598e01cb5243265105853c0c275853142f95f34a1f21f339903d26a5878ef6f4

Resubmissions

29-05-2024 05:32

240529-f8gpxach46 8

Analysis

max time kernel
1800s
max time network
1564s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO-2024-SGL-014.exe
Size

729KB
MD5

d7bfd4fbd63b24a8848b0179ea7ad1e3
SHA1

d82909d8315d72f13e0800cf2c8b8d714a08d87e
SHA256

598e01cb5243265105853c0c275853142f95f34a1f21f339903d26a5878ef6f4
SHA512

dad5e88c8223f8544111bc362e6888a34777691d20b0946361b263837186a0236df63d4e3c4f9802f990e5e85481558426e658684dc8dd58af83f3cde47a3740
SSDEEP

12288:QnGihafKwYuHKtulnV9QVGRdGn6ZXfmZCdR28WPZ/krFExy/oK0jHbX+56ezb2uF:iuHQulVe6Gn6ZeDPSrWMQK0jHLRGjs45

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2572	powershell.exe
2144	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1936 set thread context of 2464	1936	PO-2024-SGL-014.exe	35
PID 2464 set thread context of 1380	2464	RegSvcs.exe	21
PID 2464 set thread context of 2784	2464	RegSvcs.exe	36
PID 2784 set thread context of 1380	2784	iexpress.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	PO-2024-SGL-014.exe
1936	PO-2024-SGL-014.exe
1936	PO-2024-SGL-014.exe
1936	PO-2024-SGL-014.exe
2572	powershell.exe
2144	powershell.exe
2464	RegSvcs.exe
2464	RegSvcs.exe
2464	RegSvcs.exe
2464	RegSvcs.exe
2464	RegSvcs.exe
2464	RegSvcs.exe
2464	RegSvcs.exe
2464	RegSvcs.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe
2784	iexpress.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2464	RegSvcs.exe
1380	Explorer.EXE
1380	Explorer.EXE
2784	iexpress.exe
2784	iexpress.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	PO-2024-SGL-014.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2144	1936	PO-2024-SGL-014.exe	28
PID 1936 wrote to memory of 2144	1936	PO-2024-SGL-014.exe	28
PID 1936 wrote to memory of 2144	1936	PO-2024-SGL-014.exe	28
PID 1936 wrote to memory of 2144	1936	PO-2024-SGL-014.exe	28
PID 1936 wrote to memory of 2572	1936	PO-2024-SGL-014.exe	30
PID 1936 wrote to memory of 2572	1936	PO-2024-SGL-014.exe	30
PID 1936 wrote to memory of 2572	1936	PO-2024-SGL-014.exe	30
PID 1936 wrote to memory of 2572	1936	PO-2024-SGL-014.exe	30
PID 1936 wrote to memory of 2744	1936	PO-2024-SGL-014.exe	32
PID 1936 wrote to memory of 2744	1936	PO-2024-SGL-014.exe	32
PID 1936 wrote to memory of 2744	1936	PO-2024-SGL-014.exe	32
PID 1936 wrote to memory of 2744	1936	PO-2024-SGL-014.exe	32
PID 1936 wrote to memory of 2516	1936	PO-2024-SGL-014.exe	34
PID 1936 wrote to memory of 2516	1936	PO-2024-SGL-014.exe	34
PID 1936 wrote to memory of 2516	1936	PO-2024-SGL-014.exe	34
PID 1936 wrote to memory of 2516	1936	PO-2024-SGL-014.exe	34
PID 1936 wrote to memory of 2516	1936	PO-2024-SGL-014.exe	34
PID 1936 wrote to memory of 2516	1936	PO-2024-SGL-014.exe	34
PID 1936 wrote to memory of 2516	1936	PO-2024-SGL-014.exe	34
PID 1936 wrote to memory of 2464	1936	PO-2024-SGL-014.exe	35
PID 1936 wrote to memory of 2464	1936	PO-2024-SGL-014.exe	35
PID 1936 wrote to memory of 2464	1936	PO-2024-SGL-014.exe	35
PID 1936 wrote to memory of 2464	1936	PO-2024-SGL-014.exe	35
PID 1936 wrote to memory of 2464	1936	PO-2024-SGL-014.exe	35
PID 1936 wrote to memory of 2464	1936	PO-2024-SGL-014.exe	35
PID 1936 wrote to memory of 2464	1936	PO-2024-SGL-014.exe	35
PID 1936 wrote to memory of 2464	1936	PO-2024-SGL-014.exe	35
PID 1936 wrote to memory of 2464	1936	PO-2024-SGL-014.exe	35
PID 1936 wrote to memory of 2464	1936	PO-2024-SGL-014.exe	35
PID 1380 wrote to memory of 2784	1380	Explorer.EXE	36
PID 1380 wrote to memory of 2784	1380	Explorer.EXE	36
PID 1380 wrote to memory of 2784	1380	Explorer.EXE	36
PID 1380 wrote to memory of 2784	1380	Explorer.EXE	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\PO-2024-SGL-014.exe
  "C:\Users\Admin\AppData\Local\Temp\PO-2024-SGL-014.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO-2024-SGL-014.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vWkeNiDbZOuBl.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vWkeNiDbZOuBl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp387E.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:2516
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2464
- C:\Windows\SysWOW64\iexpress.exe
  "C:\Windows\SysWOW64\iexpress.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp387E.tmp

Filesize
1KB

MD5
ded32cfaab7e353a0fe986dcfe12e6b0

SHA1
4a26a17c3a709aa939dc9e148015f31ad43893d6

SHA256
9443e5b81ed98f31d9756e27d984e94d27ca073a4a8e1ed9f8b785d2002608cc

SHA512
4d7014caa1295a5cea34dc9d8c58bf9398406a30b3eb5db6d5f31d7db96352bf151a264af0c1249a466e8e0c63d6637072da207b5eb44071c393ee7d4e132adf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R2N84KQKYONFLEUCNQGP.temp

Filesize
7KB

MD5
51c8bf02abe4010af7c0beda2857ee73

SHA1
884dd26c46072d23fd6e2263c61eb9b5b9eb5b14

SHA256
44933a9552eeeb0ea29f72cd5720bb05e02dd5d23ee2c9db66e83e1565db5a3a

SHA512
6a999fbd1004430cb746ae6bed1476898cf46e3d0e7949663c1700f09caabd4169e48464232484f3722359d59f8ae806bccad3f080d8d557edd3238aa7a8ce74

Download Submit
memory/1380-26-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/1936-24-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/1936-1-0x0000000000080000-0x000000000013A000-memory.dmp

Filesize
744KB

Download
memory/1936-3-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/1936-2-0x0000000001DB0000-0x0000000001DCA000-memory.dmp

Filesize
104KB

Download
memory/1936-4-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/1936-5-0x0000000005150000-0x00000000051DA000-memory.dmp

Filesize
552KB

Download
memory/1936-0-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/2464-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2464-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2464-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2464-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2464-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2784-27-0x00000000000F0000-0x000000000012F000-memory.dmp

Filesize
252KB

Download
memory/2784-28-0x00000000000F0000-0x000000000012F000-memory.dmp

Filesize
252KB

Download