a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e

Resubmissions

11/09/2024, 19:15

240911-xyhb5axgpl 8

11/09/2024, 19:12

240911-xwla1ayblb 8

Analysis

max time kernel
359s
max time network
362s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 19:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
Size

1.0MB
MD5

7c3e5f4c1e0e14f51b6f5a19ba6e1bae
SHA1

73745c924a5f61fe1f9e489bbe6534c5c95c2452
SHA256

a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e
SHA512

e1416d9005285894b68aec509fd86ee5b8c320f80da3db8fdd8bce708fd0cd8fff2ce1c6fb9017c359b9169421be28a646f8179b78e79387da18c86d1eb56a5b
SSDEEP

24576:yJeo26y1eqAyY6fNC1TvD3v8BsOQRsnbP5u:K92NC1TLz0bPs

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3036	powershell.exe
2764	powershell.exe
2716	powershell.exe
1640	powershell.exe
2016	powershell.exe
1116	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1800	Setup.exe
1264	Setup.exe

Loads dropped DLL 16 IoCs

pid	Process
1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3012	1800	WerFault.exe	31
632	1264	WerFault.exe	43

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3036	powershell.exe
2764	powershell.exe
2716	powershell.exe
1640	powershell.exe
2016	powershell.exe
1116	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1800	1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	31
PID 1668 wrote to memory of 1800	1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	31
PID 1668 wrote to memory of 1800	1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	31
PID 1668 wrote to memory of 1800	1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	31
PID 1668 wrote to memory of 1800	1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	31
PID 1668 wrote to memory of 1800	1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	31
PID 1668 wrote to memory of 1800	1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	31
PID 1800 wrote to memory of 2484	1800	Setup.exe	32
PID 1800 wrote to memory of 2484	1800	Setup.exe	32
PID 1800 wrote to memory of 2484	1800	Setup.exe	32
PID 1800 wrote to memory of 2484	1800	Setup.exe	32
PID 2484 wrote to memory of 3036	2484	cmd.exe	34
PID 2484 wrote to memory of 3036	2484	cmd.exe	34
PID 2484 wrote to memory of 3036	2484	cmd.exe	34
PID 2484 wrote to memory of 3036	2484	cmd.exe	34
PID 1800 wrote to memory of 2708	1800	Setup.exe	35
PID 1800 wrote to memory of 2708	1800	Setup.exe	35
PID 1800 wrote to memory of 2708	1800	Setup.exe	35
PID 1800 wrote to memory of 2708	1800	Setup.exe	35
PID 2708 wrote to memory of 2764	2708	cmd.exe	37
PID 2708 wrote to memory of 2764	2708	cmd.exe	37
PID 2708 wrote to memory of 2764	2708	cmd.exe	37
PID 2708 wrote to memory of 2764	2708	cmd.exe	37
PID 1800 wrote to memory of 2572	1800	Setup.exe	38
PID 1800 wrote to memory of 2572	1800	Setup.exe	38
PID 1800 wrote to memory of 2572	1800	Setup.exe	38
PID 1800 wrote to memory of 2572	1800	Setup.exe	38
PID 2572 wrote to memory of 2716	2572	cmd.exe	40
PID 2572 wrote to memory of 2716	2572	cmd.exe	40
PID 2572 wrote to memory of 2716	2572	cmd.exe	40
PID 2572 wrote to memory of 2716	2572	cmd.exe	40
PID 1800 wrote to memory of 3012	1800	Setup.exe	41
PID 1800 wrote to memory of 3012	1800	Setup.exe	41
PID 1800 wrote to memory of 3012	1800	Setup.exe	41
PID 1800 wrote to memory of 3012	1800	Setup.exe	41
PID 1668 wrote to memory of 1264	1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	43
PID 1668 wrote to memory of 1264	1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	43
PID 1668 wrote to memory of 1264	1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	43
PID 1668 wrote to memory of 1264	1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	43
PID 1668 wrote to memory of 1264	1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	43
PID 1668 wrote to memory of 1264	1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	43
PID 1668 wrote to memory of 1264	1668	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	43
PID 1264 wrote to memory of 2164	1264	Setup.exe	44
PID 1264 wrote to memory of 2164	1264	Setup.exe	44
PID 1264 wrote to memory of 2164	1264	Setup.exe	44
PID 1264 wrote to memory of 2164	1264	Setup.exe	44
PID 2164 wrote to memory of 1640	2164	cmd.exe	46
PID 2164 wrote to memory of 1640	2164	cmd.exe	46
PID 2164 wrote to memory of 1640	2164	cmd.exe	46
PID 2164 wrote to memory of 1640	2164	cmd.exe	46
PID 1264 wrote to memory of 980	1264	Setup.exe	47
PID 1264 wrote to memory of 980	1264	Setup.exe	47
PID 1264 wrote to memory of 980	1264	Setup.exe	47
PID 1264 wrote to memory of 980	1264	Setup.exe	47
PID 980 wrote to memory of 2016	980	cmd.exe	49
PID 980 wrote to memory of 2016	980	cmd.exe	49
PID 980 wrote to memory of 2016	980	cmd.exe	49
PID 980 wrote to memory of 2016	980	cmd.exe	49
PID 1264 wrote to memory of 776	1264	Setup.exe	50
PID 1264 wrote to memory of 776	1264	Setup.exe	50
PID 1264 wrote to memory of 776	1264	Setup.exe	50
PID 1264 wrote to memory of 776	1264	Setup.exe	50
PID 776 wrote to memory of 1116	776	cmd.exe	52
PID 776 wrote to memory of 1116	776	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
"C:\Users\Admin\AppData\Local\Temp\a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 364
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3012
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 280
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
46678a8f3f7f6d0c345880505f9e39be

SHA1
98aea57b2a9938699d413a51d0327b496ad0a6c5

SHA256
a1072555a6e460c0115a17c0d20225b0868a1f617a0fa088181293b74145705e

SHA512
fe67731a1daf5be7968888881350d51b615b65fedbc06872eed2ed5eb0738f7c778618bd8915357b13b918a2bd3be868c8924650169e732ba24225b73e319cdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0f3350a43ebe108eddcb773843fd0b75

SHA1
52966d10dfbbbdf00fdadb898251774437d1c58a

SHA256
4295945650671fe3aa0d0e4f5b8ab6f0fb71a32c2f112dcb2ccd9c3ea3cc4774

SHA512
518dcd8b4350499699428ec9dcbe1443a60f035858c8d021dcd2f682d0dc580fff5aca0bedfaa0f14ad7910cf7bcb6e7da1fc9d3011f6e939f8f37d64462fa1a

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
888KB

MD5
ae9bb8668b8afd40c9305886c6904399

SHA1
810113c11e98789cb607b897a5f144937083d692

SHA256
f80a3287b4e3de00f4b957a0f4e05b9f0aa181268dd041e94610cdac38246718

SHA512
3ac907f4defe0d8b8c37ffee305c13d4340667e2822ff748391121f775732b1d36d73dfd41bec18032ff113a80cad18bc319a0153541af2d8969b2a5aa174623

Download Submit