Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/07/2024, 22:37 UTC

General

  • Target
    8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe
  • Size
    3.9MB
  • MD5
    c8de9399c22a91d81bc9ecbe502556c1
  • SHA1
    5c70471cb9b4278052561db539b2004fa02b2e90
  • SHA256
    8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae
  • SHA512
    b699d636a745596591dde641f0bd4d27a7b8b98287390f39e5d61c9f1faccec975c100ec7d41176eb6536dc59cbc9258addbd69fd9014f0480d3e23f966399a9
  • SSDEEP
    49152:JOb699GhOeeYrHhxNg0Dobuh9CY501gFji3o8SIP1qJ5+BXldQJmnt7wBHQ:L9vYrdnfsSIAJYBXlVwBw

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe
    "C:\Users\Admin\AppData\Local\Temp\8912a860fea905932645a87fb22455057e7fee4aa6f64a3cf0a2ef28e810f6ae.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe"
      2⤵
      PID:2648
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe"
      2⤵
      PID:2568
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
      2⤵
      PID:2632
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe"
      2⤵
      PID:2560
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe"
      2⤵
      PID:2812

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2760-4-0x000007FEF478E000-0x000007FEF478F000-memory.dmp
    Filesize: 4KB
  • memory/2760-5-0x000000001B820000-0x000000001BB02000-memory.dmp
    Filesize: 2.9MB
  • memory/2760-6-0x0000000001E10000-0x0000000001E18000-memory.dmp
    Filesize: 32KB
  • memory/2760-7-0x000007FEF44D0000-0x000007FEF4E6D000-memory.dmp
    Filesize: 9.6MB
  • memory/2760-8-0x000007FEF44D0000-0x000007FEF4E6D000-memory.dmp
    Filesize: 9.6MB
  • memory/2760-10-0x000007FEF44D0000-0x000007FEF4E6D000-memory.dmp
    Filesize: 9.6MB
