e9764c7c423c909f1aa4a2ab41ac0c3fbe592a90a1cb1a98028a4fc0320af0b1

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 05:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bff4de75e08d2e4d827853bb0f72af62.exe
Size

978KB
MD5

bff4de75e08d2e4d827853bb0f72af62
SHA1

44e7caebe4cee96fa8f9f754fdc756168a5871fa
SHA256

e9764c7c423c909f1aa4a2ab41ac0c3fbe592a90a1cb1a98028a4fc0320af0b1
SHA512

2819478d75d6635d46d30785f6828619b0da2ada65878a44084095010b7026480a80a72112927b8ae47b72445094bf8e693b0d50dd0b5238beeeff34004958a7
SSDEEP

24576:tr065nEVHc2YRQCWnwO5BqGff8NfMuYETj5mWGYlyy/2zw:trpnRwwAfwMG5mWGYlyM2

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\	bff4de75e08d2e4d827853bb0f72af62.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\test.txt	bff4de75e08d2e4d827853bb0f72af62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2484	bff4de75e08d2e4d827853bb0f72af62.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	bff4de75e08d2e4d827853bb0f72af62.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2512	2484	bff4de75e08d2e4d827853bb0f72af62.exe	28
PID 2484 wrote to memory of 2512	2484	bff4de75e08d2e4d827853bb0f72af62.exe	28
PID 2484 wrote to memory of 2512	2484	bff4de75e08d2e4d827853bb0f72af62.exe	28
PID 2484 wrote to memory of 2512	2484	bff4de75e08d2e4d827853bb0f72af62.exe	28
PID 2484 wrote to memory of 2596	2484	bff4de75e08d2e4d827853bb0f72af62.exe	30
PID 2484 wrote to memory of 2596	2484	bff4de75e08d2e4d827853bb0f72af62.exe	30
PID 2484 wrote to memory of 2596	2484	bff4de75e08d2e4d827853bb0f72af62.exe	30
PID 2484 wrote to memory of 2596	2484	bff4de75e08d2e4d827853bb0f72af62.exe	30
PID 2484 wrote to memory of 2596	2484	bff4de75e08d2e4d827853bb0f72af62.exe	30
PID 2484 wrote to memory of 2596	2484	bff4de75e08d2e4d827853bb0f72af62.exe	30
PID 2484 wrote to memory of 2596	2484	bff4de75e08d2e4d827853bb0f72af62.exe	30
PID 2484 wrote to memory of 2596	2484	bff4de75e08d2e4d827853bb0f72af62.exe	30
PID 2484 wrote to memory of 2596	2484	bff4de75e08d2e4d827853bb0f72af62.exe	30

C:\Users\Admin\AppData\Local\Temp\bff4de75e08d2e4d827853bb0f72af62.exe
"C:\Users\Admin\AppData\Local\Temp\bff4de75e08d2e4d827853bb0f72af62.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\736800936.xml"
  2⤵
  - Creates scheduled task(s)
  PID:2512
- C:\Users\Admin\AppData\Local\Temp\bff4de75e08d2e4d827853bb0f72af62.exe
  "C:\Users\Admin\AppData\Local\Temp\bff4de75e08d2e4d827853bb0f72af62.exe"
  2⤵
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\736800936.xml

Filesize
1KB

MD5
5bb56db5f0a142bebb0a0fe4ba1ddfbe

SHA1
0c7b1fec3988c20b4fc25170fd23f463e607835b

SHA256
eaf95a1c053b153465a1c4f70782216f244a3bccf90928ec490f445351615ede

SHA512
bd51fc7ed5cac07bdc53be0699bd8625e82459ff25bcf75962589f24573d5c7abd57af6bcda543af7f794daebb908f50a2d4c9075757a90b2565eb6421adcdc0

Download Submit
memory/2484-1-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-2-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/2484-0-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-21-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-22-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/2596-6-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2596-7-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2596-8-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2596-11-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2596-15-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2596-19-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download