Overview

overview

8

Static

static

3

8b1cd2b248...0N.exe

windows7-x64

8

8b1cd2b248...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    64s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/09/2024, 21:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8b1cd2b2487837483858606adc6a3b80N.exe

  • Size

    3.5MB

  • MD5

    8b1cd2b2487837483858606adc6a3b80

  • SHA1

    55682248b0dd2e07897fa521c83833a5c8e276d8

  • SHA256

    2ca447137bccccda45ac2f8d372e2a79020b7eba06e04316aea56a089887afac

  • SHA512

    57dff392b2855df5bff54919a7f15531c36fc381f4c2df7b7bad8eb9dd29a37195e6951ccf39bf3565b31cbbd4d96a87fb6886de85c3f9a9ecd482e5c01673e5

  • SSDEEP

    98304:h/FBcFwihwtTx3h9OD4CpygBIF+EOT10XN:xFBpi+xjW4CppEOT2d

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b1cd2b2487837483858606adc6a3b80N.exe
    "C:\Users\Admin\AppData\Local\Temp\8b1cd2b2487837483858606adc6a3b80N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ACCApi'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1912
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Local\Temp\ACCApi\apihost.exe" /st 21:36 /du 23:59 /sc daily /ri 1 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2088
    • C:\Users\Admin\AppData\Local\Temp\ACCApi\apihost.exe
      "C:\Users\Admin\AppData\Local\Temp\ACCApi\apihost.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      PID:2308
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD124.tmp.cmd""
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\SysWOW64\timeout.exe
        timeout 6
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2724

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpD124.tmp.cmd
          Filesize

          185B

          MD5

          1522d46b37fcc9fed56143cbc262d152

          SHA1

          c781ff3c72af04ebcc78e2be5a5429810cfb926e

          SHA256

          a67b8a3fde6bd34fa58f5d055f364da8fe588ff852c5e365138a34da103dff0a

          SHA512

          36383bc8cd623130f33b8c54e0600bf1882f18761395dd711f40cff2070eb42163068db447aab1e78d6e89775a75da3b6cd8c26e77ecc372cf3258a37d18c77d

          Download Submit

        • \Users\Admin\AppData\Local\Temp\ACCApi\apihost.exe
          Filesize

          3.8MB

          MD5

          b74c9b33ff479bb743d3eb74bd7075c7

          SHA1

          f2e081702dd0ff1230559d6e4b32d628066cab43

          SHA256

          7cd421ce10f3e1aa01bc724a2d74beb3f17741fc401ada7c3f031fc0cbb7f917

          SHA512

          7d641106a20f8dfda1e1b81ec7c2d089a8a2272f760d473b883ff0f3d5a4dc06928e2e2fd69704fffeafe5702fd9f89faef2c492ea3e18b8043d3309ca412e55

          Download Submit

        • memory/2228-0-0x000000007453E000-0x000000007453F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2228-1-0x00000000008F0000-0x0000000000908000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2308-17-0x0000000000F10000-0x0000000000F28000-memory.dmp

          Filesize

          96KB

          Download