8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae

General

Target

8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe
Size

3.9MB
MD5

c8de9399c22a91d81bc9ecbe502556c1
SHA1

5c70471cb9b4278052561db539b2004fa02b2e90
SHA256

8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae
SHA512

b699d636a745596591dde641f0bd4d27a7b8b98287390f39e5d61c9f1faccec975c100ec7d41176eb6536dc59cbc9258addbd69fd9014f0480d3e23f966399a9
SSDEEP

49152:JOb699GhOeeYrHhxNg0Dobuh9CY501gFji3o8SIP1qJ5+BXldQJmnt7wBHQ:L9vYrdnfsSIAJYBXlVwBw

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1204	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1204	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1204	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 1204	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	31
PID 2692 wrote to memory of 1204	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	31
PID 2692 wrote to memory of 1204	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	31
PID 2692 wrote to memory of 2112	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	33
PID 2692 wrote to memory of 2112	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	33
PID 2692 wrote to memory of 2112	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	33
PID 2692 wrote to memory of 2112	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	33
PID 2692 wrote to memory of 2376	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	34
PID 2692 wrote to memory of 2376	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	34
PID 2692 wrote to memory of 2376	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	34
PID 2692 wrote to memory of 2376	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	34
PID 2692 wrote to memory of 3024	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	35
PID 2692 wrote to memory of 3024	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	35
PID 2692 wrote to memory of 3024	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	35
PID 2692 wrote to memory of 3024	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	35
PID 2692 wrote to memory of 3020	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	36
PID 2692 wrote to memory of 3020	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	36
PID 2692 wrote to memory of 3020	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	36
PID 2692 wrote to memory of 3020	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	36
PID 2692 wrote to memory of 2496	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	37
PID 2692 wrote to memory of 2496	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	37
PID 2692 wrote to memory of 2496	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	37
PID 2692 wrote to memory of 2496	2692	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	37

C:\Users\Admin\AppData\Local\Temp\8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe
"C:\Users\Admin\AppData\Local\Temp\8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe"
  2⤵
  PID:3020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe"
  2⤵
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-4-0x000007FEF68AE000-0x000007FEF68AF000-memory.dmp

Filesize
4KB

Download
memory/1204-5-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1204-6-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/1204-9-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

Filesize
9.6MB

Download
memory/1204-8-0x000000000293B000-0x00000000029A2000-memory.dmp

Filesize
412KB

Download
memory/1204-7-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/1204-11-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing