539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81

General

Target

539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
Size

660KB
MD5

76a62fbc17b736c0f770a8ec34b4a754
SHA1

c2b53a1b1976b0a12b0c616f3aab0823bf8e388d
SHA256

539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81
SHA512

0aeac0b07f9c23414655e201853e92c4fea05d1648024a9d11913888e09856159236925fb9e4ff3e087eb7eea8fe36331b5afbeed4d6cfbcab6aa48a5d2e7b5e
SSDEEP

12288:fH2iNlw0L3qngkrrlL6zoSsrdlzlBnnb1wLHGkELE1Q9RuKH86G1h2MX:v1XugkHljBnBBnnRwLHGdFRuKH8P1h2c

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2392 schtasks.exe

pid	process
2392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exepowershell.exepowershell.exe

pid	process
1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
2540	powershell.exe
2592	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe

C:\Users\Admin\AppData\Local\Temp\539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
"C:\Users\Admin\AppData\Local\Temp\539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kFYtLn.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kFYtLn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5245.tmp"
2⤵
- Creates scheduled task(s)
PID:2392

C:\Users\Admin\AppData\Local\Temp\539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
"C:\Users\Admin\AppData\Local\Temp\539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe"
2⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
"C:\Users\Admin\AppData\Local\Temp\539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe"
2⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
"C:\Users\Admin\AppData\Local\Temp\539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe"
2⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
"C:\Users\Admin\AppData\Local\Temp\539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe"
2⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
"C:\Users\Admin\AppData\Local\Temp\539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe"
2⤵
PID:2456

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5245.tmp
Filesize
1KB

MD5
f5f1ee4323119419d0eb13f23276b387

SHA1
6f63b421693c6089879ba3666098992d7886a295

SHA256
8fa961bc67f7325d79cf82f50021d409a55031f903c852ff5026d445f01c0780

SHA512
422e3125b71e2a1e35d1fc998f99c9a363688819efcaef1e35e377e652e89b47406f17d0c025d4e835cdde4ce526715f0bcf30b36b8514499ae3dbc43e4d7b2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
6e32f76016f77295fc7b9ef45b81daf5

SHA1
79944e09607853307db8e3c5c5a2ea4ee030fb88

SHA256
d7d1f812e6730609559880d529cd717f319ed34eaea89b46210537ff22d7508b

SHA512
07f2cde52f2a78a5e47aafc3c5dbc82effbc9aa8b1212cf9d5aa39ed61bcb20be25d5aebdfc898546ddb42ef426031e1bc3b7a95fd516d108238a53fcdefcf4d

Download Submit
memory/1968-19-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-1-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-2-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download
memory/1968-3-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/1968-4-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/1968-5-0x0000000005230000-0x00000000052B4000-memory.dmp

Filesize
528KB

Download
memory/1968-0-0x0000000000190000-0x000000000023A000-memory.dmp

Filesize
680KB

Download
memory/2540-21-0x0000000001D90000-0x0000000001DD0000-memory.dmp

Filesize
256KB

Download
memory/2540-20-0x000000006F4D0000-0x000000006FA7B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-23-0x000000006F4D0000-0x000000006FA7B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-28-0x000000006F4D0000-0x000000006FA7B000-memory.dmp

Filesize
5.7MB

Download
memory/2592-22-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/2592-18-0x000000006F4D0000-0x000000006FA7B000-memory.dmp

Filesize
5.7MB

Download
memory/2592-26-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/2592-25-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/2592-24-0x000000006F4D0000-0x000000006FA7B000-memory.dmp

Filesize
5.7MB

Download
memory/2592-27-0x000000006F4D0000-0x000000006FA7B000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 1968 wrote to memory of 2592	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	powershell.exe
PID 1968 wrote to memory of 2592	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	powershell.exe
PID 1968 wrote to memory of 2592	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	powershell.exe
PID 1968 wrote to memory of 2592	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	powershell.exe
PID 1968 wrote to memory of 2540	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	powershell.exe
PID 1968 wrote to memory of 2540	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	powershell.exe
PID 1968 wrote to memory of 2540	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	powershell.exe
PID 1968 wrote to memory of 2540	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	powershell.exe
PID 1968 wrote to memory of 2392	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	schtasks.exe
PID 1968 wrote to memory of 2392	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	schtasks.exe
PID 1968 wrote to memory of 2392	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	schtasks.exe
PID 1968 wrote to memory of 2392	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	schtasks.exe
PID 1968 wrote to memory of 2604	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2604	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2604	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2604	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2440	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2440	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2440	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2440	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2396	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2396	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2396	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2396	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2428	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2428	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2428	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2428	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2456	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2456	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2456	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe
PID 1968 wrote to memory of 2456	1968	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe	539bd7b1e407a485f3fc31b27d1adfd0c1594d15f773c14119255e995fd82f81.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads