631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f

General

Target

631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe
Size

735KB
MD5

67e8394308a06ffee627c77b7d3d16ea
SHA1

e0d9daad8296d2f757cc442d1d1f1302d7aec13b
SHA256

631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f
SHA512

2081ce36d917c75157c9c2be12dfee62ea7ffee18c809eee51c7415e5ef9b1868398f2d95412b71a7d2e5d1d24570513d6a5f242f67a30744ef9ca6a401bf48a
SSDEEP

12288:IWEY5/l9s22BEEzFatnMwpOl555EQK+AlkKr0HBZR6ZUlo8if:gA/l9s3BEWwpOz55/K+Alk0IeUloP

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2792 powershell.exe

pid	process
2792	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe

description	pid	process	target process
PID 864 set thread context of 3972	864	631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe	631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2704 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exepowershell.exe

pid process

864 631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe
2792 powershell.exe
2792 powershell.exe

pid	process
2704	schtasks.exe

pid	process
864	631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe
2792	powershell.exe
2792	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	864	631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe
Token: SeDebugPrivilege	2792	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe

description	pid	process	target process
PID 864 wrote to memory of 2792	864	631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe	powershell.exe
PID 864 wrote to memory of 2792	864	631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe	powershell.exe
PID 864 wrote to memory of 2704	864	631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe	schtasks.exe
PID 864 wrote to memory of 2704	864	631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe	schtasks.exe
PID 864 wrote to memory of 3972	864	631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe	631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe
PID 864 wrote to memory of 3972	864	631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe	631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe
PID 864 wrote to memory of 3972	864	631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe	631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe
"C:\Users\Admin\AppData\Local\Temp\631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mZpTaf.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZpTaf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64B5.tmp"
2⤵
- Creates scheduled task(s)
PID:2704

C:\Users\Admin\AppData\Local\Temp\631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe
C:\Users\Admin\AppData\Local\Temp\631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f.exe
2⤵
PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mgohn25v.wkm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64B5.tmp
Filesize
1KB

MD5
ae1cbe34aa910a71896a9bfd69cd1a44

SHA1
0585695a32301bf1b6d886aeb1416f21c3f59b38

SHA256
b6e30416051eaa6651fa54728c21de919344984bc36b9c9b41f9ab94e7af2522

SHA512
bb83a36b5abe5e6b112b4307aaeb568d3b7ae75f0154120263a80e4a7f1b4ff37021a190039a8e38b6af9775d86d3bbeb0ed781a1b206b9fbe51b4125b7835b9

Download Submit
memory/864-3-0x0000000002BE0000-0x0000000002BFC000-memory.dmp

Filesize
112KB

Download
memory/864-0-0x00007FFE39C23000-0x00007FFE39C25000-memory.dmp

Filesize
8KB

Download
memory/864-4-0x0000000002C00000-0x0000000002C14000-memory.dmp

Filesize
80KB

Download
memory/864-5-0x000000001CE60000-0x000000001CEE0000-memory.dmp

Filesize
512KB

Download
memory/864-2-0x00007FFE39C20000-0x00007FFE3A6E1000-memory.dmp

Filesize
10.8MB

Download
memory/864-1-0x00000000000C0000-0x000000000017C000-memory.dmp

Filesize
752KB

Download
memory/864-24-0x00007FFE39C20000-0x00007FFE3A6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2792-10-0x00007FFE39C20000-0x00007FFE3A6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2792-11-0x00007FFE39C20000-0x00007FFE3A6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2792-13-0x00000257CC730000-0x00000257CC752000-memory.dmp

Filesize
136KB

Download
memory/2792-27-0x00007FFE39C20000-0x00007FFE3A6E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads