Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-09-2024 06:55
Static task: static1
Behavioral task: behavioral1
  Sample: 50048e6f2c92f251bfc87da636dbc73080669bf84b8c5737db5af7b4bd4c27acN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 50048e6f2c92f251bfc87da636dbc73080669bf84b8c5737db5af7b4bd4c27acN.exe
  Resource: win10v2004-20240802-en
General
Target: 50048e6f2c92f251bfc87da636dbc73080669bf84b8c5737db5af7b4bd4c27acN.exe
Size: 1.6MB
MD5: 4b98ac287e67eae4030bbc0c01a7a300
SHA1: f3faa45b998f0950b4718339e50ec09c6663079b
SHA256: 50048e6f2c92f251bfc87da636dbc73080669bf84b8c5737db5af7b4bd4c27ac
SHA512: dbbbe9d57065f0acc4545758786cec67c10dc86e1f79c5ee26a2fe5b29fe427285ca0a158cc81523b261ca5ff2993bd22d01c524d2078183b169aa609a4b85fb
SSDEEP: 49152:DAodtaG9kS2U84B+FLan9k5TRM9zleVjPSf:h/B1aS
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid 1636, Process powershell.exe
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 2232 set thread context of 2168; pid 2232, Process 50048e6f2c92f251bfc87da636dbc73080669bf84b8c5737db5af7b4bd4c27acN.exe, procid_target 43
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs regedit.exe (1 IoCs)
  pid 2712, Process regedit.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 1636, Process powershell.exe
  pid 2168, Process wmplayer.exe (7 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege; pid 2232, Process 50048e6f2c92f251bfc87da636dbc73080669bf84b8c5737db5af7b4bd4c27acN.exe
  description: Token: SeDebugPrivilege; pid 1636, Process powershell.exe
- Suspicious use of WriteProcessMemory (57 IoCs)
  All entries have pid 2232, Process 50048e6f2c92f251bfc87da636dbc73080669bf84b8c5737db5af7b4bd4c27acN.exe; identical entries are collapsed with their counts.
  description: PID 2232 wrote to memory of 1636; procid_target 32 (3 entries)
  description: PID 2232 wrote to memory of 784; procid_target 34 (5 entries)
  description: PID 2232 wrote to memory of 2800; procid_target 35 (5 entries)
  description: PID 2232 wrote to memory of 2796; procid_target 36 (5 entries)
  description: PID 2232 wrote to memory of 3044; procid_target 37 (5 entries)
  description: PID 2232 wrote to memory of 2720; procid_target 38 (5 entries)
  description: PID 2232 wrote to memory of 2712; procid_target 39 (5 entries)
  description: PID 2232 wrote to memory of 2832; procid_target 40 (7 entries)
  description: PID 2232 wrote to memory of 2700; procid_target 41 (5 entries)
  description: PID 2232 wrote to memory of 2860; procid_target 42 (5 entries)
  description: PID 2232 wrote to memory of 2168; procid_target 43 (7 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\50048e6f2c92f251bfc87da636dbc73080669bf84b8c5737db5af7b4bd4c27acN.exe  "C:\Users\Admin\AppData\Local\Temp\50048e6f2c92f251bfc87da636dbc73080669bf84b8c5737db5af7b4bd4c27acN.exe"  (PID 2232)
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile  (PID 1636)
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\notepad.exe  "C:\Windows\System32\notepad.exe"  (PID 784)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"  (PID 2800)
  C:\Windows\System32\calc.exe  "C:\Windows\System32\calc.exe"  (PID 2796)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"  (PID 3044)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"  (PID 2720)
  C:\Windows\regedit.exe  "C:\Windows\regedit.exe"  (PID 2712)
    - Runs regedit.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"  (PID 2832)
  C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe"  (PID 2700)
  C:\Windows\System32\svchost.exe  "C:\Windows\System32\svchost.exe"  (PID 2860)
  C:\Program Files (x86)\Windows Media Player\wmplayer.exe  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"  (PID 2168)
    - Suspicious behavior: EnumeratesProcesses