7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
Size

1.0MB
MD5

f2e67a1bef67fa4f49dce815b93eeefb
SHA1

1b75d6182523dc35cf13e5e9430194196fb44aeb
SHA256

7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d
SHA512

d0b2dd442d20921c63716eb5974fcd450d3ff800bbcb9dae84efc1743f0dcd8784c72debaa86841fa90d8a3c1e727d194adc022b4513484d9820777ceef4b7a0
SSDEEP

24576:R1iZQZd2PbZwVslxyAcM3wpGVkYZPGX2lxxuQQGnI:zUZTl4Ad31VkYhs+QtP

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1060	powershell.exe
2700	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
2700	powershell.exe
1060	powershell.exe
2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1060	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	30
PID 2960 wrote to memory of 1060	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	30
PID 2960 wrote to memory of 1060	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	30
PID 2960 wrote to memory of 1060	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	30
PID 2960 wrote to memory of 2700	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	32
PID 2960 wrote to memory of 2700	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	32
PID 2960 wrote to memory of 2700	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	32
PID 2960 wrote to memory of 2700	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	32
PID 2960 wrote to memory of 2796	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	34
PID 2960 wrote to memory of 2796	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	34
PID 2960 wrote to memory of 2796	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	34
PID 2960 wrote to memory of 2796	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	34
PID 2960 wrote to memory of 2752	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	36
PID 2960 wrote to memory of 2752	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	36
PID 2960 wrote to memory of 2752	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	36
PID 2960 wrote to memory of 2752	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	36
PID 2960 wrote to memory of 2588	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	37
PID 2960 wrote to memory of 2588	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	37
PID 2960 wrote to memory of 2588	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	37
PID 2960 wrote to memory of 2588	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	37
PID 2960 wrote to memory of 2584	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	38
PID 2960 wrote to memory of 2584	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	38
PID 2960 wrote to memory of 2584	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	38
PID 2960 wrote to memory of 2584	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	38
PID 2960 wrote to memory of 1916	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	39
PID 2960 wrote to memory of 1916	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	39
PID 2960 wrote to memory of 1916	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	39
PID 2960 wrote to memory of 1916	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	39
PID 2960 wrote to memory of 2756	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	40
PID 2960 wrote to memory of 2756	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	40
PID 2960 wrote to memory of 2756	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	40
PID 2960 wrote to memory of 2756	2960	7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe	40

C:\Users\Admin\AppData\Local\Temp\7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
"C:\Users\Admin\AppData\Local\Temp\7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qmXhNnW.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmXhNnW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
  "C:\Users\Admin\AppData\Local\Temp\7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe"
  2⤵
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
  "C:\Users\Admin\AppData\Local\Temp\7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe"
  2⤵
  PID:2588
- C:\Users\Admin\AppData\Local\Temp\7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
  "C:\Users\Admin\AppData\Local\Temp\7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe"
  2⤵
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
  "C:\Users\Admin\AppData\Local\Temp\7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe"
  2⤵
  PID:1916
- C:\Users\Admin\AppData\Local\Temp\7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe
  "C:\Users\Admin\AppData\Local\Temp\7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d.exe"
  2⤵
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp

Filesize
1KB

MD5
b042d1eec732a1a4cbff80607eda9a5f

SHA1
31ead7ed8626855e357a20b6c5bbb670bc1d0aae

SHA256
3b0763ebe1d7dbaa6f8973d4f034d45c7b0cc1938d7d81e9d0b9796edb54bd50

SHA512
579629b2ea0572cf6d2ae705bb7602e65cb1d0a29f9f0d8daac08002c41224c4226022a687e2f6862385a1c6969a703bef69990d811861765a0e2068ecc508d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3VM1YIZQYWSH6QFSQJHK.temp

Filesize
7KB

MD5
b372ec0c3c5f9e5f5cfffd7e11f341db

SHA1
81a70a360116acf6a870da980a9e2615b71a05ca

SHA256
a039602045db669365fe2f2afe72697ae04a17cce47cfab63802aa1f04e242d6

SHA512
077cedb85837914984fed4c4b00e6322a03bc422577588f45f2dc93ea77f4cfbb31fd31970f0b2c9382fcd0290162b2ea89d5e07f94e14b06956da9d0b06aab9

Download Submit
memory/2960-0-0x00000000744FE000-0x00000000744FF000-memory.dmp

Filesize
4KB

Download
memory/2960-1-0x0000000000390000-0x0000000000496000-memory.dmp

Filesize
1.0MB

Download
memory/2960-2-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2960-3-0x0000000004FF0000-0x00000000050CE000-memory.dmp

Filesize
888KB

Download
memory/2960-4-0x0000000000A40000-0x0000000000A58000-memory.dmp

Filesize
96KB

Download
memory/2960-5-0x00000000744FE000-0x00000000744FF000-memory.dmp

Filesize
4KB

Download
memory/2960-6-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2960-7-0x00000000050D0000-0x0000000005190000-memory.dmp

Filesize
768KB

Download
memory/2960-20-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download