Overview

overview

10

Static

static

1

304ea6d5cf...7a.exe

windows7-x64

8

304ea6d5cf...7a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    27-07-2024 02:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    304ea6d5cf3786d19de14f004d7d057a.exe

  • Size

    550KB

  • MD5

    304ea6d5cf3786d19de14f004d7d057a

  • SHA1

    d86ddb3becc0a82c915be35e7a7dcd796b50c269

  • SHA256

    89dd158d0ffdb6d661672343d36f5a87907e1cc60a0e9e85c892f75228eb399b

  • SHA512

    4c0731a52e57e429d1001da518066c073ceb0c9c91992e66dc674c3dfc352156e48dc22dc5482310d2c0ce38a2e87aace2dcfa7a9e6915d1bde3eee7bc8d3c08

  • SSDEEP

    12288:1Y5Q6QFm4SY+aZrwrLVRqRNlom98NGykPI7MqXb39bNjgJaXukR:u4/4rLVRqhoKIGNIgqxRiO1

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\304ea6d5cf3786d19de14f004d7d057a.exe
    "C:\Users\Admin\AppData\Local\Temp\304ea6d5cf3786d19de14f004d7d057a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\304ea6d5cf3786d19de14f004d7d057a.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2192
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LjGABleGAy.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2916
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjGABleGAy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEF6E.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2876
    • C:\Users\Admin\AppData\Local\Temp\304ea6d5cf3786d19de14f004d7d057a.exe
      "C:\Users\Admin\AppData\Local\Temp\304ea6d5cf3786d19de14f004d7d057a.exe"
      2⤵
        PID:2628
      • C:\Users\Admin\AppData\Local\Temp\304ea6d5cf3786d19de14f004d7d057a.exe
        "C:\Users\Admin\AppData\Local\Temp\304ea6d5cf3786d19de14f004d7d057a.exe"
        2⤵
          PID:2636
        • C:\Users\Admin\AppData\Local\Temp\304ea6d5cf3786d19de14f004d7d057a.exe
          "C:\Users\Admin\AppData\Local\Temp\304ea6d5cf3786d19de14f004d7d057a.exe"
          2⤵
            PID:2644
          • C:\Users\Admin\AppData\Local\Temp\304ea6d5cf3786d19de14f004d7d057a.exe
            "C:\Users\Admin\AppData\Local\Temp\304ea6d5cf3786d19de14f004d7d057a.exe"
            2⤵
              PID:2672
            • C:\Users\Admin\AppData\Local\Temp\304ea6d5cf3786d19de14f004d7d057a.exe
              "C:\Users\Admin\AppData\Local\Temp\304ea6d5cf3786d19de14f004d7d057a.exe"
              2⤵
                PID:2688

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Command and Scripting Interpreter

            1
            T1059

            PowerShell

            1
            T1059.001

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Persistence

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpEF6E.tmp
              Filesize

              1KB

              MD5

              f450a6a4e5fd86586344937e03b17cc5

              SHA1

              9f0306d34ef25fe3e5b82ab98fa78a5ffc0df160

              SHA256

              472d4b0e3ad0618d919bb62ec5c1173864ed942c08ff6183b29e67f1b6309e4f

              SHA512

              78b084f8fb00b4877194a3463676adb513798162301450c9d47481e079d546b4ae153a4ed1831704d6b792c97fb9b92d6628ca2a8b05b54ea3b9f698d84230a0

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Filesize

              7KB

              MD5

              6eb29854ffde3756d11cc5c3201cccec

              SHA1

              26d9f3254969dc0adfe2181d1f7f291b53fd0ce5

              SHA256

              be8dbccb1014cb52499810a502d0ea1e6ecebf1fcba2a65699b620f7f8966d72

              SHA512

              f2c0f4faa0f5a39a515f706403e2609060df74b2014ad87c1ae5aa4266a485633e035469e646a86ddf42943ede08b4ed656c3d0d59c998bb2c0ab79a636b081e

              Download Submit
            • memory/2436-0-0x00000000744DE000-0x00000000744DF000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2436-1-0x00000000003C0000-0x000000000044C000-memory.dmp
              Filesize

              560KB

              Download
            • memory/2436-2-0x0000000000390000-0x00000000003A2000-memory.dmp
              Filesize

              72KB

              Download
            • memory/2436-3-0x00000000744D0000-0x0000000074BBE000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/2436-4-0x0000000000470000-0x000000000047A000-memory.dmp
              Filesize

              40KB

              Download
            • memory/2436-5-0x00000000009A0000-0x00000000009AE000-memory.dmp
              Filesize

              56KB

              Download
            • memory/2436-6-0x0000000001F90000-0x0000000001FF0000-memory.dmp
              Filesize

              384KB

              Download
            • memory/2436-19-0x00000000744D0000-0x0000000074BBE000-memory.dmp
              Filesize

              6.9MB

              Download