e3e81949defa0a9cd29ec632907000f2911341e09765565f6835d5f5e6ce6771

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe
Size

424KB
MD5

121afc27b0e1abe1704bcabf3c8b8ec3
SHA1

9bdb3491f8d836af15f09cac82be9e6b05560204
SHA256

f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89
SHA512

127866745bf3c26a82774f1a5ef8b9e3e60883b9b53f8388813a4c6145bfeb1a695a37e9aa90a2e9bf86e1a976ea9e3672c00b48ce6cfc8a7ce8e5382f99df28
SSDEEP

6144:d4VDHxb4QmAqozabdh1GbhYzTp7Hw2mrbX58BvT3pYXjadGfqrACFoV:dgkcq2abdh1GbhYPprwxbJmrp+aYq8M

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5 = "rundll32.exe shell32.dll, ShellExec_RunDLL C:\\PROGRA~3\\D04D24~1.EXE"	icardagt.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira	icardagt.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	icardagt.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Eset\Nod	icardagt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2600 set thread context of 2876	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icardagt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe
2876	icardagt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2876	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	31
PID 2600 wrote to memory of 2876	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	31
PID 2600 wrote to memory of 2876	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	31
PID 2600 wrote to memory of 2876	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	31
PID 2600 wrote to memory of 2876	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	31
PID 2600 wrote to memory of 2876	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	31
PID 2600 wrote to memory of 2876	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	31
PID 2600 wrote to memory of 2876	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	31
PID 2600 wrote to memory of 2876	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	31
PID 2600 wrote to memory of 2876	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	31
PID 2600 wrote to memory of 2876	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	31
PID 2600 wrote to memory of 2876	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	31
PID 2600 wrote to memory of 2828	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	33
PID 2600 wrote to memory of 2828	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	33
PID 2600 wrote to memory of 2828	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	33
PID 2600 wrote to memory of 2828	2600	f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe	33
PID 2828 wrote to memory of 2224	2828	cmd.exe	35
PID 2828 wrote to memory of 2224	2828	cmd.exe	35
PID 2828 wrote to memory of 2224	2828	cmd.exe	35
PID 2828 wrote to memory of 2224	2828	cmd.exe	35

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2224	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe
"C:\Users\Admin\AppData\Local\Temp\f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\syswow64\icardagt.exe
  "icardagt.exe"
  2⤵
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\xme121D.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\f754fefacb54d2b54d232a2465cfee59e3393fbc5a5fb1061709bebf06e74c89.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\d04d24j4fb.exe

Filesize
424KB

MD5
2462bc145603ec69236e7354cb744de4

SHA1
d47d4d2424a320118340723b62aad6b4f9d28164

SHA256
8c2e3015426cda9b2c73f4af92f0f1ab883bf049dc3d75aae7e9ca65840e6e50

SHA512
ef8705b7abb00650df70b2ce59aca85f39115b357e6aa77e0cba8d7075f93d8e5ddc6bd6417b27a38bb7a74570afaaca9feb7dce3cc9f999f827ddd8a445145b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d43514e66e9c0a80acb4

Filesize
29B

MD5
5f01fca9474e9d650249e3d490ff27c9

SHA1
073603d23fa58f75e675fe826207b40acc105729

SHA256
61395e17bf049b4b81727187c65f0292140a7ad33ce00a7cae4bbb3361600a50

SHA512
739e15bdc406500a3feea1de3241698b7979755693040b748f9f779123a505912d637668ee5c70a2cfe4a7d76e1e52863aa05492425741cda24306d5e698aeda

Download Submit
C:\Users\Admin\AppData\Roaming\xme121D.tmp.bat

Filesize
58B

MD5
04dda96460885dc9b0ea4ab53cec8682

SHA1
3e74ad7822886c0212cf1de5508ec5022e95dc57

SHA256
bcf4909f48c152bd763476f2ca5e3061e3cfd6669ec7bbaf132b94e330ba9fd1

SHA512
4b708a7cc3f29eedeed43793cafde59234f5ed2b115c3e3f4eba90aa07759d9c2578cb06ee504ee9dca9d44d63339f3237e94355da0e4f46b20a00d19f8906aa

Download Submit
memory/2600-0-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2600-2-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2600-3-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2600-15-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/2600-16-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2600-1-0x0000000000469000-0x000000000046E000-memory.dmp

Filesize
20KB

Download
memory/2600-334-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2600-335-0x0000000000469000-0x000000000046E000-memory.dmp

Filesize
20KB

Download
memory/2876-17-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-338-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-21-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-18-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-19-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-317-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2876-316-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2876-315-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-24-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-25-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-26-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-23-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-340-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-13-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2876-343-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-14-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2876-365-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-367-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-370-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-389-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2876-390-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2876-391-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download