108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
Size

929KB
MD5

c5a8d5c579b01dde6496d426425c9e64
SHA1

2f66b4af4ae637fecda1d2a01dfc407137447722
SHA256

108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4
SHA512

c327fa7f319186880d834ec5ee57009b205511db0486ccbb6da2fdb5eed416f7f82564381bdfadce19de27bb15fb2116ebe3ab98c27d425e9f876ecf79113dbb
SSDEEP

24576:4qi0xXW+9UgrA7TEZEDPpsuNFMAvKKyoZ8y7IC:Ri037rOoZ6BsuPM0KBoZ8yMC

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2524	powershell.exe
2612	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
2524	powershell.exe
2612	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2524	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	28
PID 2172 wrote to memory of 2524	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	28
PID 2172 wrote to memory of 2524	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	28
PID 2172 wrote to memory of 2524	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	28
PID 2172 wrote to memory of 2612	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	30
PID 2172 wrote to memory of 2612	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	30
PID 2172 wrote to memory of 2612	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	30
PID 2172 wrote to memory of 2612	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	30
PID 2172 wrote to memory of 2520	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	32
PID 2172 wrote to memory of 2520	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	32
PID 2172 wrote to memory of 2520	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	32
PID 2172 wrote to memory of 2520	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	32
PID 2172 wrote to memory of 2712	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	34
PID 2172 wrote to memory of 2712	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	34
PID 2172 wrote to memory of 2712	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	34
PID 2172 wrote to memory of 2712	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	34
PID 2172 wrote to memory of 2420	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	35
PID 2172 wrote to memory of 2420	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	35
PID 2172 wrote to memory of 2420	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	35
PID 2172 wrote to memory of 2420	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	35
PID 2172 wrote to memory of 2196	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	36
PID 2172 wrote to memory of 2196	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	36
PID 2172 wrote to memory of 2196	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	36
PID 2172 wrote to memory of 2196	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	36
PID 2172 wrote to memory of 2508	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	37
PID 2172 wrote to memory of 2508	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	37
PID 2172 wrote to memory of 2508	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	37
PID 2172 wrote to memory of 2508	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	37
PID 2172 wrote to memory of 2192	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	38
PID 2172 wrote to memory of 2192	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	38
PID 2172 wrote to memory of 2192	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	38
PID 2172 wrote to memory of 2192	2172	108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe	38

C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
"C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uEizHLXGQSPJ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEizHLXGQSPJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC330.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2520
- C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
  "C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe"
  2⤵
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
  "C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe"
  2⤵
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
  "C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe"
  2⤵
  PID:2196
- C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
  "C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe"
  2⤵
  PID:2508
- C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe
  "C:\Users\Admin\AppData\Local\Temp\108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4.exe"
  2⤵
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC330.tmp

Filesize
1KB

MD5
73d704778ffaa5a0d6bcc3f677f109ad

SHA1
1c85784ae2e4a0cba5fb9d98355cf7701f66c43f

SHA256
1e09e2aa38462b31847ec2c377584d02052bf965ef698958d3966ebe59c83447

SHA512
7589195088a33e2243b688924badcf8c91b6470678385ea54f6efcedc967266d62c62ffe6f066329a5aa7832362578b3f39dbe7352a6176d5f28502cf101ba52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FN72NG65M87HYV4E7R8S.temp

Filesize
7KB

MD5
2b39e7cdff7ea75a8de57680cdda2bfe

SHA1
a3768bcd523336f9ae8601eb7b5031c6e5dabac2

SHA256
74cb0afb196087f46f831683b3352129e521b6a373dfd96cd273233f693880e8

SHA512
fbad77cf08d5e2cca5cd84b86bf1485a6314705502dd129cd5d5e2330cab4cc5dec6c0f68ff8f71320662955f19810756e120e042a3aa4f26ad719685276daed

Download Submit
memory/2172-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/2172-1-0x00000000003B0000-0x000000000049A000-memory.dmp

Filesize
936KB

Download
memory/2172-2-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-3-0x00000000005F0000-0x000000000060A000-memory.dmp

Filesize
104KB

Download
memory/2172-4-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2172-5-0x0000000005470000-0x0000000005530000-memory.dmp

Filesize
768KB

Download
memory/2172-18-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download