Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2024 01:18
Static task: static1
Behavioral task: behavioral1
  Sample: 2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
  Resource: win10v2004-20240226-en
General
Target: 2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
Size: 708KB
MD5: 42424af49b06793b3ff6b9fb1c76b1cc
SHA1: ae74152bb94f369271a19173131273d49989c289
SHA256: 2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8
SHA512: 5151d7c611615f0f40824ba9e84b7778f8eeb788781be30a493ac5e7a0cfdd392b7cb8629b7e27e74041eada71af4099dcfe250c8186d083b2f63eff4dea20bb
SSDEEP: 12288:iHwg8qJCKCjqHL/EOfA2+xYEuWH5vTuxCmBAklXoQfZp6SXrZfpfkesqSv:KDI2Tf1bEDZv/oXoQhp6sn
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: 2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe, powershell.exe, powershell.exe
  pid   Process
  1776  2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe (10 hits)
  3016  powershell.exe
  2596  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: 2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe, powershell.exe, powershell.exe
  description              pid   Process
  Token: SeDebugPrivilege  1776  2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
  Token: SeDebugPrivilege  3016  powershell.exe
  Token: SeDebugPrivilege  2596  powershell.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes: 2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
  Each row below was recorded 4 times; pid is always 1776 and Process is always 2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe.
  description                       procid_target
  PID 1776 wrote to memory of 3016  28
  PID 1776 wrote to memory of 2596  30
  PID 1776 wrote to memory of 2584  32
  PID 1776 wrote to memory of 1712  34
  PID 1776 wrote to memory of 2696  35
  PID 1776 wrote to memory of 2568  36
  PID 1776 wrote to memory of 2440  37
  PID 1776 wrote to memory of 2508  38
Processes
- C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1776
  Child processes (depth 2):
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3016
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\icgpIWuiOAFTwp.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2596
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\icgpIWuiOAFTwp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3EB5.tmp"
    - Creates scheduled task(s)
    PID: 2584
  - C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe"
    PID: 1712
  - C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe"
    PID: 2696
  - C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe"
    PID: 2568
  - C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe"
    PID: 2440
  - C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2d12b219413e2afcffdaf0c87b24a862f3895f1df8e4a1501a6c1ca1891ee8b8.exe"
    PID: 2508
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: c3c28d67c1ba6fc16cf3dcfa0118bcb5
  SHA1: e6e08f2e97d5b9c3d663012e6deb3106facd2f78
  SHA256: edbc116f70c3e64de2be5fcde7693cd92d2ffbcd1a16749bba5052ca595b12d0
  SHA512: f9ee56f5bd3f67631c39c0db53326e05ba85b52dba4eeb47ea7f682cfd1cf8a955b4b36395f2c424495c0b3b92d1a519c6e33d7a165973fd2ef00c888c2b2833
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 200755b4ae1b3ebe2d973082440c619b
  SHA1: 54e85ab2e546ebfd797fc94aecc6bb46d7cb5380
  SHA256: 6c3693f6a525e5216e9e4a301fef8128843ed034c2e4e563620896293a9c0219
  SHA512: 7e2d28a98df85ff79d0040fa03ae9f1b3f38e21a75416a87d0cf4fad426370b5f8fed1a2cd2d3a8e08fc13d1d7efd8587f393dad5207906504ad8dc09f972a87