Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 08:34
Static task: static1
Behavioral task: behavioral1
Sample: 06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe
Resource: win7-20240508-en
General
Target: 06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe
Size: 745KB
MD5: 48ba8c1d6e9081bfb88c1988ce9e1b94
SHA1: 4258ca2ef7d11d6dc1f56127118685e838f84085
SHA256: 06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24
SHA512: dcbdc1e789feb41c8dffbb06e79e16bb9469681c7785a580988987080635f1a68b68c6c8262bc3b7786fc3c4bb0ea5fe1fd4056d62b09f2b45e94281d836eba8
SSDEEP: 12288:MOriJsEuLO0bCk1mtIXrQ3qCT6YTZpCMMsyqUzrCkjb7dGA+2VCMWMXEAmD:6PuLOu7MyXu96Cv3yqUzrrn7dGlCCrq
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.
  pid   process
  2620  powershell.exe
  2792  powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  2628  schtasks.exe

Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid   process                                                                 events
  2072  06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe   19
  2620  powershell.exe                                                          1
  2792  powershell.exe                                                          1

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  token             pid   process
  SeDebugPrivilege  2072  06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe
  SeDebugPrivilege  2620  powershell.exe
  SeDebugPrivilege  2792  powershell.exe

Suspicious use of WriteProcessMemory (32 IoCs)
Source process for every row: PID 2072, 06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe (the sample). Four writes were recorded per target.
  description                       procid_target  writes
  PID 2072 wrote to memory of 2620  28             4
  PID 2072 wrote to memory of 2792  30             4
  PID 2072 wrote to memory of 2628  31             4
  PID 2072 wrote to memory of 1620  34             4
  PID 2072 wrote to memory of 2872  35             4
  PID 2072 wrote to memory of 2940  36             4
  PID 2072 wrote to memory of 2520  37             4
  PID 2072 wrote to memory of 1960  38             4
Processes
- C:\Users\Admin\AppData\Local\Temp\06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe"
  PID: 2072
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  children:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe"
    PID: 2620
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iqdSDNHzekt.exe"
    PID: 2792
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqdSDNHzekt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8324.tmp"
    PID: 2628
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe"
    PID: 1620
  - C:\Users\Admin\AppData\Local\Temp\06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe"
    PID: 2872
  - C:\Users\Admin\AppData\Local\Temp\06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe"
    PID: 2940
  - C:\Users\Admin\AppData\Local\Temp\06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe"
    PID: 2520
  - C:\Users\Admin\AppData\Local\Temp\06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe"
    PID: 1960
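The three behaviours the sandbox flagged above (Defender exclusions added through PowerShell, a scheduled task registered from an XML file in the user's Temp directory, and repeated WriteProcessMemory calls into freshly spawned copies of the sample) translate directly into host-side detection logic. What follows is an added example written for this page; it is not sandbox output and not code from the sample. It runs over constructed process-creation events and WriteProcessMemory edges that mirror the PIDs and command lines in the report, plus two constructed benign controls; the rule names and the ProcEvent/Finding types are assumptions introduced here. One detail worth keying on: the image paths under SysWOW64 with System32 in the command line are the result of WoW64 file-system redirection (the 32-bit sample asked for the System32 binary), so a rule that matches only on the on-disk image path will miss the command line, and vice versa.

```python
"""Detection logic for the behaviours in this report (added example, not
sandbox output).  Runs over CONSTRUCTED process-creation events and
WriteProcessMemory edges modelled on the report's process tree."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # on-disk image path as the OS resolved it (after WoW64 redirection)
    cmdline: str   # command line as the parent requested it


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# --- constructed sample data; PIDs and paths mirror the report, the rest is assumed ---
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe"
DROP_EXE = r"C:\Users\Admin\AppData\Roaming\iqdSDNHzekt.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS_CMD = r"C:\Windows\System32\schtasks.exe"
TASK_NAME = r"Updates\iqdSDNHzekt"
TASK_XML = r"C:\Users\Admin\AppData\Local\Temp\tmp8324.tmp"

SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(2072, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2620, 2072, PS_IMAGE, f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{SAMPLE_EXE}"'),
    ProcEvent(2792, 2072, PS_IMAGE, f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{DROP_EXE}"'),
    ProcEvent(2628, 2072, r"C:\Windows\SysWOW64\schtasks.exe",
              f'"{SCHTASKS_CMD}" /Create /TN "{TASK_NAME}" /XML "{TASK_XML}"'),
    ProcEvent(1620, 2072, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2872, 2072, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    # Benign controls (constructed): a task from a non-temp XML, a self-spawn with no memory write.
    ProcEvent(3000, 1000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /TN "Backup" /XML "C:\ProgramData\backup\task.xml"'),
    ProcEvent(3200, 2072, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
]
# (source pid, target pid); the report shows four calls per target, collapsed to one edge here.
SAMPLE_WRITES: Set[Tuple[int, int]] = {(2072, 2620), (2072, 2792), (2072, 2628), (2072, 1620), (2072, 2872)}

# Add-/Set-MpPreference with any of the three exclusion parameters.  Abbreviated or
# obfuscated parameter names are out of scope for this example.
EXCLUSION_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?P<kind>Path|Process|Extension)\s+"
    r"(?P<value>\"[^\"]*\"|'[^']*'|\S+)", re.IGNORECASE | re.DOTALL)
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\b", re.IGNORECASE)
CREATE_RE = re.compile(r"(?<!\S)/create\b", re.IGNORECASE)          # switches may come in any order
XML_RE = re.compile(r"(?<!\S)/xml\s+(?P<xml>\"[^\"]*\"|\S+)", re.IGNORECASE)
TASK_NAME_RE = re.compile(r"(?<!\S)/tn\s+(?P<name>\"[^\"]*\"|\S+)", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)


def _unquote(s: str) -> str:
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'" else s


def detect(events: List[ProcEvent], writes: Set[Tuple[int, int]]) -> List[Finding]:
    """Apply the three rules to a batch of events; memory writes are keyed by (source, target) pid."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        m = EXCLUSION_RE.search(e.cmdline)
        if m:
            findings.append(Finding("defender_exclusion_added", e.pid,
                                    f"Exclusion{m.group('kind')}={_unquote(m.group('value'))}"))
        if SCHTASKS_RE.search(e.cmdline) and CREATE_RE.search(e.cmdline):
            x = XML_RE.search(e.cmdline)
            if x and TEMP_DIR_RE.search(_unquote(x.group("xml"))):
                n = TASK_NAME_RE.search(e.cmdline)
                name = _unquote(n.group("name")) if n else "?"
                findings.append(Finding("schtasks_xml_from_temp", e.pid,
                                        f"task={name} xml={_unquote(x.group('xml'))}"))
        # A parent that spawns its own image and then writes into that child is the
        # pattern the report shows five times; a plain self-spawn alone is not flagged.
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower() == e.image.lower() and (e.ppid, e.pid) in writes:
            findings.append(Finding("self_spawn_with_memory_write", e.pid,
                                    f"parent={e.ppid} image={e.image}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, SAMPLE_WRITES):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

On the constructed data this yields two exclusion findings (PIDs 2620 and 2792), one scheduled-task finding (PID 2628, task Updates\iqdSDNHzekt from tmp8324.tmp) and two self-spawn-with-write findings (PIDs 1620 and 2872), while the benign schtasks invocation from C:\ProgramData and the self-spawn without a memory write produce nothing. In a real deployment the events would come from process-creation telemetry (Sysmon event 1 or equivalent) and the write edges from an EDR's cross-process access events.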
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 670dfd56e2113b7fcd8ac5c6b84e815d
  SHA1: d9c42fe1ea8aeb4f2be38644f30e977b860d3567
  SHA256: 1598a161f4dd998521f5f2bb9824fd1e5a46101be57f8c3cfa19f5589c55a2ad
  SHA512: f1978d5845802dddfc12e215273e4615f573b9a857bf822f1b472e8d9afbbc16d16a661f5ac3bb6135438c075b011ce0029e52f14ba94ff230bfa4c91b078157
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RHQONB72H7I4PAZL7D23.temp
  Filesize: 7KB
  MD5: 96196fab150f115c3a05a00bbc30a17e
  SHA1: fe2b6a657daaabb4259d6b084ffe8a8507a54132
  SHA256: d4b3783ea09e1b4cd9bcda0f6a2e05fb2c36384902d6df6723e2edd8b8919c48
  SHA512: a29325742ea708ebe5b1555b0ed6b0fa588c75d2b659f449669e20027cca9d8c53ef39acf2eb4d84cc03dceaee173ae7c41c94bcc3120cdd0269bd8efa3be3b3