Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-04-2024 01:31

General

  • Target

    c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe

  • Size

    670KB

  • MD5

    11b19b59f657910f0af49721a77bc2dd

  • SHA1

    3078779d892bd96e5dfddb76d491f52eefd39a2d

  • SHA256

    c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85

  • SHA512

    de92458acc1341bd5db1ca3f5542339c5e06dac938903efc9c9eeca234058a92fb1e99bdb94c547a7126dfe033c300beb5a8ef3ca63dcb61bb6dbd397b7602e2

  • SSDEEP

    12288:EWYIPXjxannnHg2g2Qsj2kGPBjQW/dAOAbnB4BziHmBOXB3NEqRFnj7Qu4YCgca:EWYIPFannnHg2F2kUBjB8B4BOHLXcqbh

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    schtasks.exe is often used by malware for persistence or to perform post-infection execution. In this run it registers the task "Updates\hXGmUcb" from an XML definition the sample dropped in the user's Temp folder (tmp4569.tmp, listed under Downloads below).

  • Suspicious behavior: EnumeratesProcesses (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
    "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1468
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hXGmUcb.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4569.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2608
    • C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
      "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"
      2⤵
      PID:2756
    • C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
      "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"
      2⤵
      PID:2712
    • C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
      "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"
      2⤵
      PID:2768
    • C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
      "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"
      2⤵
      PID:940
    • C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
      "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"
      2⤵
      PID:2704
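The tree above carries three behaviours worth alerting on that the sandbox score of 3/10 understates: two PowerShell children add Windows Defender exclusions (one for the sample itself, one for C:\Users\Admin\AppData\Roaming\hXGmUcb.exe, a copy that does not yet exist when the exclusion is requested), schtasks.exe imports a task definition from a file in Temp, and PID 836 relaunches its own image five times while being flagged for WriteProcessMemory. The following triage rules, written by the editor as an added example and not part of the sandbox report or the sample, run those three checks over process-creation records of the kind Sysmon Event ID 1 or EDR telemetry would give you. The records are constructed from the command lines in the tree; the parent PID of 836 and the self-spawn threshold are assumptions.

```python
"""Triage rules over process-creation records, written to match the process
tree in the report above. Added example code (not part of the sandbox report
or the sample); the records are constructed from the report's command lines."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as recorded (SysWOW64 for the 32-bit hosts here)
    cmdline: str    # command line as recorded


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
ROAMING_COPY = r"C:\Users\Admin\AppData\Roaming\hXGmUcb.exe"
TASK_XML = r"C:\Users\Admin\AppData\Local\Temp\tmp4569.tmp"

# Constructed from the report's process tree. The parent PID of 836 (1234) is
# an assumption; the sandbox does not list it.
EVENTS = [
    ProcEvent(836, 1234, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1468, 836, PS, '"' + PS + '" Add-MpPreference -ExclusionPath "' + SAMPLE + '"'),
    ProcEvent(2600, 836, PS, '"' + PS + '" Add-MpPreference -ExclusionPath "' + ROAMING_COPY + '"'),
    ProcEvent(2608, 836, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "' + TASK_XML + '"'),
] + [ProcEvent(pid, 836, SAMPLE, '"' + SAMPLE + '"') for pid in (2756, 2712, 2768, 940, 2704)]

# Directories an unprivileged user can write to; a Defender exclusion or a task
# definition living here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
# Quoted or bare argument value following the named switch.
EXCLUSION_ARG = re.compile(r'-Exclusion(?:Path|Process)\s+(?:"([^"]+)"|(\S+))', re.I)
XML_ARG = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)


def _arg(match):
    return match.group(1) or match.group(2)


def defender_exclusion_in_user_path(ev: ProcEvent) -> bool:
    """Add-MpPreference -ExclusionPath/-ExclusionProcess aimed at a user-writable location."""
    if "add-mppreference" not in ev.cmdline.lower():
        return False
    m = EXCLUSION_ARG.search(ev.cmdline)
    return bool(m and USER_WRITABLE.search(_arg(m)))


def schtasks_xml_from_user_path(ev: ProcEvent) -> bool:
    """schtasks /Create importing its task definition from a user-writable folder."""
    if not ev.image.lower().endswith(r"\schtasks.exe"):
        return False
    if "/create" not in ev.cmdline.lower():
        return False
    m = XML_ARG.search(ev.cmdline)
    return bool(m and USER_WRITABLE.search(_arg(m)))


def self_spawn_bursts(events, threshold: int = 3) -> dict:
    """PIDs that launched their own image at least `threshold` times.

    Repeated launches of the same binary by itself, next to WriteProcessMemory
    in the parent, is the shape left by injecting a payload into fresh copies
    of the host process. The threshold is a tunable assumption."""
    by_pid = {e.pid: e for e in events}
    counts = defaultdict(int)
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower() == e.image.lower():
            counts[e.ppid] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


def triage(events) -> list:
    """Return (rule, pid) pairs in event order, then per-parent burst findings."""
    findings = []
    for e in events:
        if defender_exclusion_in_user_path(e):
            findings.append(("defender_exclusion_user_path", e.pid))
        if schtasks_xml_from_user_path(e):
            findings.append(("schtasks_xml_user_path", e.pid))
    for pid in sorted(self_spawn_bursts(events)):
        findings.append(("self_spawn_burst", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule:30s} pid={pid}")
```

Run against the constructed records this reports PIDs 1468 and 2600 for the exclusion rule, 2608 for the task import, and 836 for the self-spawn burst. Two caveats when reading the Add-MpPreference lines: the Defender PowerShell module is not present on a stock Windows 7 image like the one used here, and changing exclusions requires an elevated session, so in this run the calls very likely had no effect. The attempt is still the signal, which is why the rule keys on the command line rather than on a resulting registry change. The task-name prefix "Updates\" and the tmp*.tmp XML in Temp are the pivot points for hunting the same dropper on other hosts.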

            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp4569.tmp

              Filesize

              1KB

              MD5

              99ee79ef1ec914dcdbf76c7b64dd1ba6

              SHA1

              c0c68a6030256df83f1e943336e63f5c832ec264

              SHA256

              c8fa8b7f11520d0e79a57f657863ea8ba6b23ec6249451c27a3513767663b8cd

              SHA512

              e9df4a99f08191d6eb55f71b4626e3e8d6b7833d01b9247cb13b693157934731034b03de555257952ae4595ecc8007cc095b433ef72ff5db144607cb5e81b008

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2OSMZA05435Z85187S9K.temp

              Filesize

              7KB

              MD5

              a52659ae706be263ea6cd69e1fe8a4b5

              SHA1

              9767469ab470ae99c8501b9ca858b1e56198a7b2

              SHA256

              93fa93359a7f6504a1d2c5c240c34a3fe340d8c0738da4678acea82bf51651ab

              SHA512

              c91c9134ba261a534a4838400bcbc2f9de9abd464222becf8d0487ec885f3be454fbe8156df83dfa5cf571d3a3033a2c61958af57335cf7bd74332d7d70ec989

            • memory/836-18-0x0000000074440000-0x0000000074B2E000-memory.dmp

              Filesize

              6.9MB

            • memory/836-1-0x0000000074440000-0x0000000074B2E000-memory.dmp

              Filesize

              6.9MB

            • memory/836-2-0x0000000004E20000-0x0000000004E60000-memory.dmp

              Filesize

              256KB

            • memory/836-3-0x00000000004E0000-0x0000000000500000-memory.dmp

              Filesize

              128KB

            • memory/836-4-0x0000000000600000-0x0000000000614000-memory.dmp

              Filesize

              80KB

            • memory/836-5-0x0000000004E60000-0x0000000004EDA000-memory.dmp

              Filesize

              488KB

            • memory/836-0-0x00000000003C0000-0x000000000046C000-memory.dmp

              Filesize

              688KB

            • memory/1468-19-0x000000006F2F0000-0x000000006F89B000-memory.dmp

              Filesize

              5.7MB

            • memory/1468-22-0x00000000028F0000-0x0000000002930000-memory.dmp

              Filesize

              256KB

            • memory/1468-24-0x000000006F2F0000-0x000000006F89B000-memory.dmp

              Filesize

              5.7MB

            • memory/1468-25-0x00000000028F0000-0x0000000002930000-memory.dmp

              Filesize

              256KB

            • memory/1468-27-0x000000006F2F0000-0x000000006F89B000-memory.dmp

              Filesize

              5.7MB

            • memory/2600-21-0x0000000002A70000-0x0000000002AB0000-memory.dmp

              Filesize

              256KB

            • memory/2600-20-0x000000006F2F0000-0x000000006F89B000-memory.dmp

              Filesize

              5.7MB

            • memory/2600-23-0x000000006F2F0000-0x000000006F89B000-memory.dmp

              Filesize

              5.7MB

            • memory/2600-26-0x0000000002A70000-0x0000000002AB0000-memory.dmp

              Filesize

              256KB

            • memory/2600-28-0x000000006F2F0000-0x000000006F89B000-memory.dmp

              Filesize

              5.7MB