7f9ba167029ed23e38b8ae095db4653f12f90fe4dc8adc85abbbbe9481de9e3a

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Grp Mn Installer.exe
Size

99.1MB
MD5

d70c6f8c5ae10a28222952a3f41bbacb
SHA1

6f1805f2bafbb8c261476118d11112624de39e65
SHA256

97324d678d270983b1a8941deed3a60e472d04e4feb641f1ca7e6cf8c5f1246b
SHA512

9fbcea4957532917ce0270a31858f9b2c9b0b9a90fb499076472d92bdffc58d153a02005d3923fe22a82898cdfced77cced10ea8894b56fbb2c7590c07ce433f
SSDEEP

786432:7k4k4k4k4k4k4k4k4k4k4k4k4k4k4k4k4k:7hhhhhhhhhhhhhhhh

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2992	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2992	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2992	3020	Grp Mn Installer.exe	28
PID 3020 wrote to memory of 2992	3020	Grp Mn Installer.exe	28
PID 3020 wrote to memory of 2992	3020	Grp Mn Installer.exe	28

C:\Users\Admin\AppData\Local\Temp\Grp Mn Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Grp Mn Installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2992-5-0x000007FEF559E000-0x000007FEF559F000-memory.dmp

Filesize
4KB

Download
memory/2992-6-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2992-7-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2992-8-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-9-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-11-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-10-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-13-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-12-0x0000000002CB4000-0x0000000002CB7000-memory.dmp

Filesize
12KB

Download
memory/3020-0-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3020-14-0x0000000001190000-0x000000000177A000-memory.dmp

Filesize
5.9MB

Download