e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe
Size

1.6MB
MD5

034bfaec248c788bac7ac64c3ff8b7f2
SHA1

cfb0d32b4df8c1426e4efc11b797df2dd55730bb
SHA256

e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43
SHA512

6f1b40d32253cb6b28706b8aab414bddd75a56b37aef058d6e0d334dfed358478e16668359b493a425919c6ada3d4f1f4929e3775c636453d6483c529221d159
SSDEEP

24576:ZrVGNek6mpi8UljolHKOpIR+s6yR1nLX49b2yKCB3JurSnhG9h8K:DiiPMqOIR/rRX49S65pG31

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2856 set thread context of 2908	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe
2580	powershell.exe
2956	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2908	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2580	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	33
PID 2856 wrote to memory of 2580	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	33
PID 2856 wrote to memory of 2580	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	33
PID 2856 wrote to memory of 2956	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	29
PID 2856 wrote to memory of 2956	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	29
PID 2856 wrote to memory of 2956	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	29
PID 2856 wrote to memory of 1892	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	31
PID 2856 wrote to memory of 1892	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	31
PID 2856 wrote to memory of 1892	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	31
PID 2856 wrote to memory of 2908	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	34
PID 2856 wrote to memory of 2908	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	34
PID 2856 wrote to memory of 2908	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	34
PID 2856 wrote to memory of 2908	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	34
PID 2856 wrote to memory of 2908	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	34
PID 2856 wrote to memory of 2908	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	34
PID 2856 wrote to memory of 2908	2856	e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe
"C:\Users\Admin\AppData\Local\Temp\e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jjbGqIOxgszK.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jjbGqIOxgszK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA1FA.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e7028a95959950b5f09747f15bdb33e1776015e9e583cea818aaccfdb27baa43.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA1FA.tmp

Filesize
1KB

MD5
2e1deb0f8e103ee9d31c888ba7339785

SHA1
e09a8d1b2eb5430fe3c745c25630add3de6865b1

SHA256
ffaec2cec80ee45f43718f8224c50a6bf9a867b318d073aae04dafb18984352a

SHA512
24b0b548d6d6f68695350e35207476f3c7fea5156b3a3dc621a9a6cb6d769884a6b565dba7f9051e759dd1f18736666d27d21467a25e7b051d61965f5f3a81a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e171d4eac1c07df6092977d1e89c67a2

SHA1
79cc41d3323e17b942de6ef2e0dfb685760f1f24

SHA256
d8ec95fcf64ca109c2bb62e734869003793f83569752c3059d37284fcfca705f

SHA512
9af0cc3c9fa04c7cc7b4035f0ee8c024cbc07833dad3d246c5ee8450a1741f0763847675a4f25dae84502449d090553516a46e62466a73c1d683d185d162de00

Download Submit
memory/2580-29-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2580-25-0x000007FEEDF40000-0x000007FEEE8DD000-memory.dmp

Filesize
9.6MB

Download
memory/2580-36-0x00000000029FB000-0x0000000002A62000-memory.dmp

Filesize
412KB

Download
memory/2580-33-0x00000000029F4000-0x00000000029F7000-memory.dmp

Filesize
12KB

Download
memory/2580-30-0x000007FEEDF40000-0x000007FEEE8DD000-memory.dmp

Filesize
9.6MB

Download
memory/2580-26-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2856-0-0x000000013F1C0000-0x000000013F35C000-memory.dmp

Filesize
1.6MB

Download
memory/2856-3-0x0000000000A70000-0x0000000000A8A000-memory.dmp

Filesize
104KB

Download
memory/2856-1-0x000007FEF5730000-0x000007FEF611C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-21-0x000007FEF5730000-0x000007FEF611C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-43-0x000007FEF5730000-0x000007FEF611C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-2-0x000000001BDF0000-0x000000001BE70000-memory.dmp

Filesize
512KB

Download
memory/2856-6-0x000000001D3E0000-0x000000001D4FA000-memory.dmp

Filesize
1.1MB

Download
memory/2856-4-0x0000000002110000-0x0000000002122000-memory.dmp

Filesize
72KB

Download
memory/2856-5-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/2856-37-0x000000001BDF0000-0x000000001BE70000-memory.dmp

Filesize
512KB

Download
memory/2908-47-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-70-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-38-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2908-2290-0x000000001ADA0000-0x000000001AE20000-memory.dmp

Filesize
512KB

Download
memory/2908-34-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/2908-31-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/2908-2289-0x000007FEF5730000-0x000007FEF611C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-2287-0x00000000023B0000-0x000000000244E000-memory.dmp

Filesize
632KB

Download
memory/2908-44-0x000000001B4F0000-0x000000001B602000-memory.dmp

Filesize
1.1MB

Download
memory/2908-46-0x000000001ADA0000-0x000000001AE20000-memory.dmp

Filesize
512KB

Download
memory/2908-45-0x000007FEF5730000-0x000007FEF611C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-2288-0x00000000021B0000-0x00000000021FC000-memory.dmp

Filesize
304KB

Download
memory/2908-27-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/2908-98-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-100-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-50-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-48-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-52-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-54-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-58-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-56-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-60-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-64-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-40-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/2908-72-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-78-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-80-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-86-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-92-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-90-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-88-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-84-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-82-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-76-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-74-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-68-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-94-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-66-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-96-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-62-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2908-102-0x000000001B4F0000-0x000000001B5FF000-memory.dmp

Filesize
1.1MB

Download
memory/2956-22-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/2956-23-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

Filesize
32KB

Download
memory/2956-28-0x000007FEEDF40000-0x000007FEEE8DD000-memory.dmp

Filesize
9.6MB

Download
memory/2956-24-0x0000000002A1B000-0x0000000002A82000-memory.dmp

Filesize
412KB

Download
memory/2956-32-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2956-35-0x0000000002A14000-0x0000000002A17000-memory.dmp

Filesize
12KB

Download