Overview

overview

8

Static

static

3

September ...ts.exe

windows7-x64

8

September ...ts.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2024 01:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    September payments.exe

  • Size

    777KB

  • MD5

    829ca0be6c5a9982fe1fd88f3db358d4

  • SHA1

    20fed866af8500ad5ee7d9e6f855ed1ab6a7f736

  • SHA256

    362207c53645346df6f36cf3f7792e5fc4655895b35a6e3477e218e0e0007be9

  • SHA512

    c6dd6e9ac321505fd3547b957a7a7763ae54e754234bb78145dc201571f77f26fb54c49e44a17a9944fb1054e30fb754fef2fcfc676ce5d4ca0f2bfd67c279fe

  • SSDEEP

    24576:IMR0YU8TjxvmnrZomcsCjidhfhn9px857:e+vwrZor3uE7

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\September payments.exe
    "C:\Users\Admin\AppData\Local\Temp\September payments.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\September payments.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2128
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZCXobyaJg.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1936
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZCXobyaJg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF306.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2884
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:2648
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
          PID:1940
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          2⤵
            PID:2624
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            2⤵
              PID:2632
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              2⤵
                PID:2640

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpF306.tmp
              Filesize

              1KB

              MD5

              f05c617c93ff81023d99972f107c863b

              SHA1

              825d038bac325c4275da0bea9ac8c05e4806c106

              SHA256

              d0726a02e5f5c313f40acb452b6be2c7afbf33c82adfc49db30d9708551d6b16

              SHA512

              bbac151ef58af57bf5731e075ddfd862e1c66e538f8a4baa01c1a026fbb668ed3771b63ba815164e464e1550fa6e0456017eba8c427c00c0710ca95595043b45

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ONOH5BZT56CEQOTPNEAM.temp
              Filesize

              7KB

              MD5

              0abb9f8ac75100119a4b7fbbe80d45b6

              SHA1

              bfa99840aba3fbe0a8d75f148d20b059295e3def

              SHA256

              f7eba06ebeda46d88c5e1362eed44c65acfbaaa6cc0fc8fac3d6581aa17aab57

              SHA512

              97d1259388160364e6f4aa4bb225e8235fd7ccc383fae75d53e550af2379ab2460f9e6db5c7b6fa1af3eb8262d47e64daa409b571aa30a7ca915a42d1a42559c

              Download Submit

            • memory/2148-0-0x000000007463E000-0x000000007463F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2148-1-0x00000000001A0000-0x0000000000268000-memory.dmp

              Filesize

              800KB

              Download

            • memory/2148-2-0x0000000074630000-0x0000000074D1E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2148-3-0x0000000000310000-0x000000000032E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/2148-4-0x000000007463E000-0x000000007463F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2148-5-0x0000000074630000-0x0000000074D1E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2148-6-0x0000000000430000-0x00000000004BE000-memory.dmp

              Filesize

              568KB

              Download

            • memory/2148-19-0x0000000074630000-0x0000000074D1E000-memory.dmp

              Filesize

              6.9MB

              Download