f9f2e7987af77bec393389bc0afb5db712d7753d399c60219b67e7db139a143c

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA for MAR to APR 2024.exe
Size

714KB
MD5

637c9d6368273b1560276ad82a3d5ef6
SHA1

c5dd2dede9587eab96fbae5eb89b1ec663627b93
SHA256

69b09aa77f3774958809742c27dadfe0750ab0861a4b2e3d890cce77bb2370c2
SHA512

b7f942bc71cfb660952dc1c46fb6bbd736572e7125e46ff7c3b13e21ac199502238b30c177059fdd032e9247e0df7d734dd2ef1023a35c4b5800507c9c535094
SSDEEP

12288:o4GIpx61IHTGj7B92gulkSc9C+V+KZydqNEP0UEOtr7+iJcfflrkR:oNvDu3kHV5YPV1tm+cnlu

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2600	powershell.exe
2356	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2508	SOA for MAR to APR 2024.exe
2508	SOA for MAR to APR 2024.exe
2508	SOA for MAR to APR 2024.exe
2508	SOA for MAR to APR 2024.exe
2508	SOA for MAR to APR 2024.exe
2508	SOA for MAR to APR 2024.exe
2508	SOA for MAR to APR 2024.exe
2508	SOA for MAR to APR 2024.exe
2508	SOA for MAR to APR 2024.exe
2508	SOA for MAR to APR 2024.exe
2508	SOA for MAR to APR 2024.exe
2600	powershell.exe
2356	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	SOA for MAR to APR 2024.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2356	2508	SOA for MAR to APR 2024.exe	30
PID 2508 wrote to memory of 2356	2508	SOA for MAR to APR 2024.exe	30
PID 2508 wrote to memory of 2356	2508	SOA for MAR to APR 2024.exe	30
PID 2508 wrote to memory of 2356	2508	SOA for MAR to APR 2024.exe	30
PID 2508 wrote to memory of 2600	2508	SOA for MAR to APR 2024.exe	32
PID 2508 wrote to memory of 2600	2508	SOA for MAR to APR 2024.exe	32
PID 2508 wrote to memory of 2600	2508	SOA for MAR to APR 2024.exe	32
PID 2508 wrote to memory of 2600	2508	SOA for MAR to APR 2024.exe	32
PID 2508 wrote to memory of 2908	2508	SOA for MAR to APR 2024.exe	33
PID 2508 wrote to memory of 2908	2508	SOA for MAR to APR 2024.exe	33
PID 2508 wrote to memory of 2908	2508	SOA for MAR to APR 2024.exe	33
PID 2508 wrote to memory of 2908	2508	SOA for MAR to APR 2024.exe	33
PID 2508 wrote to memory of 2276	2508	SOA for MAR to APR 2024.exe	36
PID 2508 wrote to memory of 2276	2508	SOA for MAR to APR 2024.exe	36
PID 2508 wrote to memory of 2276	2508	SOA for MAR to APR 2024.exe	36
PID 2508 wrote to memory of 2276	2508	SOA for MAR to APR 2024.exe	36
PID 2508 wrote to memory of 2616	2508	SOA for MAR to APR 2024.exe	37
PID 2508 wrote to memory of 2616	2508	SOA for MAR to APR 2024.exe	37
PID 2508 wrote to memory of 2616	2508	SOA for MAR to APR 2024.exe	37
PID 2508 wrote to memory of 2616	2508	SOA for MAR to APR 2024.exe	37
PID 2508 wrote to memory of 2388	2508	SOA for MAR to APR 2024.exe	38
PID 2508 wrote to memory of 2388	2508	SOA for MAR to APR 2024.exe	38
PID 2508 wrote to memory of 2388	2508	SOA for MAR to APR 2024.exe	38
PID 2508 wrote to memory of 2388	2508	SOA for MAR to APR 2024.exe	38
PID 2508 wrote to memory of 2088	2508	SOA for MAR to APR 2024.exe	39
PID 2508 wrote to memory of 2088	2508	SOA for MAR to APR 2024.exe	39
PID 2508 wrote to memory of 2088	2508	SOA for MAR to APR 2024.exe	39
PID 2508 wrote to memory of 2088	2508	SOA for MAR to APR 2024.exe	39
PID 2508 wrote to memory of 2080	2508	SOA for MAR to APR 2024.exe	40
PID 2508 wrote to memory of 2080	2508	SOA for MAR to APR 2024.exe	40
PID 2508 wrote to memory of 2080	2508	SOA for MAR to APR 2024.exe	40
PID 2508 wrote to memory of 2080	2508	SOA for MAR to APR 2024.exe	40

C:\Users\Admin\AppData\Local\Temp\SOA for MAR to APR 2024.exe
"C:\Users\Admin\AppData\Local\Temp\SOA for MAR to APR 2024.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOA for MAR to APR 2024.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sJESSrCoFnDFGn.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sJESSrCoFnDFGn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3727.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\SOA for MAR to APR 2024.exe
  "C:\Users\Admin\AppData\Local\Temp\SOA for MAR to APR 2024.exe"
  2⤵
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\SOA for MAR to APR 2024.exe
  "C:\Users\Admin\AppData\Local\Temp\SOA for MAR to APR 2024.exe"
  2⤵
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\SOA for MAR to APR 2024.exe
  "C:\Users\Admin\AppData\Local\Temp\SOA for MAR to APR 2024.exe"
  2⤵
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\SOA for MAR to APR 2024.exe
  "C:\Users\Admin\AppData\Local\Temp\SOA for MAR to APR 2024.exe"
  2⤵
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\SOA for MAR to APR 2024.exe
  "C:\Users\Admin\AppData\Local\Temp\SOA for MAR to APR 2024.exe"
  2⤵
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3727.tmp

Filesize
1KB

MD5
fb67bbc842586eca6b2a81e1902896a9

SHA1
afe5a87017a4f01771af45934cd9e9b13a337713

SHA256
00bc56046a379542c1a65f0b819cd6dcb4e7da78d389fcc75d94e080117e1d56

SHA512
bdb06ac700175156231a6d350db57f2f91c3580ebf35d4158a09e717f173d314b3900a27f1925372e5e12a9b323f917fcd79fcb07c89a796379c8115eff3a3c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8f7479aacaf744ee589241721677410a

SHA1
5944fb4add831d13ba3ef2fe4b6e625f5542eeef

SHA256
ef4cb68c89d3614556601c04a90ce214c4d02663476b74d3c46d98f030487d80

SHA512
e931a54246d35ccacbc9bc3469848a23af184d3f9cebed099ebc9f8c496b560ae98a6e04cd65ef337625e0b59de5babb05f0bb15962ef339ee375cd21f72a809

Download Submit
memory/2508-0-0x0000000073ECE000-0x0000000073ECF000-memory.dmp

Filesize
4KB

Download
memory/2508-1-0x0000000000390000-0x0000000000444000-memory.dmp

Filesize
720KB

Download
memory/2508-2-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/2508-3-0x0000000004A50000-0x0000000004AF8000-memory.dmp

Filesize
672KB

Download
memory/2508-4-0x0000000000340000-0x0000000000356000-memory.dmp

Filesize
88KB

Download
memory/2508-5-0x0000000000610000-0x0000000000626000-memory.dmp

Filesize
88KB

Download
memory/2508-6-0x0000000005710000-0x0000000005794000-memory.dmp

Filesize
528KB

Download
memory/2508-19-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download