Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 02-02-2024 01:54
Static task: static1
Behavioral task: behavioral1
Sample: 0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
Resource: win7-20231215-en
General
- Target: 0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
- Size: 986KB
- MD5: cdcfa8aab8a4766ddb88df4635104d83
- SHA1: 7ad43cc7224f694995e53325a581e659eabe2e16
- SHA256: 0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8
- SHA512: 9948e0571bfd8a167ad456a7aa4380b7f73f0bc77475b827bb20303a5fe1bce03670900e275cec573c88df51cd42a2060012bba623c7358640af8e1209210acb
- SSDEEP: 24576:FJRsQJVHvu3/mAUf45P3z55KTBmfswlibk:bWgHv0wq50TAfpEk
Malware Config
Extracted
darkcloud
- email_from
- email_to
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 836 (0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe) set thread context of PID 1696 (0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes:
  PID 836 (0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe), 9 hits
  PID 2700 (powershell.exe), 1 hit
  PID 2872 (powershell.exe), 1 hit
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  Token: SeDebugPrivilege, PID 836 (0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe)
  Token: SeDebugPrivilege, PID 2700 (powershell.exe)
  Token: SeDebugPrivilege, PID 2872 (powershell.exe)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (all writes originate from PID 836, 0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe):
  PID 836 wrote to memory of PID 2872 (powershell.exe), 4 writes
  PID 836 wrote to memory of PID 2700 (powershell.exe), 4 writes
  PID 836 wrote to memory of PID 2620 (schtasks.exe), 4 writes
  PID 836 wrote to memory of PID 1696 (0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe), 9 writes
Processes
- C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe (PID 836)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children of PID 836:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2872)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2700)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UbaskbOLQNa.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2620)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbaskbOLQNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB15.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe (PID 1696)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"

The child image paths sit under SysWOW64 although every command line names System32: the sample is 32-bit (resource tag arch:x86), so WOW64 file system redirection maps its System32 references to SysWOW64. PID 1696 is a second instance of the sample started by PID 836, which then wrote to its memory and replaced its thread context (the SetThreadContext and WriteProcessMemory signatures above), the usual shape of process hollowing.
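The three behaviours in the signatures and process tree above (a Defender exclusion added via Add-MpPreference, a scheduled task registered from an XML file in the user's temp directory, and a self-spawn followed by WriteProcessMemory and SetThreadContext) are what a detection engineer would turn into rules. The following is an added example, not sandbox output and not code from the DarkCloud sample: the event records are constructed by hand from the report's process tree and signature lists (PIDs are the report's), and the field names pid, ppid, image, cmdline, api and target_pid are an assumed minimal schema rather than any particular EDR's format. The third rule deliberately requires both the memory write and the thread-context change, because a process spawning its own image is common in benign software.

```python
"""Triage rules for the behaviours in the sandbox report above.

Added example, not sandbox output and not code from the sample. Event
records are constructed by hand from the report; the field names are an
assumed minimal schema, not a real EDR format.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # executable that actually ran (after WOW64 redirection)
    cmdline: str  # command line as logged


@dataclass(frozen=True)
class ApiEvent:
    api: str         # "WriteProcessMemory" or "SetThreadContext"
    pid: int         # calling process
    target_pid: int  # process acted upon


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # path as typed
DROP = r"C:\Users\Admin\AppData\Roaming\UbaskbOLQNa.exe"

# Constructed from the report's process tree (PIDs are the report's).
PROC_EVENTS = [
    ProcEvent(836, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2872, 836, PS, f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    ProcEvent(2700, 836, PS, f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{DROP}"'),
    ProcEvent(2620, 836, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbaskbOLQNa"'
              r' /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB15.tmp"'),
    ProcEvent(1696, 836, SAMPLE, f'"{SAMPLE}"'),
]

# Constructed from the WriteProcessMemory / SetThreadContext signatures.
API_EVENTS = [
    ApiEvent("WriteProcessMemory", 836, 2872),
    ApiEvent("WriteProcessMemory", 836, 2700),
    ApiEvent("WriteProcessMemory", 836, 2620),
    ApiEvent("WriteProcessMemory", 836, 1696),
    ApiEvent("SetThreadContext", 836, 1696),
]

EXCLUSION_RE = re.compile(r"add-mppreference\b.*?-exclusion(?:path|process|extension)", re.I)
SCHTASKS_XML_RE = re.compile(r"/create\b.*?/xml\s+\"?([^\"]+)", re.I)
USER_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, so SysWOW64 and System32 copies compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs, apis):
    """Return (rule, pid) findings in process-creation order."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = basename(p.image)
        # Rule 1: Defender exclusion added from the command line.
        if name == "powershell.exe" and EXCLUSION_RE.search(p.cmdline):
            findings.append(("defender_exclusion_added", p.pid))
        # Rule 2: scheduled task registered from an XML file in the user's temp dir.
        if name == "schtasks.exe":
            m = SCHTASKS_XML_RE.search(p.cmdline)
            if m and USER_TEMP_RE.search(m.group(1)):
                findings.append(("schtasks_from_temp_xml", p.pid))
        # Rule 3: process hollowing candidate. A self-spawn alone is common
        # (multi-process browsers do it); it is only flagged when the parent
        # also wrote the child's memory and replaced its thread context.
        parent = by_pid.get(p.ppid)
        if parent and parent.image.lower() == p.image.lower():
            wrote = any(a.api == "WriteProcessMemory" and a.pid == p.ppid
                        and a.target_pid == p.pid for a in apis)
            ctx = any(a.api == "SetThreadContext" and a.pid == p.ppid
                      and a.target_pid == p.pid for a in apis)
            if wrote and ctx:
                findings.append(("process_hollowing_candidate", p.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(PROC_EVENTS, API_EVENTS):
        print(f"{rule:30} pid={pid}")
```

Run against the constructed events, rules 1 and 2 fire on PIDs 2872, 2700 and 2620 and rule 3 on PID 1696. Rules 1 and 2 need only process-creation telemetry with command lines (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled); rule 3 needs cross-process API telemetry that not every sensor exposes, so on hosts without it the self-spawn alone should be treated as a lead, not a verdict. On a live host the same two persistence artefacts can be checked directly with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` and `schtasks /Query /TN "Updates\UbaskbOLQNa" /V /FO LIST`. Note that the second exclusion and the task name both point at C:\Users\Admin\AppData\Roaming\UbaskbOLQNa.exe, but this report records no file write to that path.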
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 463cd327d3e513344550f47f1a84e4b0
  SHA1: cab2121180c408fe2b13e0763f6eafad10fb8a4a
  SHA256: 985f73850f31683037816aa9b2bada09230a3231f1a427ccd695b02ab270dcdf
  SHA512: cb6cdbd06cb8a204be1bc7835aa8b0d9aeca6697c349b4a30ed7978576a57813bd4ac7942fda873f5bde7c5772419a206833a5688cf89c41f9058d1ce847b707
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2ZUOG1V122SN6TSOV4LT.temp
  Filesize: 7KB
  MD5: 841c0b3daee71608da23fc8fe88267a0
  SHA1: ea97983481b974d9f6b70f2349371d45fd4ac398
  SHA256: 7df348e2d08d8a1765a11715f993e6f0ff0b1d95dc096f89abe1c117febeebe4
  SHA512: b28889bd979f36b54276f17774ce519145b5931dd9865c042e2cdc6848ac739b93e85128bceb4c9218868fbf39d05788749f286d17e2d1e579fe1d95e131d85a