5cfb623fd29edfb21bc7fb3d734f2e6ebb7f151e12d2fbcb61bafefdfccb24c6

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AscoValveShanghaiOrderPO011024.exe
Size

783KB
MD5

11ff8e45351b4fef0f7e723c1b1e04f1
SHA1

ff595a4ea95aba1cca52de553949e6a73c19c265
SHA256

5cfb623fd29edfb21bc7fb3d734f2e6ebb7f151e12d2fbcb61bafefdfccb24c6
SHA512

801f54add34c294f4bdf95ae8ebe8ab603fa7be88124a78fbf177e10e4a53a599d481b173fb4cf4f40268aa16aa5124289ad26c6f0c0230637c1d5b763155487
SSDEEP

6144:qZZSGZ1pOTD97kVoluxSnQJ2UYbbnEqa57lW1ChtCxxE5jbWs5E19Cd0C7vvGm97:qzvZ1pSptYSQJK/EtdCsPGsdPvvGm9h

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2224	powershell.exe
2740	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AscoValveShanghaiOrderPO011024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2532	AscoValveShanghaiOrderPO011024.exe
2532	AscoValveShanghaiOrderPO011024.exe
2532	AscoValveShanghaiOrderPO011024.exe
2740	powershell.exe
2224	powershell.exe
2532	AscoValveShanghaiOrderPO011024.exe
2532	AscoValveShanghaiOrderPO011024.exe
2532	AscoValveShanghaiOrderPO011024.exe
2532	AscoValveShanghaiOrderPO011024.exe
2532	AscoValveShanghaiOrderPO011024.exe
2532	AscoValveShanghaiOrderPO011024.exe
2532	AscoValveShanghaiOrderPO011024.exe
2532	AscoValveShanghaiOrderPO011024.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	AscoValveShanghaiOrderPO011024.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2224	2532	AscoValveShanghaiOrderPO011024.exe	30
PID 2532 wrote to memory of 2224	2532	AscoValveShanghaiOrderPO011024.exe	30
PID 2532 wrote to memory of 2224	2532	AscoValveShanghaiOrderPO011024.exe	30
PID 2532 wrote to memory of 2224	2532	AscoValveShanghaiOrderPO011024.exe	30
PID 2532 wrote to memory of 2224	2532	AscoValveShanghaiOrderPO011024.exe	30
PID 2532 wrote to memory of 2224	2532	AscoValveShanghaiOrderPO011024.exe	30
PID 2532 wrote to memory of 2224	2532	AscoValveShanghaiOrderPO011024.exe	30
PID 2532 wrote to memory of 2740	2532	AscoValveShanghaiOrderPO011024.exe	32
PID 2532 wrote to memory of 2740	2532	AscoValveShanghaiOrderPO011024.exe	32
PID 2532 wrote to memory of 2740	2532	AscoValveShanghaiOrderPO011024.exe	32
PID 2532 wrote to memory of 2740	2532	AscoValveShanghaiOrderPO011024.exe	32
PID 2532 wrote to memory of 2740	2532	AscoValveShanghaiOrderPO011024.exe	32
PID 2532 wrote to memory of 2740	2532	AscoValveShanghaiOrderPO011024.exe	32
PID 2532 wrote to memory of 2740	2532	AscoValveShanghaiOrderPO011024.exe	32
PID 2532 wrote to memory of 2796	2532	AscoValveShanghaiOrderPO011024.exe	34
PID 2532 wrote to memory of 2796	2532	AscoValveShanghaiOrderPO011024.exe	34
PID 2532 wrote to memory of 2796	2532	AscoValveShanghaiOrderPO011024.exe	34
PID 2532 wrote to memory of 2796	2532	AscoValveShanghaiOrderPO011024.exe	34
PID 2532 wrote to memory of 2796	2532	AscoValveShanghaiOrderPO011024.exe	34
PID 2532 wrote to memory of 2796	2532	AscoValveShanghaiOrderPO011024.exe	34
PID 2532 wrote to memory of 2796	2532	AscoValveShanghaiOrderPO011024.exe	34
PID 2532 wrote to memory of 2624	2532	AscoValveShanghaiOrderPO011024.exe	36
PID 2532 wrote to memory of 2624	2532	AscoValveShanghaiOrderPO011024.exe	36
PID 2532 wrote to memory of 2624	2532	AscoValveShanghaiOrderPO011024.exe	36
PID 2532 wrote to memory of 2624	2532	AscoValveShanghaiOrderPO011024.exe	36
PID 2532 wrote to memory of 2624	2532	AscoValveShanghaiOrderPO011024.exe	36
PID 2532 wrote to memory of 2624	2532	AscoValveShanghaiOrderPO011024.exe	36
PID 2532 wrote to memory of 2624	2532	AscoValveShanghaiOrderPO011024.exe	36
PID 2532 wrote to memory of 2620	2532	AscoValveShanghaiOrderPO011024.exe	37
PID 2532 wrote to memory of 2620	2532	AscoValveShanghaiOrderPO011024.exe	37
PID 2532 wrote to memory of 2620	2532	AscoValveShanghaiOrderPO011024.exe	37
PID 2532 wrote to memory of 2620	2532	AscoValveShanghaiOrderPO011024.exe	37
PID 2532 wrote to memory of 2620	2532	AscoValveShanghaiOrderPO011024.exe	37
PID 2532 wrote to memory of 2620	2532	AscoValveShanghaiOrderPO011024.exe	37
PID 2532 wrote to memory of 2620	2532	AscoValveShanghaiOrderPO011024.exe	37
PID 2532 wrote to memory of 2856	2532	AscoValveShanghaiOrderPO011024.exe	38
PID 2532 wrote to memory of 2856	2532	AscoValveShanghaiOrderPO011024.exe	38
PID 2532 wrote to memory of 2856	2532	AscoValveShanghaiOrderPO011024.exe	38
PID 2532 wrote to memory of 2856	2532	AscoValveShanghaiOrderPO011024.exe	38
PID 2532 wrote to memory of 2856	2532	AscoValveShanghaiOrderPO011024.exe	38
PID 2532 wrote to memory of 2856	2532	AscoValveShanghaiOrderPO011024.exe	38
PID 2532 wrote to memory of 2856	2532	AscoValveShanghaiOrderPO011024.exe	38
PID 2532 wrote to memory of 2732	2532	AscoValveShanghaiOrderPO011024.exe	39
PID 2532 wrote to memory of 2732	2532	AscoValveShanghaiOrderPO011024.exe	39
PID 2532 wrote to memory of 2732	2532	AscoValveShanghaiOrderPO011024.exe	39
PID 2532 wrote to memory of 2732	2532	AscoValveShanghaiOrderPO011024.exe	39
PID 2532 wrote to memory of 2732	2532	AscoValveShanghaiOrderPO011024.exe	39
PID 2532 wrote to memory of 2732	2532	AscoValveShanghaiOrderPO011024.exe	39
PID 2532 wrote to memory of 2732	2532	AscoValveShanghaiOrderPO011024.exe	39
PID 2532 wrote to memory of 2640	2532	AscoValveShanghaiOrderPO011024.exe	40
PID 2532 wrote to memory of 2640	2532	AscoValveShanghaiOrderPO011024.exe	40
PID 2532 wrote to memory of 2640	2532	AscoValveShanghaiOrderPO011024.exe	40
PID 2532 wrote to memory of 2640	2532	AscoValveShanghaiOrderPO011024.exe	40
PID 2532 wrote to memory of 2640	2532	AscoValveShanghaiOrderPO011024.exe	40
PID 2532 wrote to memory of 2640	2532	AscoValveShanghaiOrderPO011024.exe	40
PID 2532 wrote to memory of 2640	2532	AscoValveShanghaiOrderPO011024.exe	40

