9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e

Analysis

max time kernel
43s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5678909764.scr.exe
Size

723KB
MD5

df30947662e982996810396f8998687c
SHA1

ab1cca67c1d71f95e516a21995d2965761bc6829
SHA256

9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e
SHA512

41e148f5bd8fe19754f6c676323a1b022c0e79d3be5c5de8b3fc030e2dedb46877e5ff792da2965fc8cfc701724ea914a61a80d43590e77421820d22bb484b9a
SSDEEP

12288:ZFw5wFD3n6UwXUTCBvvFfg6DUT0/PSnyUt9H+nruF39h9sAFJEyvQXDkR:ZF4K9wXKIvFfZRGyI9enr6H93bnQXW

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1932	powershell.exe
2688	powershell.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5678909764.scr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2220	5678909764.scr.exe
2220	5678909764.scr.exe
2220	5678909764.scr.exe
2220	5678909764.scr.exe
2220	5678909764.scr.exe
2220	5678909764.scr.exe
2220	5678909764.scr.exe
2220	5678909764.scr.exe
2220	5678909764.scr.exe
2220	5678909764.scr.exe
1932	powershell.exe
2688	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	5678909764.scr.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1932	2220	5678909764.scr.exe	30
PID 2220 wrote to memory of 1932	2220	5678909764.scr.exe	30
PID 2220 wrote to memory of 1932	2220	5678909764.scr.exe	30
PID 2220 wrote to memory of 1932	2220	5678909764.scr.exe	30
PID 2220 wrote to memory of 2688	2220	5678909764.scr.exe	32
PID 2220 wrote to memory of 2688	2220	5678909764.scr.exe	32
PID 2220 wrote to memory of 2688	2220	5678909764.scr.exe	32
PID 2220 wrote to memory of 2688	2220	5678909764.scr.exe	32
PID 2220 wrote to memory of 2956	2220	5678909764.scr.exe	33
PID 2220 wrote to memory of 2956	2220	5678909764.scr.exe	33
PID 2220 wrote to memory of 2956	2220	5678909764.scr.exe	33
PID 2220 wrote to memory of 2956	2220	5678909764.scr.exe	33
PID 2220 wrote to memory of 2032	2220	5678909764.scr.exe	36
PID 2220 wrote to memory of 2032	2220	5678909764.scr.exe	36
PID 2220 wrote to memory of 2032	2220	5678909764.scr.exe	36
PID 2220 wrote to memory of 2032	2220	5678909764.scr.exe	36
PID 2220 wrote to memory of 2188	2220	5678909764.scr.exe	37
PID 2220 wrote to memory of 2188	2220	5678909764.scr.exe	37
PID 2220 wrote to memory of 2188	2220	5678909764.scr.exe	37
PID 2220 wrote to memory of 2188	2220	5678909764.scr.exe	37
PID 2220 wrote to memory of 600	2220	5678909764.scr.exe	38
PID 2220 wrote to memory of 600	2220	5678909764.scr.exe	38
PID 2220 wrote to memory of 600	2220	5678909764.scr.exe	38
PID 2220 wrote to memory of 600	2220	5678909764.scr.exe	38
PID 2220 wrote to memory of 1480	2220	5678909764.scr.exe	39
PID 2220 wrote to memory of 1480	2220	5678909764.scr.exe	39
PID 2220 wrote to memory of 1480	2220	5678909764.scr.exe	39
PID 2220 wrote to memory of 1480	2220	5678909764.scr.exe	39
PID 2220 wrote to memory of 2012	2220	5678909764.scr.exe	40
PID 2220 wrote to memory of 2012	2220	5678909764.scr.exe	40
PID 2220 wrote to memory of 2012	2220	5678909764.scr.exe	40
PID 2220 wrote to memory of 2012	2220	5678909764.scr.exe	40

C:\Users\Admin\AppData\Local\Temp\5678909764.scr.exe
"C:\Users\Admin\AppData\Local\Temp\5678909764.scr.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5678909764.scr.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OsYPcQX.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OsYPcQX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp48B4.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp48B4.tmp

Filesize
1KB

MD5
bcecefea844021efe3edc4c9dec86262

SHA1
a101b13490e047b66e786b7035dc463241d03a09

SHA256
f9e32cc03f8ea271f0c280958e68dd0bd8c01f4cd2d25b6353da369ed2611a48

SHA512
3456336d67175c29df976aba16f970916c9961adfb902e34a8d90728ce9a088a8890bbdee9a26809ef52d322c0adedbc43dc506cd64b5a27cc198c1fd4d8de6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4255556c871da58ab5dbb9d66f32bc38

SHA1
eb31490957dd699bf1b058f2ccede3627735d7c0

SHA256
a087b8dd607750e733ef28348f9e6e13e597acc1756fee309ff990d6b6d1f6a5

SHA512
a946a9961d3e5b62b64bb81bd2327ccd0f7ec6f94bebfae04b6f760c5163e1c1354fb618c494299841d545c158313b49be9071086c4aaa7e953281e1c01a446e

Download Submit
memory/2220-0-0x00000000743CE000-0x00000000743CF000-memory.dmp

Filesize
4KB

Download
memory/2220-1-0x0000000001040000-0x00000000010F8000-memory.dmp

Filesize
736KB

Download
memory/2220-2-0x00000000743C0000-0x0000000074AAE000-memory.dmp

Filesize
6.9MB

Download
memory/2220-3-0x0000000000630000-0x000000000064E000-memory.dmp

Filesize
120KB

Download
memory/2220-4-0x00000000743CE000-0x00000000743CF000-memory.dmp

Filesize
4KB

Download
memory/2220-5-0x00000000743C0000-0x0000000074AAE000-memory.dmp

Filesize
6.9MB

Download
memory/2220-6-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/2220-19-0x00000000743C0000-0x0000000074AAE000-memory.dmp

Filesize
6.9MB

Download