69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3

General

Target

69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe
Size

714KB
MD5

196db64bdd4feb0176f353aed587948e
SHA1

b42c42b13042b81d9a99484a4843e61084dc3596
SHA256

69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3
SHA512

5da5f2ca4968c7e2107e3e6b15599609189016fe7acc83901104165a9390847e31e541cbd2d3ba37cbce075619ab9454b181770dc8c0b2f69a0187d796aef236
SSDEEP

12288:5KEak0beeq+eTghKEiIdURDj7eVE5XjYIn764Wtlcq27gCpbZZEj5F+rT7pHEK:BPkeTg0E0Rjq+UC764WE7gEvE

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2896	powershell.exe
2060	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1920 set thread context of 2692	1920	69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2896	powershell.exe
2060	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2896	1920	69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe	30
PID 1920 wrote to memory of 2896	1920	69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe	30
PID 1920 wrote to memory of 2896	1920	69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe	30
PID 1920 wrote to memory of 2060	1920	69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe	32
PID 1920 wrote to memory of 2060	1920	69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe	32
PID 1920 wrote to memory of 2060	1920	69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe	32
PID 1920 wrote to memory of 2860	1920	69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe	34
PID 1920 wrote to memory of 2860	1920	69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe	34
PID 1920 wrote to memory of 2860	1920	69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe	34
PID 1920 wrote to memory of 2692	1920	69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe	36
PID 1920 wrote to memory of 2692	1920	69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe	36
PID 1920 wrote to memory of 2692	1920	69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe	36
PID 1920 wrote to memory of 2692	1920	69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe
"C:\Users\Admin\AppData\Local\Temp\69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\69448b51f28b16e02af585ef5de65099ba0b2050660d8f9df1cc71c82a193cb3.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hFhzsWdmkAA.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hFhzsWdmkAA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF557.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  2⤵
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF557.tmp

Filesize
1KB

MD5
f566a8639228d34395d308072e07ebc6

SHA1
a4ee5379cef1071460288013736c0d51201930bb

SHA256
97ee78c179dc3814bc8b00cf61553ed4ba429960d98ea9f2eab37b284288efdd

SHA512
0ea981dd99751b4ca4114612a6b31efd250bfdb3ae960b154d7ef88c2505e00e96a352edbedd1e336210c99fc96934b7d1d3a4099b9954b12ad9d8652555da87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3c3c6c900cf16042ce3d2cc9e1f1cb2c

SHA1
9767da45163c17db3570681a5816e0eaa92115d9

SHA256
5dc33dc17d03908ea48b4274197973ffdc5fbde89ed4ff188f44b21fc9c0b9b0

SHA512
6a7df920a84c6b2cfef4ef0cd1e5a70f06fc77e3b9e2b948dafaa3e8b31db2900b003892ae5dbaedd886f3da28fc8c61d8bf1342a188f6cd696b7dada71f50ec

Download Submit
memory/1920-6-0x000000001C4A0000-0x000000001C520000-memory.dmp

Filesize
512KB

Download
memory/1920-3-0x0000000000670000-0x000000000068A000-memory.dmp

Filesize
104KB

Download
memory/1920-4-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/1920-5-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/1920-0-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

Filesize
4KB

Download
memory/1920-2-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/1920-1-0x000000013F720000-0x000000013F7D6000-memory.dmp

Filesize
728KB

Download
memory/1920-24-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-23-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/2896-21-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2896-20-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads