d6291f04688e967d0b4eb08effefcf3de896b2511684b5f57dd7bdb6a2921404

General

Target

c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
Size

713KB
MD5

3599fa63d78413242a88966d3b4b14ef
SHA1

44526b00e847d9a16908c79f72dab1af4a2edf29
SHA256

c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33
SHA512

e04604e58c9a0eb4e6bbea99d59295463cb9058f82c2527502acb6fe47989fc4f72b69338bb66ca5c5fc5a62d785fb65fcd4eb272a6136a1c240592076845d73
SSDEEP

12288:vV9E8GILjWLWg/yvjaRBv5MIorus1IPI4AMqoYg/6vXdW1JeSel43qiukR:7cam5MI+TIPuM//CXd+JWl46i1

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2776 powershell.exe
2584 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2580 schtasks.exe

pid	process
2776	powershell.exe
2584	powershell.exe

pid	process
2580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exepowershell.exepowershell.exe

pid	process
1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
2776	powershell.exe
1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
2584	powershell.exe
1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe

C:\Users\Admin\AppData\Local\Temp\c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
"C:\Users\Admin\AppData\Local\Temp\c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TmfmVKU.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmfmVKU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD53A.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Users\Admin\AppData\Local\Temp\c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
"C:\Users\Admin\AppData\Local\Temp\c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe"
2⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
"C:\Users\Admin\AppData\Local\Temp\c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe"
2⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
"C:\Users\Admin\AppData\Local\Temp\c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe"
2⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
"C:\Users\Admin\AppData\Local\Temp\c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe"
2⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
"C:\Users\Admin\AppData\Local\Temp\c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe"
2⤵
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD53A.tmp

Filesize
1KB

MD5
84949fe08bade6012fe9c851d5462a19

SHA1
e358f6b615c2a255d4b6e4693e5e2c09a03b312c

SHA256
030769d8325db623853455e504060222931d41697f37ad262eef769296e7fd3f

SHA512
21d9ace45bb9d11d824a94c4218ccd81aa04a34a0026b9ca8929b60ade8dc5e90953dd2edd3b107d9f5e08279bc92cfd60ea4d2eb6e4f8667837ef7282436fa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
fb4f4a3d8e862772c6054abef028d17c

SHA1
218fb9b5122aca84260d7001837fd2a03e26d40b

SHA256
3fe9b1d17247d9287badb71764fd90d0aeef9af3d46610cf453d6b209d6eae5d

SHA512
754c081000dfe300eed3f190d75df6fde3d309cb6ad5ac2d96822738e4b834b4a9a908a4bd29ba6437a2b6b395ec3e14aad4f4b389e3a621f4df6e68150e6a67

Download Submit
memory/1656-0-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

Filesize
4KB

Download
memory/1656-1-0x0000000000350000-0x0000000000404000-memory.dmp

Filesize
720KB

Download
memory/1656-2-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/1656-3-0x0000000000620000-0x0000000000630000-memory.dmp

Filesize
64KB

Download
memory/1656-4-0x00000000020E0000-0x00000000020EC000-memory.dmp

Filesize
48KB

Download
memory/1656-5-0x0000000004F20000-0x0000000004F80000-memory.dmp

Filesize
384KB

Download
memory/1656-18-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 1656 wrote to memory of 2776	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	powershell.exe
PID 1656 wrote to memory of 2776	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	powershell.exe
PID 1656 wrote to memory of 2776	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	powershell.exe
PID 1656 wrote to memory of 2776	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	powershell.exe
PID 1656 wrote to memory of 2584	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	powershell.exe
PID 1656 wrote to memory of 2584	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	powershell.exe
PID 1656 wrote to memory of 2584	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	powershell.exe
PID 1656 wrote to memory of 2584	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	powershell.exe
PID 1656 wrote to memory of 2580	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	schtasks.exe
PID 1656 wrote to memory of 2580	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	schtasks.exe
PID 1656 wrote to memory of 2580	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	schtasks.exe
PID 1656 wrote to memory of 2580	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	schtasks.exe
PID 1656 wrote to memory of 2676	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 2676	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 2676	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 2676	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 2984	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 2984	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 2984	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 2984	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 3016	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 3016	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 3016	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 3016	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 2608	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 2608	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 2608	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 2608	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 2080	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 2080	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 2080	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe
PID 1656 wrote to memory of 2080	1656	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe	c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads