Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-04-2024 01:18

General

  • Target

    2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe

  • Size

    708KB

  • MD5

    42424af49b06793b3ff6b9fb1c76b1cc

  • SHA1

    ae74152bb94f369271a19173131273d49989c289

  • SHA256

    2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8

  • SHA512

    5151d7c611615f0f40824ba9e84b7778f8eeb788781be30a493ac5e7a0cfdd392b7cb8629b7e27e74041eada71af4099dcfe250c8186d083b2f63eff4dea20bb

  • SSDEEP

    12288:iHwg8qJCKCjqHL/EOfA2+xYEuWH5vTuxCmBAklXoQfZp6SXrZfpfkesqSv:KDI2Tf1bEDZv/oXoQhp6sn

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
    "C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3016
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\icgpIWuiOAFTwp.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\icgpIWuiOAFTwp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3EB5.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2584
    • C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
      "C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe"
      2⤵
      PID:1712
    • C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
      "C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe"
      2⤵
      PID:2696
    • C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
      "C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe"
      2⤵
      PID:2568
    • C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
      "C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe"
      2⤵
      PID:2440
    • C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
      "C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe"
      2⤵
      PID:2508

Network

MITRE ATT&CK Enterprise v15


Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp3EB5.tmp

              Filesize

              1KB

              MD5

              c3c28d67c1ba6fc16cf3dcfa0118bcb5

              SHA1

              e6e08f2e97d5b9c3d663012e6deb3106facd2f78

              SHA256

              edbc116f70c3e64de2be5fcde7693cd92d2ffbcd1a16749bba5052ca595b12d0

              SHA512

              f9ee56f5bd3f67631c39c0db53326e05ba85b52dba4eeb47ea7f682cfd1cf8a955b4b36395f2c424495c0b3b92d1a519c6e33d7a165973fd2ef00c888c2b2833

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

              Filesize

              7KB

              MD5

              200755b4ae1b3ebe2d973082440c619b

              SHA1

              54e85ab2e546ebfd797fc94aecc6bb46d7cb5380

              SHA256

              6c3693f6a525e5216e9e4a301fef8128843ed034c2e4e563620896293a9c0219

              SHA512

              7e2d28a98df85ff79d0040fa03ae9f1b3f38e21a75416a87d0cf4fad426370b5f8fed1a2cd2d3a8e08fc13d1d7efd8587f393dad5207906504ad8dc09f972a87

            • memory/1776-19-0x00000000747B0000-0x0000000074E9E000-memory.dmp

              Filesize

              6.9MB

            • memory/1776-1-0x00000000747B0000-0x0000000074E9E000-memory.dmp

              Filesize

              6.9MB

            • memory/1776-2-0x0000000004E80000-0x0000000004EC0000-memory.dmp

              Filesize

              256KB

            • memory/1776-3-0x0000000000450000-0x0000000000462000-memory.dmp

              Filesize

              72KB

            • memory/1776-4-0x00000000007A0000-0x00000000007AE000-memory.dmp

              Filesize

              56KB

            • memory/1776-5-0x0000000005130000-0x00000000051CC000-memory.dmp

              Filesize

              624KB

            • memory/1776-0-0x0000000000390000-0x0000000000448000-memory.dmp

              Filesize

              736KB

            • memory/2596-18-0x000000006F300000-0x000000006F8AB000-memory.dmp

              Filesize

              5.7MB

            • memory/2596-22-0x0000000002740000-0x0000000002780000-memory.dmp

              Filesize

              256KB

            • memory/2596-24-0x000000006F300000-0x000000006F8AB000-memory.dmp

              Filesize

              5.7MB

            • memory/2596-26-0x0000000002740000-0x0000000002780000-memory.dmp

              Filesize

              256KB

            • memory/2596-28-0x000000006F300000-0x000000006F8AB000-memory.dmp

              Filesize

              5.7MB

            • memory/3016-20-0x000000006F300000-0x000000006F8AB000-memory.dmp

              Filesize

              5.7MB

            • memory/3016-21-0x0000000002940000-0x0000000002980000-memory.dmp

              Filesize

              256KB

            • memory/3016-23-0x000000006F300000-0x000000006F8AB000-memory.dmp

              Filesize

              5.7MB

            • memory/3016-25-0x0000000002940000-0x0000000002980000-memory.dmp

              Filesize

              256KB

            • memory/3016-27-0x000000006F300000-0x000000006F8AB000-memory.dmp

              Filesize

              5.7MB