Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 26/03/2024, 10:30
Static task: static1
Behavioral task: behavioral1
  Sample: kYyBuIFRcL6U7Fl.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: kYyBuIFRcL6U7Fl.exe
  Resource: win10v2004-20231215-en
General
Target: kYyBuIFRcL6U7Fl.exe
Size: 604KB
MD5: dc6c813e0b5c0adab63e8f6e47d3fb76
SHA1: c9979e87cf35d8563a16bf52ad762c04c89badc9
SHA256: 3d6012eb13b5a891571ea2d7c7bf120b9c12d479e5cb2c6ffc7e515e14c46866
SHA512: c3e83b275c6aedbf56fe581b6e5f5b7f9ec33573c460eca63590a33326c08378dd7ea04b1d80807fdfc74738d432adb9b37892a0655aff8611d2e30f4d9f9ef3
SSDEEP: 12288:z+E26ddIYd1x66+9GreDc4bRbOpPE6/5kqRQeB0QzauW2a5W:aOwO1mQreDc4lypPp+kQelzauWS
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2764, Process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2368, Process kYyBuIFRcL6U7Fl.exe (this entry is repeated for all remaining IoCs)
  pid 2980, Process powershell.exe
  pid 2616, Process powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 2368, Process kYyBuIFRcL6U7Fl.exe
  Token: SeDebugPrivilege, pid 2980, Process powershell.exe
  Token: SeDebugPrivilege, pid 2616, Process powershell.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2368 (kYyBuIFRcL6U7Fl.exe) wrote to memory of 2980, procid_target 28 (4 entries)
  PID 2368 (kYyBuIFRcL6U7Fl.exe) wrote to memory of 2616, procid_target 30 (4 entries)
  PID 2368 (kYyBuIFRcL6U7Fl.exe) wrote to memory of 2764, procid_target 32 (4 entries)
  PID 2368 (kYyBuIFRcL6U7Fl.exe) wrote to memory of 2408, procid_target 34 (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2368
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2980
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UoqhCzdpcgs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2616
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UoqhCzdpcgs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65E4.tmp"
    - Creates scheduled task(s)
    PID: 2764
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2408
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 635e5ec0a1742350a15b82ac5ff8b1d7
  SHA1: 69a9d1a99145e38aa2298c5a24d1cefd1b57a1a5
  SHA256: ad58f19ce256d91b97b0fd681a8c0db8bb1ae8386c6685a98d952abcfbc1e5e2
  SHA512: 67b4571648e81b348bd60417acba4e790412bc1a3425c8a34e37821a6c2a140ef6e9e9aa2f1e3ab970c6a17177babc3dda7d562f7a8cab58b5103db341a21985
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AZG0E59A9RMS5HDO2ZG6.temp
  Filesize: 7KB
  MD5: 21f2d8b447a917dd9a61add5b8f7f5fc
  SHA1: 932ac06e063e40318e7b801e141621b1108fe47a
  SHA256: 46634759882b90861ef52025afa5a4c30ecba346a540fced504c17c390ce0ffc
  SHA512: cf4f6836959e16c254735ed3238f743dc38c934c9e615772e52d6181edb453be9d6a6b3e4945778a5ebbd0aa3fa9eb9b0e674cee890a3df688a15e0bd21ea335