013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
Size

858KB
MD5

b350cd206fef3c85b464eb38c0aa7a6e
SHA1

f69d2ad78ae1efa4aa9f1f67947972e54c340484
SHA256

013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5
SHA512

a407aaa7d26de6dfa1b0a6f05ef4d521b4ca146a27bbca4b2c17acdd86062cbca2e3c9559690b16969c01ec0b6e4bae62f462603e59b01e7844a0db70db6aaab
SSDEEP

24576:S296h1OwaxiPuSNlpmVY2eInJYAP0e+8DYhuqG:l988zSNlpmVY2bRPb+Lhur

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2748	powershell.exe
2672	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
2672	powershell.exe
2748	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2748	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	30
PID 2028 wrote to memory of 2748	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	30
PID 2028 wrote to memory of 2748	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	30
PID 2028 wrote to memory of 2748	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	30
PID 2028 wrote to memory of 2672	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	32
PID 2028 wrote to memory of 2672	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	32
PID 2028 wrote to memory of 2672	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	32
PID 2028 wrote to memory of 2672	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	32
PID 2028 wrote to memory of 2552	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	33
PID 2028 wrote to memory of 2552	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	33
PID 2028 wrote to memory of 2552	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	33
PID 2028 wrote to memory of 2552	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	33
PID 2028 wrote to memory of 1600	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	36
PID 2028 wrote to memory of 1600	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	36
PID 2028 wrote to memory of 1600	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	36
PID 2028 wrote to memory of 1600	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	36
PID 2028 wrote to memory of 1420	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	37
PID 2028 wrote to memory of 1420	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	37
PID 2028 wrote to memory of 1420	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	37
PID 2028 wrote to memory of 1420	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	37
PID 2028 wrote to memory of 1992	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	38
PID 2028 wrote to memory of 1992	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	38
PID 2028 wrote to memory of 1992	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	38
PID 2028 wrote to memory of 1992	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	38
PID 2028 wrote to memory of 1712	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	39
PID 2028 wrote to memory of 1712	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	39
PID 2028 wrote to memory of 1712	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	39
PID 2028 wrote to memory of 1712	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	39
PID 2028 wrote to memory of 816	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	40
PID 2028 wrote to memory of 816	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	40
PID 2028 wrote to memory of 816	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	40
PID 2028 wrote to memory of 816	2028	013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe	40

C:\Users\Admin\AppData\Local\Temp\013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
"C:\Users\Admin\AppData\Local\Temp\013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RQlazJwKsD.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RQlazJwKsD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp822B.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
  "C:\Users\Admin\AppData\Local\Temp\013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe"
  2⤵
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
  "C:\Users\Admin\AppData\Local\Temp\013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe"
  2⤵
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
  "C:\Users\Admin\AppData\Local\Temp\013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe"
  2⤵
  PID:1992
- C:\Users\Admin\AppData\Local\Temp\013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
  "C:\Users\Admin\AppData\Local\Temp\013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe"
  2⤵
  PID:1712
- C:\Users\Admin\AppData\Local\Temp\013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe
  "C:\Users\Admin\AppData\Local\Temp\013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5.exe"
  2⤵
  PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp822B.tmp

Filesize
1KB

MD5
b5eecf68c2ed87cd724fd40ccb21a24c

SHA1
e500d212a57fde29d4734e82c718b4e18c6bccf5

SHA256
b4191a36a40f4501012d2ad0f5c2ed9714c7aabd18c0ec875763cff1a754fdb8

SHA512
45b7f218b564fb5a0140f5993ac19cc693182b744e1d2231323f4a2cf02fdea773c816958c405d3336d4d84a2c4938f3a2145c2440d6c3bd41f422834c2e9284

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5b89fb5f9251e1b9d78f4c402988e92e

SHA1
ffdc1146f694a17f4c18bf7de637d740859bebba

SHA256
29d2c8380eb8b070d352719f8070efe89fedde2725aee6cc151a3f9d024fce4d

SHA512
b58ba0a7dcb3bc3a6e72e9d6ac23bbb7eb478bf11e26a66b16e932b9b030227c258cc1b49e40c5a9212b6e734900e6927acaf0575c6625c0d18078d64546c984

Download Submit
memory/2028-0-0x0000000074D7E000-0x0000000074D7F000-memory.dmp

Filesize
4KB

Download
memory/2028-1-0x00000000003C0000-0x0000000000498000-memory.dmp

Filesize
864KB

Download
memory/2028-2-0x0000000074D70000-0x000000007545E000-memory.dmp

Filesize
6.9MB

Download
memory/2028-3-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2028-4-0x0000000074D7E000-0x0000000074D7F000-memory.dmp

Filesize
4KB

Download
memory/2028-5-0x0000000074D70000-0x000000007545E000-memory.dmp

Filesize
6.9MB

Download
memory/2028-6-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2028-7-0x0000000005B40000-0x0000000005BCC000-memory.dmp

Filesize
560KB

Download
memory/2028-20-0x0000000074D70000-0x000000007545E000-memory.dmp

Filesize
6.9MB

Download