970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683

General

Target

970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe
Size

819KB
MD5

12b9b84dad30fa72eb661f353b61e734
SHA1

4fd8377e65e1cafa730ddb07d99ba64774b979f8
SHA256

970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683
SHA512

39b7023a8174107ab77340bbec44cce8f047149acc9fa1bc520ce856433e2b5a4b2a93e45a7c406cc2387dba1b44a9258bae6236fa7b781ee7758e3ac63bbf45
SSDEEP

24576:7p7C3c6H8re+rb6LRFbl5KPotfdGTZdMgtY+VTQC:7pAyrOLR9l5KYfkddMgtY+VTQ

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2616	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 2416	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	32
PID 2416 set thread context of 1200	2416	MSBuild.exe	21
PID 2416 set thread context of 2320	2416	MSBuild.exe	35
PID 2320 set thread context of 1200	2320	bitsadmin.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2616	powershell.exe
2416	MSBuild.exe
2416	MSBuild.exe
2416	MSBuild.exe
2416	MSBuild.exe
2416	MSBuild.exe
2416	MSBuild.exe
2416	MSBuild.exe
2416	MSBuild.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe
2320	bitsadmin.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2416	MSBuild.exe
1200	Explorer.EXE
1200	Explorer.EXE
2320	bitsadmin.exe
2320	bitsadmin.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2616	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	28
PID 2264 wrote to memory of 2616	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	28
PID 2264 wrote to memory of 2616	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	28
PID 2264 wrote to memory of 2616	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	28
PID 2264 wrote to memory of 2768	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	30
PID 2264 wrote to memory of 2768	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	30
PID 2264 wrote to memory of 2768	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	30
PID 2264 wrote to memory of 2768	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	30
PID 2264 wrote to memory of 2416	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	32
PID 2264 wrote to memory of 2416	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	32
PID 2264 wrote to memory of 2416	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	32
PID 2264 wrote to memory of 2416	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	32
PID 2264 wrote to memory of 2416	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	32
PID 2264 wrote to memory of 2416	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	32
PID 2264 wrote to memory of 2416	2264	970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe	32
PID 1200 wrote to memory of 2320	1200	Explorer.EXE	35
PID 1200 wrote to memory of 2320	1200	Explorer.EXE	35
PID 1200 wrote to memory of 2320	1200	Explorer.EXE	35
PID 1200 wrote to memory of 2320	1200	Explorer.EXE	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe
  "C:\Users\Admin\AppData\Local\Temp\970e42e01f0a5e0ae87a79fb209acae605eefa6c168c8008fbc9f544e405b683.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UNuFErjY.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNuFErjY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3524.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2416
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\SysWOW64\bitsadmin.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3524.tmp

Filesize
1KB

MD5
aaa4b0d0d4a89aeb321eb0a3c96c60a8

SHA1
a49bdec4e8565a57a1f21aa66306074b4188966e

SHA256
f340d2c95d06d158de1aa7bef23bb904aa094fd357fad22566b27b0a45b04966

SHA512
c4741fb61a8ceab1efd8bf146d5dce33915188d620792c9602a59de9846009940aeea99184e4a77711113986ab6799a7389290e575f0c28e808fc0189abac935

Download Submit
memory/1200-22-0x0000000003CB0000-0x0000000003DB0000-memory.dmp

Filesize
1024KB

Download
memory/2264-20-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-1-0x0000000000A40000-0x0000000000B12000-memory.dmp

Filesize
840KB

Download
memory/2264-5-0x0000000001F30000-0x0000000001F40000-memory.dmp

Filesize
64KB

Download
memory/2264-4-0x0000000001F20000-0x0000000001F2E000-memory.dmp

Filesize
56KB

Download
memory/2264-6-0x0000000004630000-0x00000000046BA000-memory.dmp

Filesize
552KB

Download
memory/2264-2-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-0-0x000000007420E000-0x000000007420F000-memory.dmp

Filesize
4KB

Download
memory/2264-3-0x0000000000420000-0x0000000000436000-memory.dmp

Filesize
88KB

Download
memory/2320-24-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2320-23-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2416-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2416-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2416-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2416-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2416-18-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads