Analysis
-
max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted
26-04-2024 01:31
Static task
static1
Behavioral task
behavioral1
Sample
c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
Resource
win7-20231129-en
General
-
Target
c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
-
Size
670KB
-
MD5
11b19b59f657910f0af49721a77bc2dd
-
SHA1
3078779d892bd96e5dfddb76d491f52eefd39a2d
-
SHA256
c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85
-
SHA512
de92458acc1341bd5db1ca3f5542339c5e06dac938903efc9c9eeca234058a92fb1e99bdb94c547a7126dfe033c300beb5a8ef3ca63dcb61bb6dbd397b7602e2
-
SSDEEP
12288:EWYIPXjxannnHg2g2Qsj2kGPBjQW/dAOAbnB4BziHmBOXB3NEqRFnj7Qu4YCgca:EWYIPFannnHg2F2kUBjB8B4BOHLXcqbh
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
pid   process
836   c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe   (13 occurrences)
2600  powershell.exe
1468  powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   836   c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
Token: SeDebugPrivilege   2600  powershell.exe
Token: SeDebugPrivilege   1468  powershell.exe
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
description                       pid   process                                                                 target process
PID 836 wrote to memory of 1468   836   c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe   powershell.exe   (4 writes)
PID 836 wrote to memory of 2600   836   c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe   powershell.exe   (4 writes)
PID 836 wrote to memory of 2608   836   c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe   schtasks.exe     (4 writes)
PID 836 wrote to memory of 2756   836   c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe   c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe   (4 writes)
PID 836 wrote to memory of 2712   836   c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe   c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe   (4 writes)
PID 836 wrote to memory of 2768   836   c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe   c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe   (4 writes)
PID 836 wrote to memory of 940    836   c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe   c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe   (4 writes)
PID 836 wrote to memory of 2704   836   c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe   c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe   (4 writes)
Note: a parent writing into a child it has just created (the PowerShell and schtasks children here) is normal process start-up. The signal in this list is the five freshly spawned copies of the sample's own image that the parent then writes into, which is the pattern of a loader injecting a payload into a suspended copy of itself; the report does not show what was written.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 836
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1468
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hXGmUcb.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2600
  -
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4569.tmp"
    - Creates scheduled task(s)
    PID: 2608
  -
  C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"
    PID: 2756
  -
  C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"
    PID: 2712
  -
  C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"
    PID: 2768
  -
  C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"
    PID: 940
  -
  C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"
    PID: 2704
Note: the child image paths resolve under C:\Windows\SysWOW64 while the command lines name C:\Windows\System32. That is WOW64 file-system redirection: the sample is a 32-bit process on this x64 guest, so the 32-bit powershell.exe and schtasks.exe were launched. The two Add-MpPreference calls exclude the running sample and a not-yet-observed path under AppData\Roaming (hXGmUcb.exe) from Defender scanning, and the scheduled task Updates\hXGmUcb is created from a temporary XML file whose contents are not captured in this report.
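The three behaviours the process tree and the WriteProcessMemory list surface (Defender exclusions added via Add-MpPreference, a scheduled task created from an XML file in the user temp directory, and repeated writes into fresh copies of the sample's own image) are easy to miss in a long IoC list. The following is an added example, not code from the report or the sample's authors: it replays the report's process tree and write events as constructed Sysmon-style records and runs three checks over them. The event shape (pid, ppid, image, cmdline) and the write-event tuples are assumptions modelled on Sysmon ProcessCreate and ProcessAccess data, not the sandbox's own format. Plain child start-up writes (parent into PowerShell or schtasks) are deliberately not flagged; only writes into a child that is a copy of the parent's own image are.

```python
"""Replay this report's process tree as events and flag the three behaviours.

Added example, not part of the sandbox report. Event field names and shapes
are assumptions loosely modelled on Sysmon Event ID 1 and Event ID 10.
"""
import json
import re
from collections import Counter

SAMPLE = "c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
PS_IMAGE = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
PS_CMD = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'


def _proc(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed process-creation events reproducing the report's process tree.
PROCESS_CREATE = [
    _proc(836, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    _proc(1468, 836, PS_IMAGE, f'{PS_CMD} Add-MpPreference -ExclusionPath "{SAMPLE_PATH}"'),
    _proc(2600, 836, PS_IMAGE,
          PS_CMD + ' Add-MpPreference -ExclusionPath "C:\\Users\\Admin\\AppData\\Roaming\\hXGmUcb.exe"'),
    _proc(2608, 836, "C:\\Windows\\SysWOW64\\schtasks.exe",
          '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\hXGmUcb" /XML "'
          + TEMP + '\\tmp4569.tmp"'),
] + [_proc(p, 836, SAMPLE_PATH, f'"{SAMPLE_PATH}"') for p in (2756, 2712, 2768, 940, 2704)]

# Constructed cross-process write events (source pid, target pid): four writes
# into each child, as the report lists under "Suspicious use of WriteProcessMemory".
WRITE_PROCESS_MEMORY = [(836, t)
                        for t in (1468, 2600, 2608, 2756, 2712, 2768, 940, 2704)
                        for _ in range(4)]

EXCLUSION_RE = re.compile(r'Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+"?([^"\s]+)', re.I)
TASK_NAME_RE = re.compile(r'/TN\s+"([^"]+)"', re.I)
TASK_XML_RE = re.compile(r'/XML\s+"([^"]+)"', re.I)
USER_TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.I)


def defender_exclusions(events):
    """PowerShell children that add a Defender exclusion (defence evasion)."""
    hits = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        m = EXCLUSION_RE.search(e["cmdline"])
        if m:
            hits.append({"pid": e["pid"], "excluded": m.group(1)})
    return hits


def temp_xml_tasks(events):
    """schtasks /Create driven by an XML definition dropped in a user temp dir."""
    hits = []
    for e in events:
        cl = e["cmdline"]
        if not e["image"].lower().endswith("schtasks.exe") or "/create" not in cl.lower():
            continue
        xml, name = TASK_XML_RE.search(cl), TASK_NAME_RE.search(cl)
        if xml and USER_TEMP_RE.search(xml.group(1)):
            hits.append({"pid": e["pid"], "task": name.group(1) if name else None,
                         "xml": xml.group(1)})
    return hits


def self_injection(events, writes):
    """Writes from a process into its own child when that child runs the same image.

    Returns {target_pid: write_count}. Writes into children of a different image
    (ordinary CreateProcess start-up) are ignored on purpose.
    """
    by_pid = {e["pid"]: e for e in events}
    counts = Counter()
    for src, dst in writes:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and dst != src and d["ppid"] == src \
                and d["image"].lower() == s["image"].lower():
            counts[dst] += 1
    return dict(counts)


def analyze(events=PROCESS_CREATE, writes=WRITE_PROCESS_MEMORY):
    return {
        "defender_exclusions": defender_exclusions(events),
        "scheduled_tasks": temp_xml_tasks(events),
        "self_injection": self_injection(events, writes),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2))
```

Run against the constructed events, the detector reports both exclusion paths, the Updates\hXGmUcb task with its temp XML, and four writes into each of the five spawned copies of the sample, while the writes into PIDs 1468, 2600 and 2608 produce no finding. On a real host the same checks apply to Sysmon Event ID 1 and Event ID 10 records once the fields are mapped to the shape assumed here.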
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 99ee79ef1ec914dcdbf76c7b64dd1ba6
SHA1 c0c68a6030256df83f1e943336e63f5c832ec264
SHA256 c8fa8b7f11520d0e79a57f657863ea8ba6b23ec6249451c27a3513767663b8cd
SHA512 e9df4a99f08191d6eb55f71b4626e3e8d6b7833d01b9247cb13b693157934731034b03de555257952ae4595ecc8007cc095b433ef72ff5db144607cb5e81b008
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2OSMZA05435Z85187S9K.temp
Filesize 7KB
MD5 a52659ae706be263ea6cd69e1fe8a4b5
SHA1 9767469ab470ae99c8501b9ca858b1e56198a7b2
SHA256 93fa93359a7f6504a1d2c5c240c34a3fe340d8c0738da4678acea82bf51651ab
SHA512 c91c9134ba261a534a4838400bcbc2f9de9abd464222becf8d0487ec885f3be454fbe8156df83dfa5cf571d3a3033a2c61958af57335cf7bd74332d7d70ec989