b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
Size

592KB
MD5

b24af86265030c8eef122b4c1ecd3872
SHA1

9d938c83cecf29582c57c43a40406f577d78e88a
SHA256

b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8
SHA512

c1b4163cd541b616f11966b56a646eee353bfcebdcfdf35f64311e53025822959cfe3063c50a77c0b4493da0c4196bac0172d0cfcc750eb605edc06a15643d0f
SSDEEP

12288:TVh0xC0sCe+1GOZzDzd8wGUXd7x0bbU7zODAKD:ZhEC4xoOZzDzd8whx0UzOcK

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2856	powershell.exe
2744	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
2744	powershell.exe
2856	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2856	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	30
PID 2188 wrote to memory of 2856	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	30
PID 2188 wrote to memory of 2856	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	30
PID 2188 wrote to memory of 2856	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	30
PID 2188 wrote to memory of 2744	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	32
PID 2188 wrote to memory of 2744	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	32
PID 2188 wrote to memory of 2744	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	32
PID 2188 wrote to memory of 2744	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	32
PID 2188 wrote to memory of 1416	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	33
PID 2188 wrote to memory of 1416	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	33
PID 2188 wrote to memory of 1416	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	33
PID 2188 wrote to memory of 1416	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	33
PID 2188 wrote to memory of 2096	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	36
PID 2188 wrote to memory of 2096	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	36
PID 2188 wrote to memory of 2096	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	36
PID 2188 wrote to memory of 2096	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	36
PID 2188 wrote to memory of 2236	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	37
PID 2188 wrote to memory of 2236	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	37
PID 2188 wrote to memory of 2236	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	37
PID 2188 wrote to memory of 2236	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	37
PID 2188 wrote to memory of 2544	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	38
PID 2188 wrote to memory of 2544	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	38
PID 2188 wrote to memory of 2544	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	38
PID 2188 wrote to memory of 2544	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	38
PID 2188 wrote to memory of 2884	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	39
PID 2188 wrote to memory of 2884	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	39
PID 2188 wrote to memory of 2884	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	39
PID 2188 wrote to memory of 2884	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	39
PID 2188 wrote to memory of 1044	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	40
PID 2188 wrote to memory of 1044	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	40
PID 2188 wrote to memory of 1044	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	40
PID 2188 wrote to memory of 1044	2188	b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe	40

C:\Users\Admin\AppData\Local\Temp\b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
"C:\Users\Admin\AppData\Local\Temp\b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cONqzZpZ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cONqzZpZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6806.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1416
- C:\Users\Admin\AppData\Local\Temp\b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
  "C:\Users\Admin\AppData\Local\Temp\b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe"
  2⤵
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
  "C:\Users\Admin\AppData\Local\Temp\b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe"
  2⤵
  PID:2236
- C:\Users\Admin\AppData\Local\Temp\b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
  "C:\Users\Admin\AppData\Local\Temp\b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe"
  2⤵
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
  "C:\Users\Admin\AppData\Local\Temp\b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe"
  2⤵
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe
  "C:\Users\Admin\AppData\Local\Temp\b6a40b8140bb8ebbf10c47b649052c765a55c3620246973e97ab937f6361bba8.exe"
  2⤵
  PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6806.tmp

Filesize
1KB

MD5
6a64fb7651845e637ea9a2b87d04264c

SHA1
3924f98f9c9ade18f70f8bca1e682f82a96ba1ea

SHA256
e85bbd8c4972a2ae292770e8231cb657e5ff35b1195eadcda910097b01b2377c

SHA512
cb969ad2f9dcbf3b243f7a417af8ce8fce16f8e4def384846eb9a725c6b363ded9f8e10750f59d8d86837936d053d2c91e87c2cce13c0b2103ec0e10cc7a1685

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KL2Q3XLBWMK41CC3DZZK.temp

Filesize
7KB

MD5
c7453d28acbdff47645078c78037b081

SHA1
c8d957ec25c255c05ff531d2a3899427f980c9f9

SHA256
25471decfd622d7983fe9651e613ccf07c3bb8ed32f55ddb2992abdc690850f1

SHA512
92032a20592b100862079130936559543c720aef48d00db3b2b3565162d68f82d42b65401b7600820cf6b810fb5a15154ad69da23e95cc0b63151be58fe43e4b

Download Submit
memory/2188-0-0x000000007434E000-0x000000007434F000-memory.dmp

Filesize
4KB

Download
memory/2188-1-0x0000000000150000-0x00000000001E4000-memory.dmp

Filesize
592KB

Download
memory/2188-2-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-3-0x0000000001CB0000-0x0000000001CC2000-memory.dmp

Filesize
72KB

Download
memory/2188-4-0x0000000004010000-0x0000000004018000-memory.dmp

Filesize
32KB

Download
memory/2188-5-0x0000000004060000-0x000000000406E000-memory.dmp

Filesize
56KB

Download
memory/2188-6-0x00000000049D0000-0x0000000004A32000-memory.dmp

Filesize
392KB

Download
memory/2188-19-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download