8ba0d4d313a7c67b7f9113bc7b26647b251fcea6a9efee3f05dcb88f249efd15

General

Target

rFACTURARECTIFICATIVA.scr.exe
Size

681KB
MD5

722933abdf7d14140b75416407ab022f
SHA1

62bf1ea28e5d5c1ca43f969b6850da2529c8eba6
SHA256

8ba0d4d313a7c67b7f9113bc7b26647b251fcea6a9efee3f05dcb88f249efd15
SHA512

cd4d80f308c19ccd628d044042b30a24a63e075f50242d4623ec1331708e14d71ebb4811fe2a236612bb67090bc383e05e0817e938120d8566eacfa8764759f5
SSDEEP

12288:XLz/RiAIB6LhDrqDpEkvD5drAA+nBV+j5sMeKW6U8h/tLVlDIF6pj1KbIO4kR:7zZfIaedr7AA4S5kj03JIFc1S

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2396 powershell.exe
2736 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2656 schtasks.exe

pid	process
2396	powershell.exe
2736	powershell.exe

pid	process
2656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

rFACTURARECTIFICATIVA.scr.exepowershell.exepowershell.exe

pid	process
2108	rFACTURARECTIFICATIVA.scr.exe
2108	rFACTURARECTIFICATIVA.scr.exe
2108	rFACTURARECTIFICATIVA.scr.exe
2108	rFACTURARECTIFICATIVA.scr.exe
2108	rFACTURARECTIFICATIVA.scr.exe
2108	rFACTURARECTIFICATIVA.scr.exe
2108	rFACTURARECTIFICATIVA.scr.exe
2108	rFACTURARECTIFICATIVA.scr.exe
2108	rFACTURARECTIFICATIVA.scr.exe
2108	rFACTURARECTIFICATIVA.scr.exe
2108	rFACTURARECTIFICATIVA.scr.exe
2108	rFACTURARECTIFICATIVA.scr.exe
2396	powershell.exe
2736	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

rFACTURARECTIFICATIVA.scr.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2108	rFACTURARECTIFICATIVA.scr.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

rFACTURARECTIFICATIVA.scr.exe

description	pid	process	target process
PID 2108 wrote to memory of 2396	2108	rFACTURARECTIFICATIVA.scr.exe	powershell.exe
PID 2108 wrote to memory of 2396	2108	rFACTURARECTIFICATIVA.scr.exe	powershell.exe
PID 2108 wrote to memory of 2396	2108	rFACTURARECTIFICATIVA.scr.exe	powershell.exe
PID 2108 wrote to memory of 2396	2108	rFACTURARECTIFICATIVA.scr.exe	powershell.exe
PID 2108 wrote to memory of 2736	2108	rFACTURARECTIFICATIVA.scr.exe	powershell.exe
PID 2108 wrote to memory of 2736	2108	rFACTURARECTIFICATIVA.scr.exe	powershell.exe
PID 2108 wrote to memory of 2736	2108	rFACTURARECTIFICATIVA.scr.exe	powershell.exe
PID 2108 wrote to memory of 2736	2108	rFACTURARECTIFICATIVA.scr.exe	powershell.exe
PID 2108 wrote to memory of 2656	2108	rFACTURARECTIFICATIVA.scr.exe	schtasks.exe
PID 2108 wrote to memory of 2656	2108	rFACTURARECTIFICATIVA.scr.exe	schtasks.exe
PID 2108 wrote to memory of 2656	2108	rFACTURARECTIFICATIVA.scr.exe	schtasks.exe
PID 2108 wrote to memory of 2656	2108	rFACTURARECTIFICATIVA.scr.exe	schtasks.exe
PID 2108 wrote to memory of 2852	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 2852	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 2852	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 2852	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 2780	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 2780	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 2780	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 2780	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 2756	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 2756	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 2756	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 2756	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 1976	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 1976	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 1976	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 1976	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 2672	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 2672	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 2672	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe
PID 2108 wrote to memory of 2672	2108	rFACTURARECTIFICATIVA.scr.exe	rFACTURARECTIFICATIVA.scr.exe

C:\Users\Admin\AppData\Local\Temp\rFACTURARECTIFICATIVA.scr.exe
"C:\Users\Admin\AppData\Local\Temp\rFACTURARECTIFICATIVA.scr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\rFACTURARECTIFICATIVA.scr.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wizxKKeZE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wizxKKeZE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4894.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2656
- C:\Users\Admin\AppData\Local\Temp\rFACTURARECTIFICATIVA.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\rFACTURARECTIFICATIVA.scr.exe"
  2⤵
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\rFACTURARECTIFICATIVA.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\rFACTURARECTIFICATIVA.scr.exe"
  2⤵
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\rFACTURARECTIFICATIVA.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\rFACTURARECTIFICATIVA.scr.exe"
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\rFACTURARECTIFICATIVA.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\rFACTURARECTIFICATIVA.scr.exe"
  2⤵
  PID:1976
- C:\Users\Admin\AppData\Local\Temp\rFACTURARECTIFICATIVA.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\rFACTURARECTIFICATIVA.scr.exe"
  2⤵
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4894.tmp

Filesize
1KB

MD5
191ecc63a085b511046669efc581b6df

SHA1
12b650c638dd0314b9a5f6df7c37bc207fa091cb

SHA256
81015a1b9f0c9def1cf62276c3a017ac8530659e8069edd9a8dff26ca52d60b3

SHA512
61d95c5fb93afaf63848cf2f52d63161b425ee5c6ae2c3b7acfdd6d76a728d4aba725edf4fa72ca505505a06fa0d77a545b7d822616dc457e7b2baee2217bc0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZZKNN9B8YX4NUTQ3PC01.temp

Filesize
7KB

MD5
2d85275c0606e48876ef210726bb2eb7

SHA1
747c8b78a93e7c0ea924fd8ea38ec6db49d5040b

SHA256
66b6ff1db22ee6e1fd546a8a9c78574f5df9c5231d61376f037f1f334deb8e3a

SHA512
65e4254c01906b64f91832d135efa141443768de67847a712b2e448683861c715a2777f774f5795cb43144d63c858aea408184e7f104d5e815b9885a3170408f

Download Submit
memory/2108-0-0x0000000073EBE000-0x0000000073EBF000-memory.dmp

Filesize
4KB

Download
memory/2108-1-0x00000000003B0000-0x000000000045C000-memory.dmp

Filesize
688KB

Download
memory/2108-2-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2108-3-0x0000000004A60000-0x0000000004B00000-memory.dmp

Filesize
640KB

Download
memory/2108-4-0x0000000000710000-0x000000000072A000-memory.dmp

Filesize
104KB

Download
memory/2108-5-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2108-6-0x0000000005380000-0x0000000005402000-memory.dmp

Filesize
520KB

Download
memory/2108-19-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads