bf97d8ee1b61a6699e0a1ff3cda31252cfbd154804673d83dd68b1fee155f953

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INOVICE NO CY-W-24-17-26.exe
Size

714KB
MD5

d57f61c8ca3a73cad73f5cb160d2e1a8
SHA1

62a5c18d4194f1f4bef658fd24cb68a3067537a3
SHA256

bf97d8ee1b61a6699e0a1ff3cda31252cfbd154804673d83dd68b1fee155f953
SHA512

bcb796de15d4519b4d2c6a701bcb1b83bb5fd09d9a04ac31c66a82326d4ecba30bc8bde0dff5a4008b120d3d0642820e60d34264c2cb253ba04e7deb0323d430
SSDEEP

12288:gFoO3mYoQxv9wQNWk9eGwk5Lq8RVDrlYGI/d8FR2ij6QnLkB:ghbhxv9wQNV5e8fGOwQnAB

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2656 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2964 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2964 powershell.exe

pid	process
2656	schtasks.exe

pid	process
2964	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2964	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

INOVICE NO CY-W-24-17-26.exe

description	pid	process	target process
PID 856 wrote to memory of 2964	856	INOVICE NO CY-W-24-17-26.exe	powershell.exe
PID 856 wrote to memory of 2964	856	INOVICE NO CY-W-24-17-26.exe	powershell.exe
PID 856 wrote to memory of 2964	856	INOVICE NO CY-W-24-17-26.exe	powershell.exe
PID 856 wrote to memory of 2964	856	INOVICE NO CY-W-24-17-26.exe	powershell.exe
PID 856 wrote to memory of 2656	856	INOVICE NO CY-W-24-17-26.exe	schtasks.exe
PID 856 wrote to memory of 2656	856	INOVICE NO CY-W-24-17-26.exe	schtasks.exe
PID 856 wrote to memory of 2656	856	INOVICE NO CY-W-24-17-26.exe	schtasks.exe
PID 856 wrote to memory of 2656	856	INOVICE NO CY-W-24-17-26.exe	schtasks.exe
PID 856 wrote to memory of 2716	856	INOVICE NO CY-W-24-17-26.exe	MSBuild.exe
PID 856 wrote to memory of 2716	856	INOVICE NO CY-W-24-17-26.exe	MSBuild.exe
PID 856 wrote to memory of 2716	856	INOVICE NO CY-W-24-17-26.exe	MSBuild.exe
PID 856 wrote to memory of 2716	856	INOVICE NO CY-W-24-17-26.exe	MSBuild.exe
PID 856 wrote to memory of 2716	856	INOVICE NO CY-W-24-17-26.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\INOVICE NO CY-W-24-17-26.exe
"C:\Users\Admin\AppData\Local\Temp\INOVICE NO CY-W-24-17-26.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hBdXlArIL.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hBdXlArIL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3FAF.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3FAF.tmp

Filesize
1KB

MD5
de6c411cfcbcfb521a2e10f16c7b7947

SHA1
0c8f9c8ab43d5117d4db2072e4b11d90c4e3e3ef

SHA256
10c5da628aed4145510ad75978a0ee5b14e8d92f368f98f1274dee0b95aca8a1

SHA512
ae845a9b6420c90c397957eb300ed3644a94c1a206bb1b9291cb2368806406513eceda39a589798c6491c653a0f37f1937d2b2a4ba7663bd5b91604bf32a10eb

Download Submit
memory/856-3-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/856-2-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/856-0-0x0000000000D20000-0x0000000000DD8000-memory.dmp

Filesize
736KB

Download
memory/856-4-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/856-5-0x0000000004B60000-0x0000000004BE2000-memory.dmp

Filesize
520KB

Download
memory/856-1-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/856-20-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/856-21-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/2716-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-13-0x000000006E090000-0x000000006E63B000-memory.dmp

Filesize
5.7MB

Download
memory/2964-14-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/2964-15-0x000000006E090000-0x000000006E63B000-memory.dmp

Filesize
5.7MB

Download
memory/2964-19-0x000000006E090000-0x000000006E63B000-memory.dmp

Filesize
5.7MB

Download