8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae

General

Target

8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe
Size

3.9MB
MD5

c8de9399c22a91d81bc9ecbe502556c1
SHA1

5c70471cb9b4278052561db539b2004fa02b2e90
SHA256

8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae
SHA512

b699d636a745596591dde641f0bd4d27a7b8b98287390f39e5d61c9f1faccec975c100ec7d41176eb6536dc59cbc9258addbd69fd9014f0480d3e23f966399a9
SSDEEP

49152:JOb699GhOeeYrHhxNg0Dobuh9CY501gFji3o8SIP1qJ5+BXldQJmnt7wBHQ:L9vYrdnfsSIAJYBXlVwBw

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2760	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2760	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2760	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	31
PID 2224 wrote to memory of 2760	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	31
PID 2224 wrote to memory of 2760	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	31
PID 2224 wrote to memory of 2648	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	33
PID 2224 wrote to memory of 2648	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	33
PID 2224 wrote to memory of 2648	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	33
PID 2224 wrote to memory of 2648	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	33
PID 2224 wrote to memory of 2568	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	34
PID 2224 wrote to memory of 2568	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	34
PID 2224 wrote to memory of 2568	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	34
PID 2224 wrote to memory of 2568	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	34
PID 2224 wrote to memory of 2632	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	35
PID 2224 wrote to memory of 2632	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	35
PID 2224 wrote to memory of 2632	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	35
PID 2224 wrote to memory of 2632	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	35
PID 2224 wrote to memory of 2560	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	36
PID 2224 wrote to memory of 2560	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	36
PID 2224 wrote to memory of 2560	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	36
PID 2224 wrote to memory of 2560	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	36
PID 2224 wrote to memory of 2812	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	37
PID 2224 wrote to memory of 2812	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	37
PID 2224 wrote to memory of 2812	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	37
PID 2224 wrote to memory of 2812	2224	8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe	37

C:\Users\Admin\AppData\Local\Temp\8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe
"C:\Users\Admin\AppData\Local\Temp\8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe"
  2⤵
  PID:2568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  2⤵
  PID:2632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe"
  2⤵
  PID:2560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe"
  2⤵
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2760-4-0x000007FEF478E000-0x000007FEF478F000-memory.dmp

Filesize
4KB

Download
memory/2760-5-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download
memory/2760-6-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2760-7-0x000007FEF44D0000-0x000007FEF4E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-8-0x000007FEF44D0000-0x000007FEF4E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-10-0x000007FEF44D0000-0x000007FEF4E6D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing