Overview

overview

8

Static

static

3

b8986771df...2N.exe

windows7-x64

8

b8986771df...2N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    64s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2024, 20:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b8986771df334227d1de04468a12b4518a83b60943e3254f8709c5b6ff8b61a2N.exe

  • Size

    4.8MB

  • MD5

    a2198b8b0989f2b39155cd89a0bf7810

  • SHA1

    2e9b90d7908c6016b086127e162ca6819104d1ad

  • SHA256

    b8986771df334227d1de04468a12b4518a83b60943e3254f8709c5b6ff8b61a2

  • SHA512

    b841ea8f9af5c83a3b3f47843f0e23b77eaca02630ef4f99be5e003222be946c2c23d8d8a212e2bed9ff4b8e4497b54b3c2ae7fcdb0e56450d56481e5fac80fe

  • SSDEEP

    98304:1MRLheh139CWlG0ysnlyVBoPg8eGxxclZ37J8NXuRoYEbBLj:iIhRgWMqEj76clZ3N16Bf

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8986771df334227d1de04468a12b4518a83b60943e3254f8709c5b6ff8b61a2N.exe
    "C:\Users\Admin\AppData\Local\Temp\b8986771df334227d1de04468a12b4518a83b60943e3254f8709c5b6ff8b61a2N.exe"
    1⤵
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\ACCApi'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2640
    • C:\Windows\system32\schtasks.exe
      "schtasks.exe" /create /tn AccSys /tr "C:\ProgramData\ACCApi\apscit.exe" /st 20:12 /du 23:59 /sc daily /ri 1 /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2708
    • C:\ProgramData\ACCApi\apscit.exe
      "C:\ProgramData\ACCApi\apscit.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      PID:2232
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp62C8.tmp.cmd""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\system32\timeout.exe
        timeout 6
        3⤵
        • Delays execution with timeout.exe
        PID:2496

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\ACCApi\apscit.exe
          Filesize

          5.3MB

          MD5

          eea37e9f6a33bba6824b4d0463a6b96a

          SHA1

          62775eacac4be50158da93ad33666bb9d3dc5cce

          SHA256

          4d03ebe31398330d6fb047895a0a7d516dc107edee74784e20e791ee18d8f66b

          SHA512

          c73b3f0feae5eb1abee2fcfc67e01d5123b40568b003e23340f8f0e01f6d77f2de8090991d7825b0ad44d376ad4b5d81a7ecccf600dfc34693c9775b8315204b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp62C8.tmp.cmd
          Filesize

          217B

          MD5

          6f5586f4217cf562fd8382c7d425de07

          SHA1

          5f99686d6eaed86eb42b7a07c58abfa3aa1cc347

          SHA256

          51efaa497c8fd4589af433496cf8e08114dd3392cdd39eee58e8dd52cf5e5e81

          SHA512

          f09cb3d2ae3766ef16d9bd17e64b2e3b89b8fe296d97b879b79ef16f4d5cf69c2153c903c0a7a46a2ebeec32ce6c130e96d93a64a7bbea39247f3f20923fad13

          Download Submit

        • memory/1716-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1716-1-0x0000000001310000-0x0000000001388000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2232-20-0x0000000001300000-0x0000000001378000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2640-9-0x0000000002A50000-0x0000000002AD0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2640-21-0x000000001B810000-0x000000001BAF2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2640-22-0x0000000001E60000-0x0000000001E68000-memory.dmp

          Filesize

          32KB

          Download