a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e

Resubmissions

11-09-2024 19:15

240911-xyhb5axgpl 8

11-09-2024 19:12

240911-xwla1ayblb 8

Analysis

max time kernel
316s
max time network
317s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
Size

1.0MB
MD5

7c3e5f4c1e0e14f51b6f5a19ba6e1bae
SHA1

73745c924a5f61fe1f9e489bbe6534c5c95c2452
SHA256

a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e
SHA512

e1416d9005285894b68aec509fd86ee5b8c320f80da3db8fdd8bce708fd0cd8fff2ce1c6fb9017c359b9169421be28a646f8179b78e79387da18c86d1eb56a5b
SSDEEP

24576:yJeo26y1eqAyY6fNC1TvD3v8BsOQRsnbP5u:K92NC1TLz0bPs

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2784	powershell.exe
3024	powershell.exe
2400	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
944	Setup.exe

Loads dropped DLL 8 IoCs

pid	Process
2880	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
2880	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
2880	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2052	944	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2784	powershell.exe
3024	powershell.exe
2400	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 944	2880	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	29
PID 2880 wrote to memory of 944	2880	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	29
PID 2880 wrote to memory of 944	2880	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	29
PID 2880 wrote to memory of 944	2880	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	29
PID 2880 wrote to memory of 944	2880	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	29
PID 2880 wrote to memory of 944	2880	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	29
PID 2880 wrote to memory of 944	2880	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	29
PID 944 wrote to memory of 2852	944	Setup.exe	30
PID 944 wrote to memory of 2852	944	Setup.exe	30
PID 944 wrote to memory of 2852	944	Setup.exe	30
PID 944 wrote to memory of 2852	944	Setup.exe	30
PID 2852 wrote to memory of 2784	2852	cmd.exe	32
PID 2852 wrote to memory of 2784	2852	cmd.exe	32
PID 2852 wrote to memory of 2784	2852	cmd.exe	32
PID 2852 wrote to memory of 2784	2852	cmd.exe	32
PID 944 wrote to memory of 2948	944	Setup.exe	33
PID 944 wrote to memory of 2948	944	Setup.exe	33
PID 944 wrote to memory of 2948	944	Setup.exe	33
PID 944 wrote to memory of 2948	944	Setup.exe	33
PID 2948 wrote to memory of 3024	2948	cmd.exe	35
PID 2948 wrote to memory of 3024	2948	cmd.exe	35
PID 2948 wrote to memory of 3024	2948	cmd.exe	35
PID 2948 wrote to memory of 3024	2948	cmd.exe	35
PID 944 wrote to memory of 2716	944	Setup.exe	36
PID 944 wrote to memory of 2716	944	Setup.exe	36
PID 944 wrote to memory of 2716	944	Setup.exe	36
PID 944 wrote to memory of 2716	944	Setup.exe	36
PID 2716 wrote to memory of 2400	2716	cmd.exe	38
PID 2716 wrote to memory of 2400	2716	cmd.exe	38
PID 2716 wrote to memory of 2400	2716	cmd.exe	38
PID 2716 wrote to memory of 2400	2716	cmd.exe	38
PID 944 wrote to memory of 2052	944	Setup.exe	39
PID 944 wrote to memory of 2052	944	Setup.exe	39
PID 944 wrote to memory of 2052	944	Setup.exe	39
PID 944 wrote to memory of 2052	944	Setup.exe	39

C:\Users\Admin\AppData\Local\Temp\a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
"C:\Users\Admin\AppData\Local\Temp\a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 692
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e54a75f474ba64d7bf189110e7ccb5b8

SHA1
3dc4f0653729928d489ff75e278f789e07c190f3

SHA256
cf893b857503abf0f108735c8fc779354f76d52a2cb34e3f732fe2a330dca7d2

SHA512
56c3ff78ac19b831a942345d01fcba5bad0960deb46860612f0d1ed1b436974c1ce630e11fa0971dcf2ac25a2cdbddb7921ab30ea3077d42aaf7fe9eea6c6540

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
888KB

MD5
ae9bb8668b8afd40c9305886c6904399

SHA1
810113c11e98789cb607b897a5f144937083d692

SHA256
f80a3287b4e3de00f4b957a0f4e05b9f0aa181268dd041e94610cdac38246718

SHA512
3ac907f4defe0d8b8c37ffee305c13d4340667e2822ff748391121f775732b1d36d73dfd41bec18032ff113a80cad18bc319a0153541af2d8969b2a5aa174623

Download Submit