Analysis

max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 14-02-2024 04:39

Static task: static1

Behavioral task: behavioral1
  Sample: 9ac604ab0f70a0d75f107b8f52d97000.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 9ac604ab0f70a0d75f107b8f52d97000.exe
  Resource: win10v2004-20231215-en
General

Target: 9ac604ab0f70a0d75f107b8f52d97000.exe
Size: 1.4MB
MD5: 9ac604ab0f70a0d75f107b8f52d97000
SHA1: 48bfbec3b38f5070419e63efce548e7a234a3f0c
SHA256: 46dff1fda981f377a8ae116f14a7a4352e373787186606d2c5a91ae0c6c25609
SHA512: 5abea1a5274fd72fc64a44f3aea3545e4b5ab3e2d261c399ff40495f42fc59089756f832f1f0fa408e8714f76a710d2d616017193b53ba074172498e722bcd73
SSDEEP: 24576:V/CqsL1yQdGc9O42AT2fXB52MMMMMMMMMMMuMMMMMMMMMMMMMMMMMMMMMMMMMMMX:icAGc9O42AT2/KMMMMMMMMMMMuMMMMML
Malware Config

Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2216  schtasks.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  1672  9ac604ab0f70a0d75f107b8f52d97000.exe  (5 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1672  9ac604ab0f70a0d75f107b8f52d97000.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description                       pid   Process                               procid_target
  PID 1672 wrote to memory of 2216  1672  9ac604ab0f70a0d75f107b8f52d97000.exe  30  (4 identical entries)
  PID 1672 wrote to memory of 2300  1672  9ac604ab0f70a0d75f107b8f52d97000.exe  32  (4 identical entries)
  PID 1672 wrote to memory of 2400  1672  9ac604ab0f70a0d75f107b8f52d97000.exe  33  (4 identical entries)
  PID 1672 wrote to memory of 2564  1672  9ac604ab0f70a0d75f107b8f52d97000.exe  34  (4 identical entries)
  PID 1672 wrote to memory of 320   1672  9ac604ab0f70a0d75f107b8f52d97000.exe  35  (4 identical entries)
  PID 1672 wrote to memory of 1084  1672  9ac604ab0f70a0d75f107b8f52d97000.exe  36  (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe  PID:1672
  Command line: "C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  +-- C:\Windows\SysWOW64\schtasks.exe  PID:2216
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oUZjHsjH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp84A.tmp"
        - Creates scheduled task(s)

  +-- C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe  PID:2300
        Command line: "C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"

  +-- C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe  PID:2400
        Command line: "C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"

  +-- C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe  PID:2564
        Command line: "C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"

  +-- C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe  PID:320
        Command line: "C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"

  +-- C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe  PID:1084
        Command line: "C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: e55f0acf3e0be1f1a0806b9418e08ec3
SHA1: 7899eb54b9123a75d1801b5a5a9554aa45e7e471
SHA256: fca50829734289b08b83cdaa4d41c211b14bbc4f35eb41e99289fec166c9f720
SHA512: 011ab686a12022050f659ae9fd34af231471878a4bc30ab0428d8255b8c2cd810fa7da7aa032b92a771fdbf2dfbd5ef1a50dfd1fce770c1c6392a00360c550c8