74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf

General

Target

74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe
Size

961KB
MD5

73d358a6b2ad4ced8a885895e0c12dba
SHA1

5dfb45244f148645ac66417bddc76cd4bb441e89
SHA256

74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf
SHA512

e59e9b877001c22a3fe0990b8b3a9daba8567d4db456f56e00d8bb170dddd1462d29c839832825ddbef5edcbf082a9fe04b060c7a55b8930b5f9b9689fb5e7a6
SSDEEP

24576:24FOzdtX2DtZzBRPOoY34+t5EEtG6XuRvyMnllW:Ted2DtZlRmoe4seEtBXuRvyU

Score

9^/10

Malware Config

Signatures

Detects executables packed with SmartAssembly 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2204-3-0x00000000002C0000-0x00000000002D0000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2204-4-0x00000000003E0000-0x00000000003EC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2680 schtasks.exe

pid	process
2680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exepowershell.exepowershell.exe

pid	process
2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe
2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe
2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe
2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe
2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe
2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe
2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe
2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe
2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe
2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe
2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe
2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe
2684	powershell.exe
2532	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe

description	pid	process	target process
PID 2204 wrote to memory of 2684	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	powershell.exe
PID 2204 wrote to memory of 2684	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	powershell.exe
PID 2204 wrote to memory of 2684	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	powershell.exe
PID 2204 wrote to memory of 2684	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	powershell.exe
PID 2204 wrote to memory of 2532	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	powershell.exe
PID 2204 wrote to memory of 2532	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	powershell.exe
PID 2204 wrote to memory of 2532	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	powershell.exe
PID 2204 wrote to memory of 2532	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	powershell.exe
PID 2204 wrote to memory of 2680	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	schtasks.exe
PID 2204 wrote to memory of 2680	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	schtasks.exe
PID 2204 wrote to memory of 2680	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	schtasks.exe
PID 2204 wrote to memory of 2680	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	schtasks.exe
PID 2204 wrote to memory of 2716	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 2716	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 2716	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 2716	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 3024	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 3024	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 3024	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 3024	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 2868	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 2868	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 2868	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 2868	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 2872	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 2872	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 2872	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 2872	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 2152	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 2152	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 2152	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe
PID 2204 wrote to memory of 2152	2204	74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe
"C:\Users\Admin\AppData\Local\Temp\74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\74a07ee3f0060987ebcb09e588ac1299a9d2a19e2f4139385f7880c229e2c8cf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GzaqkFxrVt.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzaqkFxrVt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AB3.tmp"
2⤵
- Creates scheduled task(s)
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:2152

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8AB3.tmp
Filesize
1KB

MD5
eea049775967400385c3455c41e1af05

SHA1
ae66e3ea85053c3e0d7b69acf5301a37a82bfc92

SHA256
6daf82c7a664733241a53448afcd0389e3960aa7da27d3b5a8cbce3336560f38

SHA512
3146c91897bb6364120edd197fccb72e4e2e4ee2884684fcf172e6976164f9c09649587b5d53015a4329db4467cd7f5c8b726b81558f2663f2134e4e60a366f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EOUEL2QVXYM59LFJ4OC6.temp
Filesize
7KB

MD5
b78a72d6a64ec29a47daf7036df3961e

SHA1
a304ffb792ef96bd24745ce69ed988973408793c

SHA256
d07f827b04791ef39219c830d315df5f96e25df86c69ce68fcf6d84a84476437

SHA512
78cb6d77619c90866a2708496f45c4b51be93b6039e19cdec73553bde37c2dfc204e1ae518e2b37e8f81979fe65be8ad836afb443cb5da49c9e0418bfc24a03c

Download Submit
memory/2204-22-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-3-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2204-4-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2204-5-0x0000000005380000-0x0000000005440000-memory.dmp

Filesize
768KB

Download
memory/2204-2-0x0000000005080000-0x00000000050C0000-memory.dmp

Filesize
256KB

Download
memory/2204-1-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-0-0x0000000000FA0000-0x0000000001094000-memory.dmp

Filesize
976KB

Download
memory/2532-21-0x000000006E340000-0x000000006E8EB000-memory.dmp

Filesize
5.7MB

Download
memory/2532-20-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/2532-18-0x000000006E340000-0x000000006E8EB000-memory.dmp

Filesize
5.7MB

Download
memory/2532-24-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/2532-25-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/2532-27-0x000000006E340000-0x000000006E8EB000-memory.dmp

Filesize
5.7MB

Download
memory/2684-19-0x000000006E340000-0x000000006E8EB000-memory.dmp

Filesize
5.7MB

Download
memory/2684-23-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2684-26-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2684-28-0x000000006E340000-0x000000006E8EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads