962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82

General

Target

962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe
Size

1.3MB
MD5

ecb401c9fa0ac05a083f1c4f8e5574f3
SHA1

e1dfd9f1ac420c9745cb3c5038b4e7700f833cd1
SHA256

962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82
SHA512

82df527aff1dc2c3b3436bc74d6aa2e80d5aced5bbfd2d28b9b57730e9b515b6aa110e624a478e85e0c62892ec8de16135956a9d49f30605e1a85a8e68e2feda
SSDEEP

24576:54m9NhrLNaTKHECOK1kgyexjEP62ijXXrasO7T0fJvXHj:5TbhroOH4K1hxxjEP62iLe1GJv

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2676 powershell.exe
2616 powershell.exe

pid	process
2676	powershell.exe
2616	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe

description	pid	process	target process
PID 2656 set thread context of 2540	2656	962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2584 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2676 powershell.exe
2616 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2676 powershell.exe
Token: SeDebugPrivilege 2616 powershell.exe

pid	process
2584	schtasks.exe

pid	process
2676	powershell.exe
2616	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe

description	pid	process	target process
PID 2656 wrote to memory of 2676	2656	962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe	powershell.exe
PID 2656 wrote to memory of 2676	2656	962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe	powershell.exe
PID 2656 wrote to memory of 2676	2656	962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe	powershell.exe
PID 2656 wrote to memory of 2616	2656	962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe	powershell.exe
PID 2656 wrote to memory of 2616	2656	962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe	powershell.exe
PID 2656 wrote to memory of 2616	2656	962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe	powershell.exe
PID 2656 wrote to memory of 2584	2656	962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe	schtasks.exe
PID 2656 wrote to memory of 2584	2656	962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe	schtasks.exe
PID 2656 wrote to memory of 2584	2656	962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe	schtasks.exe
PID 2656 wrote to memory of 2540	2656	962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe	RegSvcs.exe
PID 2656 wrote to memory of 2540	2656	962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe	RegSvcs.exe
PID 2656 wrote to memory of 2540	2656	962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe	RegSvcs.exe
PID 2656 wrote to memory of 2540	2656	962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe	RegSvcs.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe
"C:\Users\Admin\AppData\Local\Temp\962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\962439d7e488f53893e26592a324b2201371bbfb5b264a44e72d9ac6277f6f82.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qrUtSxv.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qrUtSxv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65B5.tmp"
2⤵
- Creates scheduled task(s)
PID:2584

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp65B5.tmp

Filesize
1KB

MD5
b4077149f636bc9c4a443d96ad7d72da

SHA1
35d50e111027594e946c8c592b8bc5c5153ef3c0

SHA256
04d8508864db89e2ba82521e96ef25d6a0e34030f7f693892234c2e5ddcd692a

SHA512
3a86bd67ee7a182d5df861153a15e767ed9d3d2357159ce4c22da0dd5a771cfa2d10d0068d08fb21a31885111313d1a30e67ccd8f77cb0fc9bff1fcf0df75368

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5bb17631cfce983a9efcef188d697804

SHA1
cfe4a4f16c273678e59cac72a970884961d3efe7

SHA256
d020cb215391e86be6b194d62569c5d797e10e36602360b5eed7cc47457c5a97

SHA512
c02d0fb9c2fa353e6925ddf119a5eac37999c0c58bd81aa5506fc2b5733a92cead23c04eceba9ffdca27bb37df0b79d5731fc7ebdf52abfcc8fce2aad257c7df

Download Submit
memory/2540-24-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

Filesize
4KB

Download
memory/2656-3-0x0000000000920000-0x000000000093A000-memory.dmp

Filesize
104KB

Download
memory/2656-4-0x0000000000940000-0x0000000000952000-memory.dmp

Filesize
72KB

Download
memory/2656-5-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/2656-6-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2656-7-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/2656-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/2656-2-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-1-0x0000000000C40000-0x0000000000D88000-memory.dmp

Filesize
1.3MB

Download
memory/2656-25-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2676-22-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2676-23-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads