9cedd63af7cf5f325ab345e8b107f06545be0c5902935507c786870c537a9383

General

Target

PRICE REQUEST-717-26072023.exe
Size

585KB
MD5

dd3fba3f07cccaca8c79bcc64a2990d6
SHA1

561ee5c2a12d3336cf9c997bc50fe75ef097cbc0
SHA256

859ce543eead04b946a2d77d7d2a9342cfdfad1698fef1d442cb51fe6429eef2
SHA512

288a24d0f99e19bce4b63248a38456df39b82bb113bfa9359a108c6f90554394237480c452f3f80c22aa9470f81a226cad4173faf8fb1e0b8c1d9740fbd51b67
SSDEEP

12288:IlYifTjl00g/LqWMw0tdjpBfXZ7z2cJlh9j01U9w7wAtxYRWoHn3+:HiN9gDH0JpNX1z2cJlCU9wwu

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2764 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2764	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

PRICE REQUEST-717-26072023.exepowershell.exe

pid	process
1432	PRICE REQUEST-717-26072023.exe
1432	PRICE REQUEST-717-26072023.exe
1432	PRICE REQUEST-717-26072023.exe
1432	PRICE REQUEST-717-26072023.exe
1432	PRICE REQUEST-717-26072023.exe
2764	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PRICE REQUEST-717-26072023.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1432 PRICE REQUEST-717-26072023.exe
Token: SeDebugPrivilege 2764 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1432	PRICE REQUEST-717-26072023.exe
Token: SeDebugPrivilege	2764	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

PRICE REQUEST-717-26072023.exe

C:\Users\Admin\AppData\Local\Temp\PRICE REQUEST-717-26072023.exe
"C:\Users\Admin\AppData\Local\Temp\PRICE REQUEST-717-26072023.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PRICE REQUEST-717-26072023.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\PRICE REQUEST-717-26072023.exe
  "C:\Users\Admin\AppData\Local\Temp\PRICE REQUEST-717-26072023.exe"
  2⤵
  PID:1264
- C:\Users\Admin\AppData\Local\Temp\PRICE REQUEST-717-26072023.exe
  "C:\Users\Admin\AppData\Local\Temp\PRICE REQUEST-717-26072023.exe"
  2⤵
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\PRICE REQUEST-717-26072023.exe
  "C:\Users\Admin\AppData\Local\Temp\PRICE REQUEST-717-26072023.exe"
  2⤵
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\PRICE REQUEST-717-26072023.exe
  "C:\Users\Admin\AppData\Local\Temp\PRICE REQUEST-717-26072023.exe"
  2⤵
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\PRICE REQUEST-717-26072023.exe
  "C:\Users\Admin\AppData\Local\Temp\PRICE REQUEST-717-26072023.exe"
  2⤵
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1432-0-0x0000000073FDE000-0x0000000073FDF000-memory.dmp

Filesize
4KB

Download
memory/1432-1-0x00000000000C0000-0x0000000000158000-memory.dmp

Filesize
608KB

Download
memory/1432-2-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/1432-3-0x0000000001E30000-0x0000000001E4A000-memory.dmp

Filesize
104KB

Download
memory/1432-4-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/1432-5-0x0000000004BA0000-0x0000000004C12000-memory.dmp

Filesize
456KB

Download
memory/1432-6-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 1432 wrote to memory of 2764	1432	PRICE REQUEST-717-26072023.exe	powershell.exe
PID 1432 wrote to memory of 2764	1432	PRICE REQUEST-717-26072023.exe	powershell.exe
PID 1432 wrote to memory of 2764	1432	PRICE REQUEST-717-26072023.exe	powershell.exe
PID 1432 wrote to memory of 2764	1432	PRICE REQUEST-717-26072023.exe	powershell.exe
PID 1432 wrote to memory of 1264	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 1264	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 1264	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 1264	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2328	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2328	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2328	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2328	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2572	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2572	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2572	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2572	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2604	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2604	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2604	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2604	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2568	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2568	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2568	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe
PID 1432 wrote to memory of 2568	1432	PRICE REQUEST-717-26072023.exe	PRICE REQUEST-717-26072023.exe

Analysis

Sharing