise copy.exe	32
PID 2764 wrote to memory of 2788	2764	Revise copy.exe	36
PID 2764 wrote to memory of 2788	2764	Revise copy.exe	36
PID 2764 wrote to memory of 2788	2764	Revise copy.exe	36
PID 2764 wrote to memory of 2788	2764	Revise copy.exe	36
PID 2764 wrote to memory of 2652	2764	Revise copy.exe	34
PID 2764 wrote to memory of 2652	2764	Revise copy.exe	34
PID 2764 wrote to memory of 2652	2764	Revise copy.exe	34
PID 2764 wrote to memory of 2652	2764	Revise copy.exe	34
PID 2764 wrote to memory of 2620	2764	Revise copy.exe	33
PID 2764 wrote to memory of 2620	2764	Revise copy.exe	33
PID 2764 wrote to memory of 2620	2764	Revise copy.exe	33
PID 2764 wrote to memory of 2620	2764	Revise copy.exe	33
PID 2764 wrote to memory of 2208	2764	Revise copy.exe	35
PID 2764 wrote to memory of 2208	2764	Revise copy.exe	35
PID 2764 wrote to memory of 2208	2764	Revise copy.exe	35
PID 2764 wrote to memory of 2208	2764	Revise copy.exe	35

C:\Users\Admin\AppData\Local\Temp\Revise copy.exe
"C:\Users\Admin\AppData\Local\Temp\Revise copy.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yvygyKkUYqKa.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yvygyKkUYqKa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDC6A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\Revise copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Revise copy.exe"
  2⤵
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\Revise copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Revise copy.exe"
  2⤵
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\Revise copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Revise copy.exe"
  2⤵
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\Revise copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Revise copy.exe"
  2⤵
  PID:2208
- C:\Users\Admin\AppData\Local\Temp\Revise copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Revise copy.exe"
  2⤵
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDC6A.tmp

Filesize
1KB

MD5
642819e8a9b1241ed672b6828b01e0d6

SHA1
027b549f9088797a93be6a49f171609f9764b2f5

SHA256
90a74d84e80d27078056a2048569d318daac9562e9da852a7128bf42b652453b

SHA512
7fac5c80b4f14e26c2d9d5f14a2ad07468253b9fe923a4c1230c7de7c23a01303e02bfb8c4b9cb2a9f8b3dbe43fa944122b8105ad4f21c01699296d5c8c41087

Download Submit
memory/2684-20-0x000000006E900000-0x000000006EEAB000-memory.dmp

Filesize
5.7MB

Download
memory/2684-17-0x00000000022E0000-0x0000000002320000-memory.dmp

Filesize
256KB

Download
memory/2684-18-0x00000000022E0000-0x0000000002320000-memory.dmp

Filesize
256KB

Download
memory/2684-19-0x00000000022E0000-0x0000000002320000-memory.dmp

Filesize
256KB

Download
memory/2684-16-0x000000006E900000-0x000000006EEAB000-memory.dmp

Filesize
5.7MB

Download
memory/2684-15-0x000000006E900000-0x000000006EEAB000-memory.dmp

Filesize
5.7MB

Download
memory/2764-6-0x0000000005BE0000-0x0000000005C4A000-memory.dmp

Filesize
424KB

Download
memory/2764-0-0x00000000003A0000-0x0000000000448000-memory.dmp

Filesize
672KB

Download
memory/2764-14-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2764-5-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/2764-4-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/2764-3-0x0000000000630000-0x0000000000648000-memory.dmp

Filesize
96KB

Download
memory/2764-2-0x00000000047F0000-0x0000000004830000-memory.dmp

Filesize
256KB

Download
memory/2764-1-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download