54a3ea040e85099241ba73ecb473904856aa94c590a42304cc5449b98bada101

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Telco 32pcs New Purchase Order.exe
Size

968KB
MD5

8d310f2e831174aac8eaa5eba20e87ad
SHA1

600ef55976b69523c7973c5d0aeeb91f3fdcf97e
SHA256

457b6241f125cd8c4f030e7b7f05829b89a5e831f624225cb70ea272ecd88876
SHA512

a8a58d69131ae7b6736af515ad800eebe123df03c8c5b909e24ae64e382f310835f984d045f97aabe11a0f489e614b1d8d516add24d9cfde6f261ca88af75839
SSDEEP

24576:izFcFCG6ra2QIi2zGc9rwZTkfrw6bMfR1q:izFcsG3ZDc9riI0q

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2556	powershell.exe
2452	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Telco 32pcs New Purchase Order.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2692	Telco 32pcs New Purchase Order.exe
2692	Telco 32pcs New Purchase Order.exe
2692	Telco 32pcs New Purchase Order.exe
2692	Telco 32pcs New Purchase Order.exe
2692	Telco 32pcs New Purchase Order.exe
2692	Telco 32pcs New Purchase Order.exe
2692	Telco 32pcs New Purchase Order.exe
2692	Telco 32pcs New Purchase Order.exe
2692	Telco 32pcs New Purchase Order.exe
2692	Telco 32pcs New Purchase Order.exe
2452	powershell.exe
2556	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	Telco 32pcs New Purchase Order.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2556	2692	Telco 32pcs New Purchase Order.exe	31
PID 2692 wrote to memory of 2556	2692	Telco 32pcs New Purchase Order.exe	31
PID 2692 wrote to memory of 2556	2692	Telco 32pcs New Purchase Order.exe	31
PID 2692 wrote to memory of 2556	2692	Telco 32pcs New Purchase Order.exe	31
PID 2692 wrote to memory of 2452	2692	Telco 32pcs New Purchase Order.exe	33
PID 2692 wrote to memory of 2452	2692	Telco 32pcs New Purchase Order.exe	33
PID 2692 wrote to memory of 2452	2692	Telco 32pcs New Purchase Order.exe	33
PID 2692 wrote to memory of 2452	2692	Telco 32pcs New Purchase Order.exe	33
PID 2692 wrote to memory of 2056	2692	Telco 32pcs New Purchase Order.exe	34
PID 2692 wrote to memory of 2056	2692	Telco 32pcs New Purchase Order.exe	34
PID 2692 wrote to memory of 2056	2692	Telco 32pcs New Purchase Order.exe	34
PID 2692 wrote to memory of 2056	2692	Telco 32pcs New Purchase Order.exe	34
PID 2692 wrote to memory of 1744	2692	Telco 32pcs New Purchase Order.exe	37
PID 2692 wrote to memory of 1744	2692	Telco 32pcs New Purchase Order.exe	37
PID 2692 wrote to memory of 1744	2692	Telco 32pcs New Purchase Order.exe	37
PID 2692 wrote to memory of 1744	2692	Telco 32pcs New Purchase Order.exe	37
PID 2692 wrote to memory of 2776	2692	Telco 32pcs New Purchase Order.exe	38
PID 2692 wrote to memory of 2776	2692	Telco 32pcs New Purchase Order.exe	38
PID 2692 wrote to memory of 2776	2692	Telco 32pcs New Purchase Order.exe	38
PID 2692 wrote to memory of 2776	2692	Telco 32pcs New Purchase Order.exe	38
PID 2692 wrote to memory of 2724	2692	Telco 32pcs New Purchase Order.exe	39
PID 2692 wrote to memory of 2724	2692	Telco 32pcs New Purchase Order.exe	39
PID 2692 wrote to memory of 2724	2692	Telco 32pcs New Purchase Order.exe	39
PID 2692 wrote to memory of 2724	2692	Telco 32pcs New Purchase Order.exe	39
PID 2692 wrote to memory of 2872	2692	Telco 32pcs New Purchase Order.exe	40
PID 2692 wrote to memory of 2872	2692	Telco 32pcs New Purchase Order.exe	40
PID 2692 wrote to memory of 2872	2692	Telco 32pcs New Purchase Order.exe	40
PID 2692 wrote to memory of 2872	2692	Telco 32pcs New Purchase Order.exe	40
PID 2692 wrote to memory of 2612	2692	Telco 32pcs New Purchase Order.exe	41
PID 2692 wrote to memory of 2612	2692	Telco 32pcs New Purchase Order.exe	41
PID 2692 wrote to memory of 2612	2692	Telco 32pcs New Purchase Order.exe	41
PID 2692 wrote to memory of 2612	2692	Telco 32pcs New Purchase Order.exe	41

C:\Users\Admin\AppData\Local\Temp\Telco 32pcs New Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Telco 32pcs New Purchase Order.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Telco 32pcs New Purchase Order.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zBzzGAdzqF.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD884.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2056
- C:\Users\Admin\AppData\Local\Temp\Telco 32pcs New Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Telco 32pcs New Purchase Order.exe"
  2⤵
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\Telco 32pcs New Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Telco 32pcs New Purchase Order.exe"
  2⤵
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\Telco 32pcs New Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Telco 32pcs New Purchase Order.exe"
  2⤵
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\Telco 32pcs New Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Telco 32pcs New Purchase Order.exe"
  2⤵
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\Telco 32pcs New Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Telco 32pcs New Purchase Order.exe"
  2⤵
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD884.tmp

Filesize
1KB

MD5
cf4baad602794df37eb6b5942ecc5bf8

SHA1
b90b86bda79dabd623a1a4fecb5c74d30bf0ec06

SHA256
2402d23a4ca7309eda5c165c59aa759cad743d6563fb989c87f1ea2719df2d7f

SHA512
5f8a57f8cda9a3b977c4b7073f6d57988284a9c8ec3a5df69583dc90248a1cb022184cb6e394a1e936e15885a635af6240484c0f2ab7c1d695103e193e041b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b3179e3a62302b1b8b8ce5e1557bfbc0

SHA1
52c538825a07b90c7127d557a1d0cde885661c60

SHA256
da8260b6e622a35922ae6b8bac4cd8b9b9534847dec7172778306f676fcb438c

SHA512
15d1c44bfeec3ae22ad00f7cf12d501409f66cb90d7d8e543102fa21ff10ee72a0b6cc87bb0126bd0da02e831c0d508eb29f7e66305bcfaa1be062807332737b

Download Submit
memory/2692-0-0x000000007411E000-0x000000007411F000-memory.dmp

Filesize
4KB

Download
memory/2692-1-0x0000000000320000-0x0000000000414000-memory.dmp

Filesize
976KB

Download
memory/2692-2-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-3-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/2692-4-0x000000007411E000-0x000000007411F000-memory.dmp

Filesize
4KB

Download
memory/2692-5-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-6-0x0000000004D30000-0x0000000004DB4000-memory.dmp

Filesize
528KB

Download
memory/2692-19-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download