108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4

General

Target

108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
Size

929KB
MD5

c5a8d5c579b01dde6496d426425c9e64
SHA1

2f66b4af4ae637fecda1d2a01dfc407137447722
SHA256

108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4
SHA512

c327fa7f319186880d834ec5ee57009b205511db0486ccbb6da2fdb5eed416f7f82564381bdfadce19de27bb15fb2116ebe3ab98c27d425e9f876ecf79113dbb
SSDEEP

24576:4qi0xXW+9UgrA7TEZEDPpsuNFMAvKKyoZ8y7IC:Ri037rOoZ6BsuPM0KBoZ8yMC

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2524 powershell.exe
2612 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2520 schtasks.exe

pid	process
2524	powershell.exe
2612	powershell.exe

pid	process
2520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exepowershell.exepowershell.exe

pid	process
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2524	powershell.exe
2612	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe

C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
"C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uEizHLXGQSPJ.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEizHLXGQSPJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC330.tmp"
2⤵
- Creates scheduled task(s)
PID:2520

C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
"C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe"
2⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
"C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe"
2⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
"C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe"
2⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
"C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe"
2⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
"C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe"
2⤵
PID:2192

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC330.tmp
Filesize
1KB

MD5
73d704778ffaa5a0d6bcc3f677f109ad

SHA1
1c85784ae2e4a0cba5fb9d98355cf7701f66c43f

SHA256
1e09e2aa38462b31847ec2c377584d02052bf965ef698958d3966ebe59c83447

SHA512
7589195088a33e2243b688924badcf8c91b6470678385ea54f6efcedc967266d62c62ffe6f066329a5aa7832362578b3f39dbe7352a6176d5f28502cf101ba52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FN72NG65M87HYV4E7R8S.temp
Filesize
7KB

MD5
2b39e7cdff7ea75a8de57680cdda2bfe

SHA1
a3768bcd523336f9ae8601eb7b5031c6e5dabac2

SHA256
74cb0afb196087f46f831683b3352129e521b6a373dfd96cd273233f693880e8

SHA512
fbad77cf08d5e2cca5cd84b86bf1485a6314705502dd129cd5d5e2330cab4cc5dec6c0f68ff8f71320662955f19810756e120e042a3aa4f26ad719685276daed

Download Submit
memory/2172-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/2172-1-0x00000000003B0000-0x000000000049A000-memory.dmp

Filesize
936KB

Download
memory/2172-2-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-3-0x00000000005F0000-0x000000000060A000-memory.dmp

Filesize
104KB

Download
memory/2172-4-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2172-5-0x0000000005470000-0x0000000005530000-memory.dmp

Filesize
768KB

Download
memory/2172-18-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 2172 wrote to memory of 2524	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	powershell.exe
PID 2172 wrote to memory of 2524	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	powershell.exe
PID 2172 wrote to memory of 2524	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	powershell.exe
PID 2172 wrote to memory of 2524	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	powershell.exe
PID 2172 wrote to memory of 2612	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	powershell.exe
PID 2172 wrote to memory of 2612	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	powershell.exe
PID 2172 wrote to memory of 2612	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	powershell.exe
PID 2172 wrote to memory of 2612	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	powershell.exe
PID 2172 wrote to memory of 2520	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	schtasks.exe
PID 2172 wrote to memory of 2520	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	schtasks.exe
PID 2172 wrote to memory of 2520	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	schtasks.exe
PID 2172 wrote to memory of 2520	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	schtasks.exe
PID 2172 wrote to memory of 2712	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2712	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2712	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2712	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2420	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2420	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2420	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2420	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2196	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2196	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2196	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2196	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2508	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2508	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2508	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2508	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2192	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2192	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2192	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
PID 2172 wrote to memory of 2192	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads