Overview

overview

10

Static

static

3

ad74981909...a4.exe

windows7-x64

10

ad74981909...a4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2024 01:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad74981909d69f775885e19a1040435e3b8afe73b4a1e5d35861d502bfed8da4.exe

  • Size

    1.9MB

  • MD5

    0feb901e23751d111fc025ab2be3c2f5

  • SHA1

    38f8d59ab5dfb96e4070bd9ec269d2904c6a3a76

  • SHA256

    ad74981909d69f775885e19a1040435e3b8afe73b4a1e5d35861d502bfed8da4

  • SHA512

    34fc5fdf243d0fff3287110bc8d109db83ccb88e7189e87ee8d27784826cf5267b22b45fec035f25677e75b41d7993a6e5b2884cff0e0abf8073150c20e081ec

  • SSDEEP

    24576:2TbBv5rUyXVPr3aJEs7H+rhar+lA7ukc7t6vysCpz4FcJFrkQwuQjkmJQep9si:IBJPcziJG7WBnpz4FcJFAQ7Qjkmpt

Score
10/10
discoveryexecution

Malware Config

Signatures

  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad74981909d69f775885e19a1040435e3b8afe73b4a1e5d35861d502bfed8da4.exe
    "C:\Users\Admin\AppData\Local\Temp\ad74981909d69f775885e19a1040435e3b8afe73b4a1e5d35861d502bfed8da4.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Comreview\Qw0tHfZvOOTSlGqzwIZkbCqou.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Comreview\xzc6xIPiK2QcF9omfs2cgzMNBzTbcN2A.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Comreview\comagentIntoHost.exe
          "C:\Comreview/comagentIntoHost.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1700
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:900
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2128
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Skins\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2432
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Comreview\comagentIntoHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2408
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mKVSFnfWSn.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2436
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:552
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2212
              • C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe
                "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2728
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2720
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2540
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1796
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2292
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Skins\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:796
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Skins\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1652
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:764
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "comagentIntoHostc" /sc MINUTE /mo 5 /tr "'C:\Comreview\comagentIntoHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "comagentIntoHost" /sc ONLOGON /tr "'C:\Comreview\comagentIntoHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "comagentIntoHostc" /sc MINUTE /mo 5 /tr "'C:\Comreview\comagentIntoHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2800

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Comreview\Qw0tHfZvOOTSlGqzwIZkbCqou.vbe
      Filesize

      219B

      MD5

      ac093ca116acc51ba40b2b3081f2e2d1

      SHA1

      475fe450bb2488cea9ac65ad2473590f80f2a74a

      SHA256

      75f4cac8fd0f9f5f0e9123f2b487677829869f8ea3fb85b7fbf7c200ecbfa09b

      SHA512

      fd6c6d57a32a6a3f548478f2e75ebc29d90f3a14c6334ad9a7220b575f3bb2463453291d85bd27cce2327ea497908073d223286eec2dccc17e462de85c34218b

      Download Submit

    • C:\Comreview\xzc6xIPiK2QcF9omfs2cgzMNBzTbcN2A.bat
      Filesize

      75B

      MD5

      0fa861c32e296c754cde4279c23f50f3

      SHA1

      24e6bbb293e6c5a0c76380822c16f8dc842aea14

      SHA256

      203b4c404243dae8afa1770d93ba78de73ed932b6843607e2981eecc77cb1839

      SHA512

      a9a3893262648bbbead1137fa05d884dabd8adca6406db5c12d24e741cac8eecfa2e356f5ea7194b7281a39bd5c17e4204aa57d97dd62df89d0d8750745b1569

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\mKVSFnfWSn.bat
      Filesize

      188B

      MD5

      a37a2c4952a1fe94eb2f8ea303cc9d84

      SHA1

      f74bb14a3930371581c7008d3e2646ee5ded21b8

      SHA256

      f0f35daeeefd7130fa9b4da31213a1bde652764184d5d46f9d39a0e2e535c77b

      SHA512

      197ed1ef39e7aedf9bbdbff7d5c95bfeb3697a1cc1643c14b029ed525c6480b2f100cf3f6aba4f509b3e20d84b3e2ac5dc51d180c2892f428057da798cc75c4a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      e5d419a70ac5af759ceb72acacac0c08

      SHA1

      44d5fe169a0e0c98bba9ce1dac2ca4fcc02f457a

      SHA256

      dbb9cfa70d7876e5171528987421183326ef77c8214740e241e9fe891edfd644

      SHA512

      44cc0655bb15f845469fa89818346bdd167166adfc3e06c5ea365b29ed3befaa2c913f863662df826ddc0e5ad377a46cd100c3d3af35a6e9fcaad11e549675cb

      Download Submit

    • \Comreview\comagentIntoHost.exe
      Filesize

      1.6MB

      MD5

      0546ed90d4fbdd0ff7b740416c43fa6c

      SHA1

      458e078a8a89719ba4878940ee02cc910db6aaed

      SHA256

      abf5bf66710499fd2dcd8a2988fb3d1732884f94b258b1194bf408d27ba64478

      SHA512

      868f4a81f0a3a0440b17bcf88014232b0346bb154d3104eb71313b93d411b60f6539e0f64df2c05d2e499551f6afc7109fea9c0aaec15414a35a29c6f99cf829

      Download Submit

    • memory/900-43-0x000000001B760000-0x000000001BA42000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1608-67-0x00000000002F0000-0x000000000049A000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1700-13-0x0000000000010000-0x00000000001BA000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1700-15-0x0000000000540000-0x000000000054E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1700-17-0x0000000000550000-0x000000000055C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2996-53-0x0000000001F80000-0x0000000001F88000-memory.dmp

      Filesize

      32KB

      Download