a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
Size

707KB
MD5

e975f8c51ed731735835c13c150d3a03
SHA1

1740d4342923f2bef21936af92e2381b58ab6993
SHA256

a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad
SHA512

33a9d0d70d1aa57b3353b6e84e34fc3fbf92ede61a9145942f755aa766f8cf7ff5a516d1ea02d657025d5f068c073eb21d4d0d42040afc014dc96ed45eb10404
SSDEEP

12288:p7HSDzsiQEsnXP785zl6lclC75YbfPGl8kurytPmUDvYkz0lj:p7HSDD5sXHlcBal8kuryZfEw0l

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2684	powershell.exe
2592	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
2684	powershell.exe
2592	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2684	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	30
PID 2672 wrote to memory of 2684	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	30
PID 2672 wrote to memory of 2684	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	30
PID 2672 wrote to memory of 2684	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	30
PID 2672 wrote to memory of 2592	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	32
PID 2672 wrote to memory of 2592	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	32
PID 2672 wrote to memory of 2592	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	32
PID 2672 wrote to memory of 2592	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	32
PID 2672 wrote to memory of 2736	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	34
PID 2672 wrote to memory of 2736	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	34
PID 2672 wrote to memory of 2736	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	34
PID 2672 wrote to memory of 2736	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	34
PID 2672 wrote to memory of 584	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	36
PID 2672 wrote to memory of 584	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	36
PID 2672 wrote to memory of 584	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	36
PID 2672 wrote to memory of 584	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	36
PID 2672 wrote to memory of 2844	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	37
PID 2672 wrote to memory of 2844	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	37
PID 2672 wrote to memory of 2844	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	37
PID 2672 wrote to memory of 2844	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	37
PID 2672 wrote to memory of 572	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	38
PID 2672 wrote to memory of 572	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	38
PID 2672 wrote to memory of 572	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	38
PID 2672 wrote to memory of 572	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	38
PID 2672 wrote to memory of 1816	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	39
PID 2672 wrote to memory of 1816	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	39
PID 2672 wrote to memory of 1816	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	39
PID 2672 wrote to memory of 1816	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	39
PID 2672 wrote to memory of 1580	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	40
PID 2672 wrote to memory of 1580	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	40
PID 2672 wrote to memory of 1580	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	40
PID 2672 wrote to memory of 1580	2672	a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe	40

C:\Users\Admin\AppData\Local\Temp\a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
"C:\Users\Admin\AppData\Local\Temp\a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HUuXEi.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HUuXEi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp59B4.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
  "C:\Users\Admin\AppData\Local\Temp\a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe"
  2⤵
  PID:584
- C:\Users\Admin\AppData\Local\Temp\a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
  "C:\Users\Admin\AppData\Local\Temp\a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe"
  2⤵
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
  "C:\Users\Admin\AppData\Local\Temp\a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe"
  2⤵
  PID:572
- C:\Users\Admin\AppData\Local\Temp\a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
  "C:\Users\Admin\AppData\Local\Temp\a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe"
  2⤵
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe
  "C:\Users\Admin\AppData\Local\Temp\a2c40c36ad82e27b4db35cb35800e6fcd428983434b9bb11b5005e92b353baad.exe"
  2⤵
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp59B4.tmp

Filesize
1KB

MD5
cd478a6732347104205843cb0bf027fa

SHA1
6fad23a1bb9e9ea59de1f008a6b65335a9f90862

SHA256
136cbf8c2bc96bcbad4849bda974b920bf6a36ae99ea2dab91930d9cdccfbbd7

SHA512
60543e500559d9e7072ecd4537c3018dbdaf1ba275ed1548b12ce668c316db719462da0bf612ab4c526d2098c74cd14f431faf343352d5a9c842c63920f426d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L738G52EWN90UGD48NMT.temp

Filesize
7KB

MD5
3ac9d568e0b5bc4f2ade73ee09c508f0

SHA1
84897ab9e76b6c80cb66ce9a4bae3e779f992435

SHA256
572cf6eaf39abe05e94b69483e7c2a53a07c8a4a0f51f46c3b617c0308dd556a

SHA512
b7c610872e91cca02db4a754e4c008b4728e530b17c26a0eac2a84ec9a14cfcca1ac18ca52242075cec2d0ff70a1dbd175a19f602c11168a9f5394291c85fa49

Download Submit
memory/2672-0-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

Filesize
4KB

Download
memory/2672-1-0x00000000003F0000-0x00000000004A6000-memory.dmp

Filesize
728KB

Download
memory/2672-2-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2672-3-0x00000000005A0000-0x00000000005B8000-memory.dmp

Filesize
96KB

Download
memory/2672-4-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2672-5-0x0000000000330000-0x00000000003A6000-memory.dmp

Filesize
472KB

Download
memory/2672-18-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download