Analysis (score: 6)
- max time kernel: 150s
- max time network: 148s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 10-08-2024 17:49
Behavioral tasks (task: sample, resource)
- behavioral1: 2024-08-08.zip, win10-20240404-en
- behavioral2: 01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe, win10-20240404-en
- behavioral3: 0581756a656ace2e7d164b1f66846e9d079755bd7a5cead72e73b53ab534531b.exe, win10-20240404-en
- behavioral4: 06fcfd75f456e542f161dc3e74b1c7ccc52e6cded909f5f06e00c847e5bedf40.exe, win10-20240404-en
- behavioral5: 083b02e21246fa17ee9ac50eab39033abd920274259ad848df9eb412d4350ec7.exe, win10-20240404-en
- behavioral6: 087a3b87252a021f6f3696f496d4fd890f28fc31735d8f850aa1184ed7bf59c9.jar, win10-20240404-en
- behavioral7: 08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2.exe, win10-20240404-en
- behavioral8: 0e85d0a9fcf30f823c43e697f99cf61743ef1d29228e160f19005e343f2a5b50.exe, win10-20240404-en
- behavioral9: 0f1b66752dea36f9ad237a452b4bfb2950ab3ce90fcd920c6708f69ee8ce8c9d.exe, win10-20240404-en
- behavioral10: 0f2abe41f47c8287b81f6f5be7983b8486b298d7121bbc8435ccd334a5f7ce70.exe, win10-20240611-en
- behavioral11: 0f8a6d8705eba15b8958bd7984d9c46f1f5510790249b3fa330740a626ef45e5.exe, win10-20240404-en
- behavioral12: 1026da21d95ab9bc3a5dff5163d8029ea6ca3413e586272074105e4727ab1342.exe, win10-20240404-en
- behavioral13: 109927ded1c6f8ce79192bc804efab8f52e6924d16476236eef82a1631349d91.exe, win10-20240404-en
- behavioral14: 15c71b616f8ff314907e2e9f15601adc81529f6129acd67751bf7d16b4d52479.exe, win10-20240404-en
- behavioral15: 17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe, win10-20240404-en
- behavioral16: 1873c4b2bde16da1d2e923d66d20eea2536bc824e5134b60f3df4b770edf72d4.exe, win10-20240404-en
- behavioral17: 19efe1624f526c084e096431a4b1e5bf63c299351751fa0bf466106a99196d3c.exe, win10-20240611-en
- behavioral18: 1de0ce90e503e10f763f00b591d48973bb213d3979c517097b252881630257f7.vbe, win10-20240404-en
- behavioral19: 1e6ad08c5ed9b4fdbef86181e8cd01170fe9ec5615d9a37f90e7ea43bcad175f.exe, win10-20240404-en
- behavioral20: 1f7cedbe04af43e29efdfecce0580ab826b577bd0d7c9f6db3d1c58a8eeffb4c.exe, win10-20240404-en
- behavioral21: 22586df4379d432c8e5d2d852bbecf70558da09f77ec0f7ac46d28e4928a7462.exe, win10-20240404-en
- behavioral22: 29f90a4f6266e43e668b41187ef4e8c2acdfccab8a8c898e64349a5432081ce6.xls, win10-20240404-en
- behavioral23: 2b34ad054e9dde8cbc0abfbe1379a7f0343cb32d92f3411ec2c2ff02ae5673da.exe, win10-20240611-en
- behavioral24: 2bb032333f6f2199f35a512aa920a651975ea1b4c3aa7fac0ad69efa2539f42c.exe, win10-20240404-en
- behavioral25: 2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe, win10-20240404-en
- behavioral26: 2c7da6690be26bd6b5ceea90b233fdd26589d7a72b2a62468903aba887e7ad6a.exe, win10-20240404-en
- behavioral27: 2caf283566656a13bf71f8ceac3c81f58a049c92a788368323b1ba25d872372e.exe, win10-20240404-en
- behavioral28: 300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe, win10-20240611-en
- behavioral29: 353a75d0ad34c89fbdd11ec9cc6f6ea302f5669c5c1326686f7d328e656d1ea5.exe, win10-20240404-en
- behavioral30: 391ac1ceedd3c960f32890f834a86ba1570ee5a0cc12dcef1714d43bb29fc457.exe, win10-20240404-en
- behavioral31: d4cb60a0e93c856f642f862e51cf4af34f626c8d1e1b995b5e9dfb3e72db1101.hta, win10-20240404-en
- behavioral32: e0fa6d69b26f18cfdef3bd930d067eca476b3d2cb78d14bec88f05ae87d25b1e.msi, win10-20240404-en
General
- Target: 17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe
- Size: 930KB
- MD5: fdaef04ff6e9175a3a4918e83470903a
- SHA1: 7cbe102ac7da79cb47adbe3d63c0206983a2fa67
- SHA256: 17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770
- SHA512: e5810b5029c4c4b4ed7e724bf060e52179a5e6c59829adc92fd824088289a22926732925fb105efb716a5fc107d68ad09bd6d6cadf8d69fd29fb64e367531acb
- SSDEEP: 24576:plzwyHNQcI5YGvm7gbi3Ziq+GYsROHzeGs2:pNw+eTvEhJ1OTB
Malware Config
Signatures

UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe)

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- PID 204 powershell.exe

Checks whether UAC is enabled
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe)

Suspicious use of SetThreadContext (7 IoCs)
(description; pid; Process; procid_target)
- PID 3896 set thread context of 2620; 3896; 17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe; 81
- PID 2620 set thread context of 3896; 2620; ilasm.exe; 72 (3 times)
- PID 2620 set thread context of 3196; 2620; ilasm.exe; 54
- PID 2620 set thread context of 4780; 2620; ilasm.exe; 84
- PID 4780 set thread context of 3896; 4780; SecEdit.exe; 72

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: SecEdit.exe)

Suspicious behavior: EnumeratesProcesses (33 IoCs)
- PID 204 powershell.exe (3 times)
- PID 2620 ilasm.exe (22 times)
- PID 4780 SecEdit.exe (8 times)

Suspicious behavior: MapViewOfSection (8 IoCs)
- PID 2620 ilasm.exe (4 times)
- PID 3196 Explorer.EXE (2 times)
- PID 4780 SecEdit.exe (2 times)

Suspicious use of AdjustPrivilegeToken (26 IoCs)
- PID 204 powershell.exe, tokens in order: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 3196 Explorer.EXE, tokens in order: SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege

Suspicious use of WriteProcessMemory (25 IoCs)
(description; pid; Process; procid_target)
- PID 3896 wrote to memory of 204; 3896; 17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe; 74 (2 times)
- PID 3896 wrote to memory of 2408; 3896; 17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe; 76 (4 times)
- PID 3896 wrote to memory of 812; 3896; 17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe; 77 (3 times)
- PID 3896 wrote to memory of 3360; 3896; 17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe; 78 (4 times)
- PID 3896 wrote to memory of 2024; 3896; 17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe; 80 (3 times)
- PID 3896 wrote to memory of 2620; 3896; 17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe; 81 (6 times)
- PID 3196 wrote to memory of 4780; 3196; Explorer.EXE; 84 (3 times)

System policy modification (1 TTPs, 1 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe)
Processes (tree; nesting shows parent/child)
- C:\Windows\Explorer.EXE (PID 3196), command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe (PID 3896), command line: "C:\Users\Admin\AppData\Local\Temp\17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe"
    - UAC bypass
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 204), command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe" -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\svchost.exe (PID 2408), command line: "C:\Windows\System32\svchost.exe"
    - C:\Program Files (x86)\Windows Mail\wab.exe (PID 812), command line: "C:\Program Files (x86)\Windows Mail\wab.exe"
    - C:\Windows\System32\calc.exe (PID 3360), command line: "C:\Windows\System32\calc.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe (PID 2024), command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe (PID 2620), command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\SecEdit.exe (PID 4780), command line: "C:\Windows\SysWOW64\SecEdit.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation: Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Defense Evasion: Abuse Elevation Control Mechanism (1): Bypass User Account Control (1); Impair Defenses (1): Disable or Modify Tools (1); Modify Registry (2)
Downloads
- Filesize: 1B
- MD5: c4ca4238a0b923820dcc509a6f75849b
- SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
- SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
- SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a