ee6612c011e68b93d85640b5fb919148af358998be27cab54333b0d6c6b8709f

General

Target

po8909893299832.exe
Size

612KB
MD5

8c2635e6c2804ace5c6fa487f5e23a87
SHA1

334e05486efda6725b100a9365d5017aefb90e22
SHA256

d6c03cce5773652c4cb266084f901b331550d57a656240d20c288484657cd701
SHA512

25b40d504047bd3001303c59c72756d7174dc3b0e9731045e2a4cd57907333f4203ab8f2de3f4b99fb96c6ef5217dae764bfcca980583f7375a39714b78dffe6
SSDEEP

12288:xdJS4VayvR9/7MY12/bsozqhJf6fa8OGawEekrNYoAjjQkR:hScnpFxE/bsB3Si8OyTp3

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2636 powershell.exe
2500 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2540 schtasks.exe

pid	process
2636	powershell.exe
2500	powershell.exe

pid	process
2540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

po8909893299832.exepowershell.exepowershell.exe

pid	process
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2996	po8909893299832.exe
2636	powershell.exe
2500	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

po8909893299832.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2996	po8909893299832.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

po8909893299832.exe

description	pid	process	target process
PID 2996 wrote to memory of 2636	2996	po8909893299832.exe	powershell.exe
PID 2996 wrote to memory of 2636	2996	po8909893299832.exe	powershell.exe
PID 2996 wrote to memory of 2636	2996	po8909893299832.exe	powershell.exe
PID 2996 wrote to memory of 2636	2996	po8909893299832.exe	powershell.exe
PID 2996 wrote to memory of 2500	2996	po8909893299832.exe	powershell.exe
PID 2996 wrote to memory of 2500	2996	po8909893299832.exe	powershell.exe
PID 2996 wrote to memory of 2500	2996	po8909893299832.exe	powershell.exe
PID 2996 wrote to memory of 2500	2996	po8909893299832.exe	powershell.exe
PID 2996 wrote to memory of 2540	2996	po8909893299832.exe	schtasks.exe
PID 2996 wrote to memory of 2540	2996	po8909893299832.exe	schtasks.exe
PID 2996 wrote to memory of 2540	2996	po8909893299832.exe	schtasks.exe
PID 2996 wrote to memory of 2540	2996	po8909893299832.exe	schtasks.exe
PID 2996 wrote to memory of 112	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 112	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 112	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 112	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 1320	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 1320	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 1320	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 1320	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 720	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 720	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 720	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 720	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 1060	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 1060	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 1060	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 1060	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 1868	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 1868	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 1868	2996	po8909893299832.exe	po8909893299832.exe
PID 2996 wrote to memory of 1868	2996	po8909893299832.exe	po8909893299832.exe

C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe
"C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\InXlDTKncKkCk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\InXlDTKncKkCk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1526.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe
  "C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe"
  2⤵
  PID:112
- C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe
  "C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe"
  2⤵
  PID:1320
- C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe
  "C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe"
  2⤵
  PID:720
- C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe
  "C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe"
  2⤵
  PID:1060
- C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe
  "C:\Users\Admin\AppData\Local\Temp\po8909893299832.exe"
  2⤵
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1526.tmp

Filesize
1KB

MD5
c5a50094400f950dd0d3a75b973e9c92

SHA1
b855e8b8aa6a72c5d0a2a48ed1d3da9902f32f0e

SHA256
f40311f8155ef3abfe80ca0aa007a1458a727072592694d6f7e8c594caca618d

SHA512
5ed5a7c0f12cc09625a4f4748c9f5fa4df6c77195e2dface189d0899efc3bf19a433f3e6fd831a37e80d818e244522f9506f19275f9273535966dcda2191786a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7184bbd1ff104eb67ae68b63577aef38

SHA1
f1ff5b9b6510f4d5d61c2d7330a5ecbf93f32a42

SHA256
2095a877016aefdfa7b8539017408f49b83853129f28f64b4a79a29a16cecfb3

SHA512
2e32e7d03d261b18711338425ca2eeba073ba3b4f513e0d992ccfc04e6c475a4456d4ec04372b274efb37b3d688aadefb98d78360622706444686251ba364cca

Download Submit
memory/2996-0-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

Filesize
4KB

Download
memory/2996-1-0x0000000000200000-0x000000000029C000-memory.dmp

Filesize
624KB

Download
memory/2996-2-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-3-0x0000000000450000-0x0000000000468000-memory.dmp

Filesize
96KB

Download
memory/2996-4-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2996-5-0x00000000052B0000-0x0000000005326000-memory.dmp

Filesize
472KB

Download
memory/2996-6-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

Filesize
4KB

Download
memory/2996-7-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-20-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads