932c8687387b5fa94ef7b5c11358b0d0dc90ea488729382e09ec126d61457d6d

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d818c67cd7b934a84588a3207b2e50a.exe
Size

879KB
MD5

1d818c67cd7b934a84588a3207b2e50a
SHA1

f143719dafea314eb6ae638e9a7694da54c3a445
SHA256

932c8687387b5fa94ef7b5c11358b0d0dc90ea488729382e09ec126d61457d6d
SHA512

41e68271ed5c52427c1e9953bc3ac9c0562541a186a6a44712602dd88968fdd2d896f3c56dccc39dac512c9885e0eb9c194d26f148ce484418b001d1bf60401e
SSDEEP

24576:Ovd+fC6BjsHpE+dOj+18tyAgajKCzMlTyFjSIi0/:O1+a6NsHp3MlhOGM1mO0/

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2108	powershell.exe
2580	powershell.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d818c67cd7b934a84588a3207b2e50a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2692	1d818c67cd7b934a84588a3207b2e50a.exe
2692	1d818c67cd7b934a84588a3207b2e50a.exe
2692	1d818c67cd7b934a84588a3207b2e50a.exe
2692	1d818c67cd7b934a84588a3207b2e50a.exe
2692	1d818c67cd7b934a84588a3207b2e50a.exe
2692	1d818c67cd7b934a84588a3207b2e50a.exe
2692	1d818c67cd7b934a84588a3207b2e50a.exe
2692	1d818c67cd7b934a84588a3207b2e50a.exe
2692	1d818c67cd7b934a84588a3207b2e50a.exe
2692	1d818c67cd7b934a84588a3207b2e50a.exe
2692	1d818c67cd7b934a84588a3207b2e50a.exe
2108	powershell.exe
2580	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	1d818c67cd7b934a84588a3207b2e50a.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2580	2692	1d818c67cd7b934a84588a3207b2e50a.exe	31
PID 2692 wrote to memory of 2580	2692	1d818c67cd7b934a84588a3207b2e50a.exe	31
PID 2692 wrote to memory of 2580	2692	1d818c67cd7b934a84588a3207b2e50a.exe	31
PID 2692 wrote to memory of 2580	2692	1d818c67cd7b934a84588a3207b2e50a.exe	31
PID 2692 wrote to memory of 2108	2692	1d818c67cd7b934a84588a3207b2e50a.exe	33
PID 2692 wrote to memory of 2108	2692	1d818c67cd7b934a84588a3207b2e50a.exe	33
PID 2692 wrote to memory of 2108	2692	1d818c67cd7b934a84588a3207b2e50a.exe	33
PID 2692 wrote to memory of 2108	2692	1d818c67cd7b934a84588a3207b2e50a.exe	33
PID 2692 wrote to memory of 2708	2692	1d818c67cd7b934a84588a3207b2e50a.exe	34
PID 2692 wrote to memory of 2708	2692	1d818c67cd7b934a84588a3207b2e50a.exe	34
PID 2692 wrote to memory of 2708	2692	1d818c67cd7b934a84588a3207b2e50a.exe	34
PID 2692 wrote to memory of 2708	2692	1d818c67cd7b934a84588a3207b2e50a.exe	34
PID 2692 wrote to memory of 1612	2692	1d818c67cd7b934a84588a3207b2e50a.exe	37
PID 2692 wrote to memory of 1612	2692	1d818c67cd7b934a84588a3207b2e50a.exe	37
PID 2692 wrote to memory of 1612	2692	1d818c67cd7b934a84588a3207b2e50a.exe	37
PID 2692 wrote to memory of 1612	2692	1d818c67cd7b934a84588a3207b2e50a.exe	37
PID 2692 wrote to memory of 2604	2692	1d818c67cd7b934a84588a3207b2e50a.exe	38
PID 2692 wrote to memory of 2604	2692	1d818c67cd7b934a84588a3207b2e50a.exe	38
PID 2692 wrote to memory of 2604	2692	1d818c67cd7b934a84588a3207b2e50a.exe	38
PID 2692 wrote to memory of 2604	2692	1d818c67cd7b934a84588a3207b2e50a.exe	38
PID 2692 wrote to memory of 2904	2692	1d818c67cd7b934a84588a3207b2e50a.exe	39
PID 2692 wrote to memory of 2904	2692	1d818c67cd7b934a84588a3207b2e50a.exe	39
PID 2692 wrote to memory of 2904	2692	1d818c67cd7b934a84588a3207b2e50a.exe	39
PID 2692 wrote to memory of 2904	2692	1d818c67cd7b934a84588a3207b2e50a.exe	39
PID 2692 wrote to memory of 1124	2692	1d818c67cd7b934a84588a3207b2e50a.exe	40
PID 2692 wrote to memory of 1124	2692	1d818c67cd7b934a84588a3207b2e50a.exe	40
PID 2692 wrote to memory of 1124	2692	1d818c67cd7b934a84588a3207b2e50a.exe	40
PID 2692 wrote to memory of 1124	2692	1d818c67cd7b934a84588a3207b2e50a.exe	40
PID 2692 wrote to memory of 648	2692	1d818c67cd7b934a84588a3207b2e50a.exe	41
PID 2692 wrote to memory of 648	2692	1d818c67cd7b934a84588a3207b2e50a.exe	41
PID 2692 wrote to memory of 648	2692	1d818c67cd7b934a84588a3207b2e50a.exe	41
PID 2692 wrote to memory of 648	2692	1d818c67cd7b934a84588a3207b2e50a.exe	41

C:\Users\Admin\AppData\Local\Temp\1d818c67cd7b934a84588a3207b2e50a.exe
"C:\Users\Admin\AppData\Local\Temp\1d818c67cd7b934a84588a3207b2e50a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1d818c67cd7b934a84588a3207b2e50a.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wTTruYPumnUe.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTTruYPumnUe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C66.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1C66.tmp

Filesize
1KB

MD5
236cf6ca1adfe65e42cfe052b9cf5c2e

SHA1
3c2bf4bfc2d1de00cf97bb4488649ead1131b862

SHA256
9c1be9e473591baa4139a1f0b0b62349a80c570b948318c88ac28b5ea6078f8d

SHA512
d9842b0b187ed4cc48a5e35dc7cc96e8961ce8afd5771fcebb7e71bc3e4d29acef1784d739376f6ebbcc49153afb33d3302ac1770b17e9c882da2e7974d06f70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YDEY4ZVL34S7M21G4V57.temp

Filesize
7KB

MD5
593c43952fa473f2ba899e8edf53494f

SHA1
3c762d96b791f4a62819426e0004f63459f47f37

SHA256
86ea96a16a896cc00e3569757afde142d594b2794c305be3e69136c6c8727b7c

SHA512
818d7e86b60ffd06ba31b220b301cd10eb47e268bd233e1d840f64ab93b36f463f9ca693a1ba1848c261c4bc1b0740229af258116c5abcc386916e1a8483ac47

Download Submit
memory/2692-0-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/2692-1-0x00000000011D0000-0x00000000012B2000-memory.dmp

Filesize
904KB

Download
memory/2692-2-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-3-0x0000000005490000-0x000000000556A000-memory.dmp

Filesize
872KB

Download
memory/2692-4-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/2692-5-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/2692-6-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-7-0x0000000005960000-0x0000000005A20000-memory.dmp

Filesize
768KB

Download
memory/2692-20-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download