60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d

General

Target

60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
Size

666KB
MD5

8b67eaaa3b2743e270b215364a52f304
SHA1

71ce337b39795fae99bd7ffa0d86a9018646b1cc
SHA256

60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d
SHA512

8c18a08130420e9273f83636fa9d742fd63ca99fc7210e4ed95c0fc4a13c046b6290c3af5da31e2680324793a1bce0f291f080a5b8a164db3a27058aa3ffccfe
SSDEEP

12288:F1BYvTv5zLTIkO9X82Y3f6D+V3CTlTH8RpCQxaPrZ/43hr1OpH5D0:FovT1/IR9+PuQc+txKR4OpH5

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2604 powershell.exe
2792 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2724 schtasks.exe

pid	process
2604	powershell.exe
2792	powershell.exe

pid	process
2724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exepowershell.exepowershell.exe

pid	process
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
2604	powershell.exe
2792	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe

C:\Users\Admin\AppData\Local\Temp\60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
"C:\Users\Admin\AppData\Local\Temp\60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\klkxvVGODrsBf.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\klkxvVGODrsBf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp61A0.tmp"
2⤵
- Creates scheduled task(s)
PID:2724

C:\Users\Admin\AppData\Local\Temp\60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
"C:\Users\Admin\AppData\Local\Temp\60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe"
2⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
"C:\Users\Admin\AppData\Local\Temp\60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe"
2⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
"C:\Users\Admin\AppData\Local\Temp\60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe"
2⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
"C:\Users\Admin\AppData\Local\Temp\60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe"
2⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
"C:\Users\Admin\AppData\Local\Temp\60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe"
2⤵
PID:2892

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp61A0.tmp
Filesize
1KB

MD5
7431541b24a7282c7f592816fac1901b

SHA1
69cc0d70a7d84f2fe005419a47f229f2f59d54d8

SHA256
808394dd1cf149c9c229169149381cd7dbdb3ed8a6eab8e4e9417b3ac601a4e5

SHA512
357fd8ad98d9ab907f29e64cd7e9d2077a86f6d680acb9aeb36bb20a28bec7f97b1c6daef132d530697818b3bb2b2effd6db769b000a50a5d72fa1bb36fbdaa4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IV57W4MI1AUISDHV34P4.temp
Filesize
7KB

MD5
607c901b4634b88872995f53ecaa52f4

SHA1
c86b22c5fcf925a61996e2c3f21f98aaeb75b23f

SHA256
2bccfdb0982eefec8960bc30a6fbd735214914c7d9f24ca6348f00b60d8a99b5

SHA512
40fac59ba72541d4ab51ad2ecbd66502c8fab62946b0ad6d379fcb95601f8cf66596fc4f4a602c1760af9bcdd2c2c8e7df15ecdcefb8468cd54f4794a8521315

Download Submit
memory/1740-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/1740-1-0x00000000003E0000-0x000000000048C000-memory.dmp

Filesize
688KB

Download
memory/1740-2-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/1740-3-0x0000000004F00000-0x0000000004FA0000-memory.dmp

Filesize
640KB

Download
memory/1740-4-0x00000000006C0000-0x00000000006DA000-memory.dmp

Filesize
104KB

Download
memory/1740-5-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/1740-6-0x0000000005330000-0x00000000053B2000-memory.dmp

Filesize
520KB

Download
memory/1740-19-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 1740 wrote to memory of 2604	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	powershell.exe
PID 1740 wrote to memory of 2604	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	powershell.exe
PID 1740 wrote to memory of 2604	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	powershell.exe
PID 1740 wrote to memory of 2604	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	powershell.exe
PID 1740 wrote to memory of 2792	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	powershell.exe
PID 1740 wrote to memory of 2792	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	powershell.exe
PID 1740 wrote to memory of 2792	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	powershell.exe
PID 1740 wrote to memory of 2792	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	powershell.exe
PID 1740 wrote to memory of 2724	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	schtasks.exe
PID 1740 wrote to memory of 2724	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	schtasks.exe
PID 1740 wrote to memory of 2724	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	schtasks.exe
PID 1740 wrote to memory of 2724	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	schtasks.exe
PID 1740 wrote to memory of 2528	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2528	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2528	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2528	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2016	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2016	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2016	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2016	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2896	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2896	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2896	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2896	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2960	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2960	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2960	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2960	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2892	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2892	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2892	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe
PID 1740 wrote to memory of 2892	1740	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe	60ea13ca5f6f7c00c959c098387a8d6a9425f2498ec02ad4d66a856f01acc34d.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads