ee6612c011e68b93d85640b5fb919148af358998be27cab54333b0d6c6b8709f

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

po8909893299832.exe
Size

612KB
MD5

8c2635e6c2804ace5c6fa487f5e23a87
SHA1

334e05486efda6725b100a9365d5017aefb90e22
SHA256

d6c03cce5773652c4cb266084f901b331550d57a656240d20c288484657cd701
SHA512

25b40d504047bd3001303c59c72756d7174dc3b0e9731045e2a4cd57907333f4203ab8f2de3f4b99fb96c6ef5217dae764bfcca980583f7375a39714b78dffe6
SSDEEP

12288:xdJS4VayvR9/7MY12/bsozqhJf6fa8OGawEekrNYoAjjQkR:hScnpFxE/bsB3Si8OyTp3

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2396	powershell.exe
2860	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
3032	po8909893299832.exe
2860	powershell.exe
2396	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	po8909893299832.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2396	3032	po8909893299832.exe	30
PID 3032 wrote to memory of 2396	3032	po8909893299832.exe	30
PID 3032 wrote to memory of 2396	3032	po8909893299832.exe	30
PID 3032 wrote to memory of 2396	3032	po8909893299832.exe	30
PID 3032 wrote to memory of 2860	3032	po8909893299832.exe	32
PID 3032 wrote to memory of 2860	3032	po8909893299832.exe	32
PID 3032 wrote to memory of 2860	3032	po8909893299832.exe	32
PID 3032 wrote to memory of 2860	3032	po8909893299832.exe	32
PID 3032 wrote to memory of 2980	3032	po8909893299832.exe	33
PID 3032 wrote to memory of 2980	3032	po8909893299832.exe	33
PID 3032 wrote to memory of 2980	3032	po8909893299832.exe	33
PID 3032 wrote to memory of 2980	3032	po8909893299832.exe	33
PID 3032 wrote to memory of 2436	3032	po8909893299832.exe	36
PID 3032 wrote to memory of 2436	3032	po8909893299832.exe	36
PID 3032 wrote to memory of 2436	3032	po8909893299832.exe	36
PID 3032 wrote to memory of 2436	3032	po8909893299832.exe	36
PID 3032 wrote to memory of 2444	3032	po8909893299832.exe	37
PID 3032 wrote to memory of 2444	3032	po8909893299832.exe	37
PID 3032 wrote to memory of 2444	3032	po8909893299832.exe	37
PID 3032 wrote to memory of 2444	3032	po8909893299832.exe	37
PID 3032 wrote to memory of 1928	3032	po8909893299832.exe	38
PID 3032 wrote to memory of 1928	3032	po8909893299832.exe	38
PID 3032 wrote to memory of 1928	3032	po8909893299832.exe	38
PID 3032 wrote to memory of 1928	3032	po8909893299832.exe	38
PID 3032 wrote to memory of 1768	3032	po8909893299832.exe	39
PID 3032 wrote to memory of 1768	3032	po8909893299832.exe	39
PID 3032 wrote to memory of 1768	3032	po8909893299832.exe	39
PID 3032 wrote to memory of 1768	3032	po8909893299832.exe	39
PID 3032 wrote to memory of 2668	3032	po8909893299832.exe	40
PID 3032 wrote to memory of 2668	3032	po8909893299832.exe	40
PID 3032 wrote to memory of 2668	3032	po8909893299832.exe	40
PID 3032 wrote to memory of 2668	3032	po8909893299832.exe	40

C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe
"C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\InXlDTKncKkCk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD2BA.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe
  "C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe"
  2⤵
  PID:2436
- C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe
  "C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe"
  2⤵
  PID:2444
- C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe
  "C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe"
  2⤵
  PID:1928
- C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe
  "C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe"
  2⤵
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe
  "C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe"
  2⤵
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD2BA.tmp

Filesize
1KB

MD5
1321cc8e0adf4c62bc90a42694ed1d19

SHA1
1752a61d662aeca677bc8a1f2a36a7f6b972184e

SHA256
f5f08fd45d8d9a341a22e5b77b03719bfc0d465bed40ae923d393a14599a0f1f

SHA512
235805306039a152c33ec29700520800b5275ff68c10f4c09c4a9e1d8cbb76f5f3e04199f913303abad8f14122405bffb5a829ad99005dfe1adadacb780053f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8eaec813e7cd56dba997e2667935cf44

SHA1
6a049d72c8285cf2d8256eebcd9ef3cc85eb4ad5

SHA256
5545c5ad997c6ef44438b57a4a70db51588440fba13dd883b78a094cef26454d

SHA512
def97824cbaf728352dd0c6055a982d2e74e3caf9c5f3869185b42620e83ee2ddc60bf09b9a90fb34c343a42a485311b175df1c2c19fd9a1c01d70b2d3818e41

Download Submit
memory/3032-0-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/3032-1-0x0000000000220000-0x00000000002BC000-memory.dmp

Filesize
624KB

Download
memory/3032-2-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-3-0x00000000005A0000-0x00000000005B8000-memory.dmp

Filesize
96KB

Download
memory/3032-4-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/3032-5-0x00000000046D0000-0x0000000004746000-memory.dmp

Filesize
472KB

Download
memory/3032-6-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/3032-7-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-20-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download