ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
Size

521KB
MD5

1b275f5b53b912b6f9f4944b426471a9
SHA1

e8fd9fec2eec13035730944c892ade741a663b84
SHA256

ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700
SHA512

09c35ad2425ca3abdf06b81aadd0bda5048c3f8ea117c1fb1184a9eee7fdd77391af018a8a79bcf7d8c9937dc97e17e8ce54a8d5e6ace6699460a420b510ef12
SSDEEP

12288:jKclV/xG9Ud3ckOitZmw0gaGhZnzdU4r0:+M0rkhZnzdU4r

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2160	powershell.exe
1212	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
2160	powershell.exe
1212	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2160	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	30
PID 1688 wrote to memory of 2160	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	30
PID 1688 wrote to memory of 2160	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	30
PID 1688 wrote to memory of 2160	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	30
PID 1688 wrote to memory of 1212	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	32
PID 1688 wrote to memory of 1212	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	32
PID 1688 wrote to memory of 1212	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	32
PID 1688 wrote to memory of 1212	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	32
PID 1688 wrote to memory of 1952	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	34
PID 1688 wrote to memory of 1952	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	34
PID 1688 wrote to memory of 1952	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	34
PID 1688 wrote to memory of 1952	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	34
PID 1688 wrote to memory of 2804	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	36
PID 1688 wrote to memory of 2804	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	36
PID 1688 wrote to memory of 2804	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	36
PID 1688 wrote to memory of 2804	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	36
PID 1688 wrote to memory of 1124	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	37
PID 1688 wrote to memory of 1124	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	37
PID 1688 wrote to memory of 1124	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	37
PID 1688 wrote to memory of 1124	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	37
PID 1688 wrote to memory of 1236	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	38
PID 1688 wrote to memory of 1236	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	38
PID 1688 wrote to memory of 1236	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	38
PID 1688 wrote to memory of 1236	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	38
PID 1688 wrote to memory of 856	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	39
PID 1688 wrote to memory of 856	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	39
PID 1688 wrote to memory of 856	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	39
PID 1688 wrote to memory of 856	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	39
PID 1688 wrote to memory of 1492	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	40
PID 1688 wrote to memory of 1492	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	40
PID 1688 wrote to memory of 1492	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	40
PID 1688 wrote to memory of 1492	1688	ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe	40

C:\Users\Admin\AppData\Local\Temp\ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
"C:\Users\Admin\AppData\Local\Temp\ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LJHZOp.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJHZOp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE965.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1952
- C:\Users\Admin\AppData\Local\Temp\ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
  "C:\Users\Admin\AppData\Local\Temp\ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe"
  2⤵
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
  "C:\Users\Admin\AppData\Local\Temp\ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe"
  2⤵
  PID:1124
- C:\Users\Admin\AppData\Local\Temp\ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
  "C:\Users\Admin\AppData\Local\Temp\ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe"
  2⤵
  PID:1236
- C:\Users\Admin\AppData\Local\Temp\ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
  "C:\Users\Admin\AppData\Local\Temp\ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe"
  2⤵
  PID:856
- C:\Users\Admin\AppData\Local\Temp\ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe
  "C:\Users\Admin\AppData\Local\Temp\ed444e4abc5aa906302b3e79ca09c94b8320e23af176384799a2020344de4700.exe"
  2⤵
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE965.tmp

Filesize
1KB

MD5
42fca77ac30654cb83fb8acd0989488e

SHA1
e7f68650aebff7988c930f44481b95603ac4cb03

SHA256
ab27b062605443080ab0af347e1a22526c368e4b4f596e7c55f634d58e86a750

SHA512
0bf5dece9783632f0e9ca187e2daa25ee18c73ebcbfdc0ecc2de2b37535193591c9ae27e937f4184475a67ddfcd11fc9abb640b9f3d2d4ba8bbc00c373cbd803

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d18c8e0afbe332282e9a9507338e403d

SHA1
648a06fa31e457caa8476aa1061f5b2fadae238a

SHA256
a915fd6f0cea6c12965b05e31393372a1d3375f4d1a82e69164cfafa30d3b0fb

SHA512
a1770d11216beb94bcd5570c09856abb5c34fa48beec8980a3561a2ca53091d6c40f3573ee86f875c99ff3f094bfc0b1ba80464fa078f80f434111a0795228d6

Download Submit
memory/1688-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/1688-1-0x00000000002D0000-0x0000000000358000-memory.dmp

Filesize
544KB

Download
memory/1688-2-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/1688-3-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/1688-4-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/1688-5-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/1688-6-0x00000000041E0000-0x0000000004242000-memory.dmp

Filesize
392KB

Download
memory/1688-7-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/1688-20-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download