C:\Users\Admin\AppData\Local\Temp\AscoValveShanghaiOrderPO011024.exe
"C:\Users\Admin\AppData\Local\Temp\AscoValveShanghaiOrderPO011024.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\AscoValveShanghaiOrderPO011024.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UJKtuGFFwoBmnd.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UJKtuGFFwoBmnd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB71F.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\AscoValveShanghaiOrderPO011024.exe
  "C:\Users\Admin\AppData\Local\Temp\AscoValveShanghaiOrderPO011024.exe"
  2⤵
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\AscoValveShanghaiOrderPO011024.exe
  "C:\Users\Admin\AppData\Local\Temp\AscoValveShanghaiOrderPO011024.exe"
  2⤵
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\AscoValveShanghaiOrderPO011024.exe
  "C:\Users\Admin\AppData\Local\Temp\AscoValveShanghaiOrderPO011024.exe"
  2⤵
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\AscoValveShanghaiOrderPO011024.exe
  "C:\Users\Admin\AppData\Local\Temp\AscoValveShanghaiOrderPO011024.exe"
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\AscoValveShanghaiOrderPO011024.exe
  "C:\Users\Admin\AppData\Local\Temp\AscoValveShanghaiOrderPO011024.exe"
  2⤵
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB71F.tmp

Filesize
1KB

MD5
44814e223c579b7a49aa333ead0a4901

SHA1
d070c7e78849908a39ac1e96bc4fa181ea28d3e7

SHA256
f93c28b2dac6f54abee971e4b585b36b4c40b39998a8a057393479d2897e004c

SHA512
508145b63a07b0e2b17c94a9d24577d0afa348b9d5396ac91d37bd226af563f335463d004e83ffea9d0ebbfff26fa56328c3d1e3d7c397f74dfd3aac71781449

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
77943b75555bfa0a7d8e868213c94fe7

SHA1
a366eb61550855e3059bc97900dbafc7485e1d2e

SHA256
90f21a8f62e685b906bc498916f27f98942c29677863646b643a815c1384aabb

SHA512
072f2e974d3bd6624f54e932748a41dece700d93b1a3fca6852cade97142c79823f3932e8b98f6d2dfd2613dba91e59e634f98128c57b922e419658d6ceb1d36

Download Submit
memory/2532-0-0x0000000000370000-0x000000000043A000-memory.dmp

Filesize
808KB

Download
memory/2532-1-0x0000000005520000-0x00000000055B8000-memory.dmp

Filesize
608KB

Download
memory/2532-2-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2532-3-0x0000000006100000-0x0000000006182000-memory.dmp

Filesize
520KB

Download