9797437be69c30487304454b6531f686b350c9399516066a5d460042c67277cc

Analysis

max time kernel
48s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
Size

1.0MB
MD5

ee4e163f38aca1399baa166ca87561d0
SHA1

950960b4606eb30402e53415d30d6591fa92fde9
SHA256

9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8
SHA512

9e121dee4f9f1acc8ca9169ea4161a7654c849cc04b40baa93c24b20003f511c96ff369e9f3913305e3f230de935d8ff3ea522c12e14b71153c50d6113f425dd
SSDEEP

24576:0HH6h1OoaYANm0loL58KwewFARcqlE3r9HMQKN:k8t0loL58KwLgQ7lMQKN

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1264	powershell.exe
2656	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
2656	powershell.exe
1264	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 2656	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	29
PID 560 wrote to memory of 2656	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	29
PID 560 wrote to memory of 2656	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	29
PID 560 wrote to memory of 2656	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	29
PID 560 wrote to memory of 1264	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	31
PID 560 wrote to memory of 1264	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	31
PID 560 wrote to memory of 1264	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	31
PID 560 wrote to memory of 1264	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	31
PID 560 wrote to memory of 2652	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	33
PID 560 wrote to memory of 2652	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	33
PID 560 wrote to memory of 2652	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	33
PID 560 wrote to memory of 2652	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	33
PID 560 wrote to memory of 1056	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	35
PID 560 wrote to memory of 1056	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	35
PID 560 wrote to memory of 1056	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	35
PID 560 wrote to memory of 1056	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	35
PID 560 wrote to memory of 436	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	36
PID 560 wrote to memory of 436	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	36
PID 560 wrote to memory of 436	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	36
PID 560 wrote to memory of 436	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	36
PID 560 wrote to memory of 2400	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	37
PID 560 wrote to memory of 2400	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	37
PID 560 wrote to memory of 2400	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	37
PID 560 wrote to memory of 2400	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	37
PID 560 wrote to memory of 1344	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	38
PID 560 wrote to memory of 1344	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	38
PID 560 wrote to memory of 1344	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	38
PID 560 wrote to memory of 1344	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	38
PID 560 wrote to memory of 2344	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	39
PID 560 wrote to memory of 2344	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	39
PID 560 wrote to memory of 2344	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	39
PID 560 wrote to memory of 2344	560	9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe	39

C:\Users\Admin\AppData\Local\Temp\9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
"C:\Users\Admin\AppData\Local\Temp\9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GIxoePCFR.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GIxoePCFR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD0B7.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
  "C:\Users\Admin\AppData\Local\Temp\9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe"
  2⤵
  PID:1056
- C:\Users\Admin\AppData\Local\Temp\9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
  "C:\Users\Admin\AppData\Local\Temp\9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe"
  2⤵
  PID:436
- C:\Users\Admin\AppData\Local\Temp\9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
  "C:\Users\Admin\AppData\Local\Temp\9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe"
  2⤵
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
  "C:\Users\Admin\AppData\Local\Temp\9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe"
  2⤵
  PID:1344
- C:\Users\Admin\AppData\Local\Temp\9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe
  "C:\Users\Admin\AppData\Local\Temp\9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8.exe"
  2⤵
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD0B7.tmp

Filesize
1KB

MD5
a487385a9d5bf7b074794e8abb78d7cb

SHA1
3555c5031a4479dcad071c0d4596e2f04691f273

SHA256
d5396b9f248e6628a111c6930cfe5e25d14c87c6d5925a20e30495f22fb390e3

SHA512
09dda361039b8f6630f9879ea36dbd39643090f0985393dbf82394982b686817131a8531944aea760879a26adc911360c12eaea3baf73d9fbcaf4585a5658301

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6b6764b4d5ef0264cf94be16fc7bbf83

SHA1
9a8babf97f2e22e1e3e35c268807c9be658f8f2c

SHA256
8af1b1205b793903f25b8f3d05f8bc79e82f676307c072fce0ee219e8c6fcd21

SHA512
41d329477bf2f8b8ef670ea71a33f0698959193f7356445cfd9d2163c9f4fe356883820b8f4099913e409c2ca8fbd6b4c31922fcd4be9d60e24d74ad6f582b4b

Download Submit
memory/560-0-0x000000007477E000-0x000000007477F000-memory.dmp

Filesize
4KB

Download
memory/560-1-0x0000000000330000-0x0000000000438000-memory.dmp

Filesize
1.0MB

Download
memory/560-2-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/560-3-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/560-4-0x000000007477E000-0x000000007477F000-memory.dmp

Filesize
4KB

Download
memory/560-5-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/560-6-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/560-7-0x0000000005400000-0x00000000054C0000-memory.dmp

Filesize
768KB

Download
memory/560-20-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download