Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-09-2024 05:12

General

  • Target

    NEW PO - 4067543012.exe

  • Size

    854KB

  • MD5

    b15b83f0aca6375277cfd79c3ab96fa1

  • SHA1

    87ef96c2bd2245075082fe695eb164443eff637a

  • SHA256

    cea7e7e11c4340ef167fa673fd12625b48dc1bd5a6b34653f4986b92659a9886

  • SHA512

    38cd17a629867290c2a4305520148be0b742c81256264abd552db1a64318e291bc9a61eb4f06e7c70f5984a4ea4db5f528726684b497a7125304be224a53219a

  • SSDEEP

    24576:yeq3Zk1T8Fvg3K13rxlmGi+z/3hj+ZqVF4+0cD0aWLlYjHDboU:51IF4erVi8fFZpDbWLlYznf

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEW PO - 4067543012.exe
    "C:\Users\Admin\AppData\Local\Temp\NEW PO - 4067543012.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEW PO - 4067543012.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1800
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sYpAHmjKhppP.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sYpAHmjKhppP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE734.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2736
    • C:\Users\Admin\AppData\Local\Temp\NEW PO - 4067543012.exe
      "C:\Users\Admin\AppData\Local\Temp\NEW PO - 4067543012.exe"
      2⤵
      PID:2964
    • C:\Users\Admin\AppData\Local\Temp\NEW PO - 4067543012.exe
      "C:\Users\Admin\AppData\Local\Temp\NEW PO - 4067543012.exe"
      2⤵
      PID:2312
    • C:\Users\Admin\AppData\Local\Temp\NEW PO - 4067543012.exe
      "C:\Users\Admin\AppData\Local\Temp\NEW PO - 4067543012.exe"
      2⤵
      PID:2724
    • C:\Users\Admin\AppData\Local\Temp\NEW PO - 4067543012.exe
      "C:\Users\Admin\AppData\Local\Temp\NEW PO - 4067543012.exe"
      2⤵
      PID:2888
    • C:\Users\Admin\AppData\Local\Temp\NEW PO - 4067543012.exe
      "C:\Users\Admin\AppData\Local\Temp\NEW PO - 4067543012.exe"
      2⤵
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE734.tmp

    Filesize

    1KB

    MD5

    3344c8036a1cf194fac069c74fc03f0a

    SHA1

    dfa6bfb9151fe2df2318ed5157dd75640d969514

    SHA256

    af7a4f64e8bff6f00ba9fd8d9334d89c5ec0aab913debcbac5eb866d08d53af9

    SHA512

    ce19de96eb0593c61db28fea3585444d6ceee362cfbce56af97abf885c96f787688d4881eda8bff892c6e8d794fbdb0470313210e822ddfbf444facde51f153e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    8d5d27092a8aa8d8969e1b48cf302ae3

    SHA1

    bd63f1dd22ee8c1982af92710f884f968abb146e

    SHA256

    f90071b74639656a889b18f8e78d11dd26e40fce8480fe46a9cea1b7a58b0f32

    SHA512

    da43a977bf65df34a37bc5e64cb7eac9e21087cd5a6bc7f8b6a019449b95e4c2b56c53283a19c6c19b97d2141199430105c496a279ef8af5a3b85f91e6733713

  • memory/1700-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

    Filesize

    4KB

  • memory/1700-1-0x0000000000360000-0x000000000043C000-memory.dmp

    Filesize

    880KB

  • memory/1700-2-0x0000000074B60000-0x000000007524E000-memory.dmp

    Filesize

    6.9MB

  • memory/1700-3-0x0000000000490000-0x000000000049E000-memory.dmp

    Filesize

    56KB

  • memory/1700-4-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

    Filesize

    4KB

  • memory/1700-5-0x0000000074B60000-0x000000007524E000-memory.dmp

    Filesize

    6.9MB

  • memory/1700-6-0x0000000005DC0000-0x0000000005E4A000-memory.dmp

    Filesize

    552KB

  • memory/1700-19-0x0000000074B60000-0x000000007524E000-memory.dmp

    Filesize

    6.9MB