b50bbb4b93fd8ef7a2876b3743dfda6945e9011f406e71b41897244b0b836467

Analysis

max time kernel
124s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-08-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe
Size

744KB
MD5

afd781a3ff93fa20591585f48f23327d
SHA1

83b647908d9c163f310aec54685ccbd99a2ec9c5
SHA256

01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64
SHA512

d51644dc80d7a96251e53c1a0e6596880e0741d7c01acd6f4a22abb47c5091e88442b3f724a61ea536931d79893a222877978cf2203e1c42d238ea2ed1afb7dd
SSDEEP

12288:uawNzhMvp5ZhDcvUVgrhulPhOxwEctMNBXCTspa2af/3K196wbl7zXXVHXccrKmm:5Eho15SrUI1qkpof/3EPblzXlMcrcEA

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
212	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 648	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	76

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe
1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe
1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe
1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe
1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe
1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe
212	powershell.exe
212	powershell.exe
212	powershell.exe
648	RegSvcs.exe
648	RegSvcs.exe
648	RegSvcs.exe
648	RegSvcs.exe
648	RegSvcs.exe
648	RegSvcs.exe
648	RegSvcs.exe
648	RegSvcs.exe
648	RegSvcs.exe
648	RegSvcs.exe
648	RegSvcs.exe
648	RegSvcs.exe
648	RegSvcs.exe
648	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe
Token: SeDebugPrivilege	212	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 212	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	72
PID 1768 wrote to memory of 212	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	72
PID 1768 wrote to memory of 212	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	72
PID 1768 wrote to memory of 216	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	74
PID 1768 wrote to memory of 216	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	74
PID 1768 wrote to memory of 216	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	74
PID 1768 wrote to memory of 192	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	75
PID 1768 wrote to memory of 192	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	75
PID 1768 wrote to memory of 192	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	75
PID 1768 wrote to memory of 648	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	76
PID 1768 wrote to memory of 648	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	76
PID 1768 wrote to memory of 648	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	76
PID 1768 wrote to memory of 648	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	76
PID 1768 wrote to memory of 648	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	76
PID 1768 wrote to memory of 648	1768	01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe	76

C:\Users\Admin\AppData\Local\Temp\01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe
"C:\Users\Admin\AppData\Local\Temp\01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tvbtgrqv.5jj.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/212-42-0x0000000008C70000-0x0000000008CA3000-memory.dmp

Filesize
204KB

Download
memory/212-15-0x00000000003C0000-0x000000000042C000-memory.dmp

Filesize
432KB

Download
memory/212-23-0x0000000007340000-0x000000000735C000-memory.dmp

Filesize
112KB

Download
memory/212-21-0x00000000072B0000-0x0000000007316000-memory.dmp

Filesize
408KB

Download
memory/212-24-0x0000000007900000-0x000000000794B000-memory.dmp

Filesize
300KB

Download
memory/212-264-0x00000000003C0000-0x000000000042C000-memory.dmp

Filesize
432KB

Download
memory/212-248-0x0000000008F20000-0x0000000008F28000-memory.dmp

Filesize
32KB

Download
memory/212-20-0x0000000007240000-0x00000000072A6000-memory.dmp

Filesize
408KB

Download
memory/212-243-0x0000000008F30000-0x0000000008F4A000-memory.dmp

Filesize
104KB

Download
memory/212-50-0x0000000008F80000-0x0000000009014000-memory.dmp

Filesize
592KB

Download
memory/212-16-0x0000000006C10000-0x0000000007238000-memory.dmp

Filesize
6.2MB

Download
memory/212-25-0x0000000007BE0000-0x0000000007C56000-memory.dmp

Filesize
472KB

Download
memory/212-14-0x0000000006460000-0x0000000006496000-memory.dmp

Filesize
216KB

Download
memory/212-22-0x0000000007500000-0x0000000007850000-memory.dmp

Filesize
3.3MB

Download
memory/212-49-0x0000000008DB0000-0x0000000008E55000-memory.dmp

Filesize
660KB

Download
memory/212-19-0x0000000006A10000-0x0000000006A32000-memory.dmp

Filesize
136KB

Download
memory/212-44-0x0000000008C50000-0x0000000008C6E000-memory.dmp

Filesize
120KB

Download
memory/212-43-0x0000000072200000-0x000000007224B000-memory.dmp

Filesize
300KB

Download
memory/648-11-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/648-265-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/648-266-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1768-10-0x0000000002B20000-0x0000000002BAE000-memory.dmp

Filesize
568KB

Download
memory/1768-1-0x0000000000980000-0x0000000000A3E000-memory.dmp

Filesize
760KB

Download
memory/1768-0-0x00000000736EE000-0x00000000736EF000-memory.dmp

Filesize
4KB

Download
memory/1768-8-0x00000000054F0000-0x00000000054FE000-memory.dmp

Filesize
56KB

Download
memory/1768-4-0x0000000005320000-0x000000000532A000-memory.dmp

Filesize
40KB

Download
memory/1768-18-0x00000000736E0000-0x0000000073DCE000-memory.dmp

Filesize
6.9MB

Download
memory/1768-2-0x0000000005840000-0x0000000005D3E000-memory.dmp

Filesize
5.0MB

Download
memory/1768-9-0x0000000005500000-0x0000000005516000-memory.dmp

Filesize
88KB

Download
memory/1768-7-0x0000000005440000-0x000000000545A000-memory.dmp

Filesize
104KB

Download
memory/1768-6-0x0000000005530000-0x00000000055CC000-memory.dmp

Filesize
624KB

Download
memory/1768-5-0x00000000736E0000-0x0000000073DCE000-memory.dmp

Filesize
6.9MB

Download
memory/1768-3-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download