Analysis
max time kernel:   117s
max time network:  118s
platform:          windows7_x64
resource:          win7-20240903-en
resource tags:     arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted:         14-09-2024 01:55

Static task:      static1
Behavioral task:  behavioral1
  Sample:    d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe
  Resource:  win7-20240903-en
Behavioral task:  behavioral2
  Sample:    d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe
  Resource:  win10v2004-20240802-en

The signatures, process tree and dropped files below are from behavioral1 (the Windows 7 x64 run).
General
Target:  d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe
Size:    640KB
MD5:     61217d7c7664881d1d97df8a3c539cc4
SHA1:    c6f020de1f91d2e82883ad60056429f9ef20684a
SHA256:  d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db
SHA512:  aec3b2061111850e384e847720cf572291d7e9eed8a012345ba34ac855396e1422ce9b8362efe85d857daf08cb63d9df0397daa7d127e08b62ab85fa7cb4a028
SSDEEP:  12288:S0gFxlwGD/ERhZ3YtrWPciSFxUTjKjdAwDxnmYXuFGDDhXH:i7zMhhur1iSOjsdAMxmIAO
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run both invocations use Add-MpPreference -ExclusionPath: one for the sample's own path in %TEMP%, one for C:\Users\Admin\AppData\Roaming\mtZujz.exe (see Processes). Adding an exclusion needs administrative rights, so the signature firing also tells you the sample ran elevated in the sandbox.
pid    Process
2264   powershell.exe
860    powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. This heuristic keys on a registry read that many legitimate processes also perform (here it fires for schtasks.exe and both PowerShell hosts as well as the sample), so treat it as low-signal on its own.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\mtZujz" is created from an XML definition written to %TEMP% (tmp17E4.tmp); the XML itself is not included in this report.
pid    Process
2652   schtasks.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
pid    Process                                                                 entries
1320   d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe   11
2264   powershell.exe                                                          1
860    powershell.exe                                                          1
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid    Process
Token: SeDebugPrivilege  1320   d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe
Token: SeDebugPrivilege  2264   powershell.exe
Token: SeDebugPrivilege  860    powershell.exe
Suspicious use of WriteProcessMemory (32 IoCs)
Every entry has the sample as the writer (pid 1320, d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe); each target is logged four times.
description                        procid_target   target process                 entries
PID 1320 wrote to memory of 2264   31              powershell.exe                 4
PID 1320 wrote to memory of 860    33              powershell.exe                 4
PID 1320 wrote to memory of 2652   35              schtasks.exe                   4
PID 1320 wrote to memory of 2852   37              copy of the sample (child)     4
PID 1320 wrote to memory of 2928   38              copy of the sample (child)     4
PID 1320 wrote to memory of 2880   39              copy of the sample (child)     4
PID 1320 wrote to memory of 2920   40              copy of the sample (child)     4
PID 1320 wrote to memory of 2864   41              copy of the sample (child)     4
Processes

C:\Users\Admin\AppData\Local\Temp\d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe  (PID 1320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  +-- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2264)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  +-- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 860)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mtZujz.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  +-- C:\Windows\SysWOW64\schtasks.exe  (PID 2652)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mtZujz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp17E4.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  +-- C:\Users\Admin\AppData\Local\Temp\d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe  (PID 2852)
      Command line: "C:\Users\Admin\AppData\Local\Temp\d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe"

  +-- C:\Users\Admin\AppData\Local\Temp\d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe  (PID 2928)
      Command line: "C:\Users\Admin\AppData\Local\Temp\d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe"

  +-- C:\Users\Admin\AppData\Local\Temp\d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe  (PID 2880)
      Command line: "C:\Users\Admin\AppData\Local\Temp\d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe"

  +-- C:\Users\Admin\AppData\Local\Temp\d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe  (PID 2920)
      Command line: "C:\Users\Admin\AppData\Local\Temp\d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe"

  +-- C:\Users\Admin\AppData\Local\Temp\d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe  (PID 2864)
      Command line: "C:\Users\Admin\AppData\Local\Temp\d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe"

Notes on the tree:
- The sample asks for powershell.exe and schtasks.exe under C:\Windows\System32\, but the images that actually run are under C:\Windows\SysWOW64\. That is WoW64 file-system redirection, which only happens to a 32-bit process on 64-bit Windows; the sample is therefore 32-bit, and the Defender exclusions were added from the 32-bit PowerShell host. Detection logic that matches on the image path and the command line separately will see two different strings for the same process.
- The five children at PIDs 2852, 2928, 2880, 2920 and 2864 are fresh copies of the sample's own image, each of which received memory writes from the parent (see WriteProcessMemory above) and recorded no further behaviour of its own. Spawning one's own image and writing into it is the shape of process hollowing or self-injection; the report does not show what, if anything, was written, so that is an inference from the tree, not a confirmed payload.
- The exclusion for C:\Users\Admin\AppData\Roaming\mtZujz.exe and the task name Updates\mtZujz point at a persisted copy under %APPDATA%, but no dropped file at that path appears in the Downloads list of this report.
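The signatures and the process tree above are exactly the kind of telemetry a detection pipeline consumes, so here is an added example (not the sandbox's own code, and not part of the original report) that encodes four checks a practitioner would write from this report: Add-MpPreference exclusions (generalised from -ExclusionPath to the -ExclusionProcess and -ExclusionExtension forms the signature text also mentions), schtasks /Create fed an XML task definition from a user temp directory, the SysWOW64-vs-System32 path mismatch that reveals a 32-bit parent, and self-spawned children that also receive WriteProcessMemory from their parent. The events are hand-constructed from the tree printed above; the parent PID of the sample (1000) is an assumption, as is the Sysmon-style Image/CommandLine field naming.

```python
"""Triage rules over process-creation events, modelled on this report's tree.
Added example; the events are constructed from the report, not exported telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable actually mapped (Sysmon EID 1 "Image"; field name assumed)
    cmdline: str    # command line as logged ("CommandLine")


SAMPLE = "d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
DROP_PATH = r"C:\Users\Admin\AppData\Roaming\mtZujz.exe"
TASK_XML = TEMP + r"\tmp17E4.tmp"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"   # what ran
PS_ARGV0 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"   # what was requested

# Constructed events mirroring the report's tree; PPID 1000 for the sample is assumed.
EVENTS = [
    ProcEvent(1320, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(2264, 1320, PS_IMAGE, f'"{PS_ARGV0}" Add-MpPreference -ExclusionPath "{SAMPLE_PATH}"'),
    ProcEvent(860, 1320, PS_IMAGE, f'"{PS_ARGV0}" Add-MpPreference -ExclusionPath "{DROP_PATH}"'),
    ProcEvent(2652, 1320, r"C:\Windows\SysWOW64\schtasks.exe",
              f'"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\mtZujz" /XML "{TASK_XML}"'),
] + [ProcEvent(pid, 1320, SAMPLE_PATH, f'"{SAMPLE_PATH}"') for pid in (2852, 2928, 2880, 2920, 2864)]

# Constructed WriteProcessMemory edges (source pid, target pid), one per target in the report.
WRITES = {(1320, t) for t in (2264, 860, 2652, 2852, 2928, 2880, 2920, 2864)}

EXCLUSION_RE = re.compile(r'Add-MpPreference\s.*?-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)"?', re.I)
SCHTASKS_RE = re.compile(r'/create\b.*?/xml\s+"?([^"]+)"?', re.I)


def argv0(cmdline: str) -> str:
    """First token of a command line, honouring a quoted image path."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def defender_exclusions(events):
    """(pid, excluded value) for each PowerShell process that adds a Defender exclusion."""
    hits = []
    for e in events:
        if e.image.lower().endswith("powershell.exe"):
            m = EXCLUSION_RE.search(e.cmdline)
            if m:
                hits.append((e.pid, m.group(1)))
    return hits


def tasks_from_temp_xml(events):
    """schtasks /Create whose task definition is read from a user temp directory."""
    hits = []
    for e in events:
        if e.image.lower().endswith("schtasks.exe"):
            m = SCHTASKS_RE.search(e.cmdline)
            if m and "\\appdata\\local\\temp\\" in m.group(1).lower():
                hits.append((e.pid, m.group(1)))
    return hits


def wow64_redirected(events):
    """Children whose mapped image is under SysWOW64 although System32 was requested:
    WoW64 file-system redirection, i.e. the parent is a 32-bit process on 64-bit Windows."""
    return [e.pid for e in events
            if "\\syswow64\\" in e.image.lower() and "\\system32\\" in argv0(e.cmdline).lower()]


def self_spawn_injection(events, writes):
    """Children that are a copy of the parent's own image AND receive memory writes from
    that parent: the shape of process hollowing / self-injection. Returns sorted pids."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower() == e.image.lower() and (e.ppid, e.pid) in writes:
            hits.append(e.pid)
    return sorted(hits)


def triage(events, writes):
    """All four rules as one dict, the shape a detection pipeline would emit per host."""
    return {
        "defender_exclusions": defender_exclusions(events),
        "tasks_from_temp_xml": tasks_from_temp_xml(events),
        "wow64_redirected_children": wow64_redirected(events),
        "self_spawn_injection_targets": self_spawn_injection(events, writes),
    }


if __name__ == "__main__":
    for rule, result in triage(EVENTS, WRITES).items():
        print(f"{rule}: {result}")
```

Run stand-alone it prints the two excluded paths, the task XML in %TEMP%, the three redirected children and the five hollowing candidates. The wow64 rule is deliberately informational rather than an alert: it tells you which bitness of powershell.exe to pull script-block and module logs from, and it keeps the exclusion rule honest, since matching only on a System32 image path would miss both PowerShell processes in this report.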
Network
MITRE ATT&CK Enterprise v15
Downloads

(no path recorded in this report)
Filesize  1KB
MD5       705096f32ca04a1667cb6f3526eb5de3
SHA1      a36d9e286f485ec5b37e84fbffd2cc8813ba29cc
SHA256    d66b4e0c5dfeb04b1e597b056ba527153d7857c9ab8edadf0af3ba17ce96702d
SHA512    a17d815aae0138fc27d334ffb10ec7218096cdae94ab3462821ab795b6f9b6f778c7a7165c5c517b0bb71a601e631fe302677f35e88079976ed1e737f7ae9b0f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\42OQS2W6YOGG3T1COCXJ.temp
Filesize  7KB
MD5       894daeb089270d121026b8c4c437262b
SHA1      31ccc6322c8b821493427ffa75d430caf1915b6d
SHA256    46efb6a62229be6422d0d001efd447d52bb69f3e9b44e5fa8ae198df4bfa90d3
SHA512    6c15868750706a522c08b657642073faf290abcfc21a7754ed340dc15bbef74c6be0591d0e57055f00e0fa7341904b5051b2818f9cfbcbd2b1a9413142225fe2
(a Windows jump-list artefact under Recent\CustomDestinations, a side-effect of process launches rather than a dropped payload)