Overview

overview

10

Static

static

5

59acf29870...18.exe

windows7-x64

10

59acf29870...18.exe

windows10-2004-x64

10

Adobe-GenP-2.7.exe

windows7-x64

3

Adobe-GenP-2.7.exe

windows10-2004-x64

3

ETC1final.exe

windows7-x64

8

ETC1final.exe

windows10-2004-x64

8

XMRfinal.exe

windows7-x64

8

XMRfinal.exe

windows10-2004-x64

10

update.exe

windows7-x64

10

update.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 22:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ETC1final.exe

  • Size

    31KB

  • MD5

    e6eef993d7cdd5b5d3ba14c22ba7347b

  • SHA1

    921bcf0d4bf3fd3cebd706a6e9dfe3901e32caea

  • SHA256

    c84043ea0e8a98b478bbe03bfc16f0d64de4eb3e99ea5f7717b5d37843fe247e

  • SHA512

    f832a156d8bfb45a81806563265bc78712a3cdfe7217efdd7515d5a01b846416f362a41ea97037e02461ce971ce9548e4265a84baa480af05d36223e994272bf

  • SSDEEP

    384:mlkzbsJHRdKputWQjjNut9r/npRqUC3x1nSpPdk1AOPBmMai6iFQwCADa2JE6sO/:2kzbs1cEcnTr8nSEKOPBbaQFRlEs/3

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ETC1final.exe
    "C:\Users\Admin\AppData\Local\Temp\ETC1final.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Windows\system32\cmd.exe
      "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2340
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2632
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\ETC1final.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\ETC1final.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3012
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1560
        • C:\Windows\system32\services32.exe
          "C:\Windows\system32\services32.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1948
          • C:\Windows\system32\cmd.exe
            "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1736
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1932
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1516
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1232
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2164
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:112
            • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
              C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:696
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:356
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2932
              • C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
                "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
                7⤵
                • Executes dropped EXE
                PID:788
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
                7⤵
                  PID:2748
                  • C:\Windows\system32\choice.exe
                    choice /C Y /N /D Y /T 3
                    8⤵
                      PID:2788
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1832
              • C:\Windows\system32\choice.exe
                choice /C Y /N /D Y /T 3
                5⤵
                  PID:2296

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          8a8174fbc6fc641453af137f7f8d0845

          SHA1

          512bce2ac780fdd634079db238e7bde6eb63bf19

          SHA256

          a9f814d6d5c98cb6a2aec0583291f11d7247175842abedbc21459284e70eadf4

          SHA512

          e56f5c7c8ff85fb815835e00fbc04e448bb4a741815269716477dc5b0e0ca5d40dd78389fe76f6ffa48622d4205f57c882ae5e940e848b4414c54a06b96abcd0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Cab7300.tmp
          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar7313.tmp
          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
          Filesize

          23KB

          MD5

          a62ea2ade261009540d77e9fe64151c3

          SHA1

          6e49139ba8715a6604cce412a70ae3aaab85da25

          SHA256

          e9310bece7f0b3a543f727e4eb893ed3bea6694287a00bdf56f90591e0eb4221

          SHA512

          b36baddd4314cd6553d59701ab7c622b69c19754182755f75060e431372f79fa17ef3f6a72369cd783cd835959ca1151eed754544bf2b1ded72913d6f9263732

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          70cc90510ac2ccb8318208fdfba08251

          SHA1

          e913c675bbdb0a360f8054878b6688d04c394c52

          SHA256

          69ec1bc345216e382d687f45b6aa2aef6676be4ac5a8e615d9489698fb865c28

          SHA512

          2ea2471954c4f0371d6009d5d726bfda37502b335c47427c158ac9a152fe05d3835c4489a72ea8bab840b64faddfd5b1096e3cdc387e1f8999143a1a6d24ea82

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          0813587b0d23ad6ebe36fa784aca9c77

          SHA1

          b51f7fe5f932b96c921c4e518ccd784d47c97f74

          SHA256

          22d2278a65379434dd11e5620361c7ac75456ae886cc3bf37c4f4bcd79dd910c

          SHA512

          67dd35078bc558df78764ff0005898e47a4a1d1afb171eaf2647580d803abdd403a07bc4374d364be1ec1cc7324397e38566d65ff3e19c6bb831f44701726b59

          Download Submit

        • \Windows\System32\Microsoft\Telemetry\sihost32.exe
          Filesize

          8KB

          MD5

          5b89737512666e0c07e776cb507243b5

          SHA1

          07ac2821e0fd2a91740e8b82c0a99cf5aa029270

          SHA256

          4cd89e7f4e6df328938daddcb7f96ae91408dba48c57727e3c36b424a221be50

          SHA512

          e2496518de02f2a4b731a1f2938a45eefbf4e070af7b1d35c03d81b8fdecc710d62aca40be4d57b4f0b479ed8699eb03586518bb3cc1815820a35cb69f46ae95

          Download Submit

        • \Windows\System32\services32.exe
          Filesize

          31KB

          MD5

          e6eef993d7cdd5b5d3ba14c22ba7347b

          SHA1

          921bcf0d4bf3fd3cebd706a6e9dfe3901e32caea

          SHA256

          c84043ea0e8a98b478bbe03bfc16f0d64de4eb3e99ea5f7717b5d37843fe247e

          SHA512

          f832a156d8bfb45a81806563265bc78712a3cdfe7217efdd7515d5a01b846416f362a41ea97037e02461ce971ce9548e4265a84baa480af05d36223e994272bf

          Download Submit

        • memory/696-74-0x000000013FEC0000-0x000000013FECA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/788-81-0x000000013F8F0000-0x000000013F8F6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1948-48-0x0000000000970000-0x000000000097C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2340-11-0x000007FEF3750000-0x000007FEF40ED000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2340-7-0x0000000002990000-0x0000000002998000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2340-6-0x000000001B6A0000-0x000000001B982000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2340-15-0x000007FEF3750000-0x000007FEF40ED000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2340-13-0x00000000027FB000-0x0000000002862000-memory.dmp

          Filesize

          412KB

          Download

        • memory/2340-10-0x000007FEF3A0E000-0x000007FEF3A0F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2340-14-0x000007FEF3750000-0x000007FEF40ED000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2340-12-0x000007FEF3750000-0x000007FEF40ED000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2340-9-0x00000000027F0000-0x0000000002870000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2604-40-0x000000013F220000-0x000000013F22A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2632-21-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2632-22-0x0000000001D20000-0x0000000001D28000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2816-34-0x000007FEF63F0000-0x000007FEF6DDC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2816-8-0x000007FEF63F0000-0x000007FEF6DDC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2816-0-0x000007FEF63F3000-0x000007FEF63F4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2816-41-0x000007FEF63F0000-0x000007FEF6DDC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2816-33-0x000007FEF63F3000-0x000007FEF63F4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2816-1-0x0000000000F20000-0x0000000000F2C000-memory.dmp

          Filesize

          48KB

          Download