f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a

Analysis

max time kernel
17s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
Size

603KB
MD5

af8c67ecaaf1d8a3c148b3b994738f50
SHA1

ecf9e0b3eca2e745b460caa0513926256fd6ba36
SHA256

f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a
SHA512

2b5abb2587335a4c32ff03d4a4862d36cba51decb9381f71d99e08d1500fda37a91c8304ac36e2555481614c405673d3e6dbb65d5cbb8ed86336c790663c6b24
SSDEEP

12288:cbVVztMJXXiP1ysEXfq28bIV/46we6H4eLt7P5Jqq6f:0ztoXXO1yNfEbQ/4yMF/B6

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2096	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
2096	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
Token: SeDebugPrivilege	2096	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2096	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	29
PID 2552 wrote to memory of 2096	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	29
PID 2552 wrote to memory of 2096	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	29
PID 2552 wrote to memory of 2096	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	29
PID 2552 wrote to memory of 2472	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	31
PID 2552 wrote to memory of 2472	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	31
PID 2552 wrote to memory of 2472	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	31
PID 2552 wrote to memory of 2472	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	31
PID 2552 wrote to memory of 2780	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	33
PID 2552 wrote to memory of 2780	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	33
PID 2552 wrote to memory of 2780	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	33
PID 2552 wrote to memory of 2780	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	33
PID 2552 wrote to memory of 2760	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	34
PID 2552 wrote to memory of 2760	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	34
PID 2552 wrote to memory of 2760	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	34
PID 2552 wrote to memory of 2760	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	34
PID 2552 wrote to memory of 2752	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	35
PID 2552 wrote to memory of 2752	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	35
PID 2552 wrote to memory of 2752	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	35
PID 2552 wrote to memory of 2752	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	35
PID 2552 wrote to memory of 2440	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	36
PID 2552 wrote to memory of 2440	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	36
PID 2552 wrote to memory of 2440	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	36
PID 2552 wrote to memory of 2440	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	36
PID 2552 wrote to memory of 3004	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	37
PID 2552 wrote to memory of 3004	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	37
PID 2552 wrote to memory of 3004	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	37
PID 2552 wrote to memory of 3004	2552	f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe	37

C:\Users\Admin\AppData\Local\Temp\f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
"C:\Users\Admin\AppData\Local\Temp\f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GTZFWbhtAZrT.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GTZFWbhtAZrT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7FBB.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
  "C:\Users\Admin\AppData\Local\Temp\f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe"
  2⤵
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
  "C:\Users\Admin\AppData\Local\Temp\f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe"
  2⤵
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
  "C:\Users\Admin\AppData\Local\Temp\f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe"
  2⤵
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
  "C:\Users\Admin\AppData\Local\Temp\f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe"
  2⤵
  PID:2440
- C:\Users\Admin\AppData\Local\Temp\f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe
  "C:\Users\Admin\AppData\Local\Temp\f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a.exe"
  2⤵
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7FBB.tmp

Filesize
1KB

MD5
a18ec64da75d286aa0aa89244c7a134b

SHA1
76e470cae586506af822d0a29ad5961f66855a7b

SHA256
7da24be8a4c3aa439a9eb716663798672894f1786935828d7c595419e424ab96

SHA512
5caaa8462b8dd3104c49eaf4bac7b37b038c38a9c91d3870f9b667b717eda74413fb12167b3553f5f04f7722ce6ac4118de217e1de7ef8475d91e5836f60259f

Download Submit
memory/2552-0-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/2552-1-0x0000000000380000-0x000000000041C000-memory.dmp

Filesize
624KB

Download
memory/2552-2-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-3-0x0000000000500000-0x0000000000518000-memory.dmp

Filesize
96KB

Download
memory/2552-4-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/2552-5-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-6-0x00000000007A0000-0x0000000000816000-memory.dmp

Filesize
472KB

Download
memory/2552-14-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download