75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
Size

692KB
MD5

f546c5045d223d52d10a11da4a9cf625
SHA1

fb66509226ffdb1885770151dd6b19ecaafda5ad
SHA256

75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9
SHA512

5c2f8fc55e59b735173faf3178000ef7107da797b6fb9cc376fa1830067fe5d2f2606a5a19b6ec42f12614294eed0201e065913d11a6fb7954b187314d14edce
SSDEEP

12288:78E8rixlaIH2qwgSUopK4kAC43a+f6fXmWOHsOuNicMJQckdmmdbcQTwnSkR:77fxlaIGgVQ1CxR2WOHsOuFxm8wnh

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
844	powershell.exe
2196	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
2196	powershell.exe
844	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 844	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	31
PID 2276 wrote to memory of 844	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	31
PID 2276 wrote to memory of 844	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	31
PID 2276 wrote to memory of 844	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	31
PID 2276 wrote to memory of 2196	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	33
PID 2276 wrote to memory of 2196	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	33
PID 2276 wrote to memory of 2196	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	33
PID 2276 wrote to memory of 2196	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	33
PID 2276 wrote to memory of 2232	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	35
PID 2276 wrote to memory of 2232	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	35
PID 2276 wrote to memory of 2232	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	35
PID 2276 wrote to memory of 2232	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	35
PID 2276 wrote to memory of 2952	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	37
PID 2276 wrote to memory of 2952	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	37
PID 2276 wrote to memory of 2952	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	37
PID 2276 wrote to memory of 2952	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	37
PID 2276 wrote to memory of 2688	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	38
PID 2276 wrote to memory of 2688	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	38
PID 2276 wrote to memory of 2688	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	38
PID 2276 wrote to memory of 2688	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	38
PID 2276 wrote to memory of 2700	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	39
PID 2276 wrote to memory of 2700	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	39
PID 2276 wrote to memory of 2700	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	39
PID 2276 wrote to memory of 2700	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	39
PID 2276 wrote to memory of 2696	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	40
PID 2276 wrote to memory of 2696	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	40
PID 2276 wrote to memory of 2696	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	40
PID 2276 wrote to memory of 2696	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	40
PID 2276 wrote to memory of 2836	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	41
PID 2276 wrote to memory of 2836	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	41
PID 2276 wrote to memory of 2836	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	41
PID 2276 wrote to memory of 2836	2276	75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe	41

C:\Users\Admin\AppData\Local\Temp\75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
"C:\Users\Admin\AppData\Local\Temp\75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\baGhgi.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\baGhgi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF6DD.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2232
- C:\Users\Admin\AppData\Local\Temp\75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
  "C:\Users\Admin\AppData\Local\Temp\75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe"
  2⤵
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
  "C:\Users\Admin\AppData\Local\Temp\75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe"
  2⤵
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
  "C:\Users\Admin\AppData\Local\Temp\75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe"
  2⤵
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
  "C:\Users\Admin\AppData\Local\Temp\75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe"
  2⤵
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe
  "C:\Users\Admin\AppData\Local\Temp\75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9.exe"
  2⤵
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF6DD.tmp

Filesize
1KB

MD5
1bfbffa119a6b4f19e1d521c9897781c

SHA1
6a7298a1bb1f1e097762811eb3adcd216ac74ebd

SHA256
00a1b37b3fc6fdc8bb25175035d20b2baef1b32bb7b864c7a575c946955ab8ad

SHA512
318add85170fc6feb02f713c3ae37e071a956adb0b4414e546de06c277a6b399c2273f4e1f2dc15d968adbad9e18ac1d7108a36231b39133624ce79d2cf18839

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SVI13BTLJOQGQDFXOEDM.temp

Filesize
7KB

MD5
2458eed7c06a91e2df42b7fb798efbfe

SHA1
d0ee4a2f4f3854a54fde243007078e37945c7193

SHA256
73f1f0c8b7f2b719ab124d5a656c28da0d05d922c51ffa846c18c3bf2aa89ad4

SHA512
f08ccda6c8f9c70244a22bcc13b5f9b81219a60203ca4aedfb012102554dea0e4da056087f1972a3da8e09221be5fd45bb161d8fe4518dd4d6010724ea9bdf14

Download Submit
memory/2276-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

Filesize
4KB

Download
memory/2276-1-0x00000000003E0000-0x000000000048E000-memory.dmp

Filesize
696KB

Download
memory/2276-2-0x0000000074D60000-0x000000007544E000-memory.dmp

Filesize
6.9MB

Download
memory/2276-3-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2276-4-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

Filesize
4KB

Download
memory/2276-5-0x0000000074D60000-0x000000007544E000-memory.dmp

Filesize
6.9MB

Download
memory/2276-6-0x00000000021C0000-0x0000000002222000-memory.dmp

Filesize
392KB

Download
memory/2276-19-0x0000000074D60000-0x000000007544E000-memory.dmp

Filesize
6.9MB

Download