Analysis

max time kernel: 119s
max time network: 18s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/11/2024, 08:17

Static task: static1
Behavioral task: behavioral1
Sample: 5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe
Resource: win7-20240903-en
General

Target: 5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe
Size: 5.8MB
MD5: a309dd870ce8f6c413c53fb6ad7282f0
SHA1: bf1ef29145ce21dfdc0aa328621805f0af806da5
SHA256: 5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71
SHA512: 4b61a9087ebefb65016d3a56dcba5018124ad4903d34ed9cb918c9340c89ffdcb4523c2ea97f48c5a4215df6ec2b23c02c5556cfa13d47d90d2cc33a2219f00b
SSDEEP: 98304:aWSdjmMgDQsEeaHMNKWJXFNvBpqjD3E3gQPN4jK2sR7EWKEXnHozQIMuyraeKFwd:CmM3lH32LvBpqnE3KI79nXHorIraekwd
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.
  PID   Process
  2076  powershell.exe
The excluded path, C:\Users\Admin\AppData\Local\Temp\Conventer.exe, is a directory despite its name: it holds the dropped SeedPhrase Converter.exe (see the process tree below), so the exclusion covers the payload that the scheduled task later relaunches. Add-MpPreference requires administrative rights; on a non-admin host this step fails and the rest of the chain still runs.

Deletes itself (1 IoC)
  PID   Process
  2104  cmd.exe

Drops startup file (1 IoC)
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SeedPhrase Converter.exe.lnk
  Process: 5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe
The Startup-folder shortcut is a second persistence point, independent of the scheduled task, that fires at every interactive logon of this user.

Executes dropped EXE (1 IoC)
  PID   Process
  2644  SeedPhrase Converter.exe

Loads dropped DLL (1 IoC)
  PID   Process
  2232  5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SeedPhrase Converter.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
Every process in the tree opens this key, including the Windows-supplied cmd.exe, timeout.exe and schtasks.exe, so here it is routine locale initialisation rather than deliberate geolocation; treat the hit as noise.

Delays execution with timeout.exe (1 IoC)
  PID   Process
  2520  timeout.exe
The 6-second wait (timeout 6, launched from tmp5C91.tmp.cmd) gives the original executable time to exit before the batch script removes it.

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  2768  schtasks.exe
The task Conventer runs "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" daily from 08:22, repeating every minute (/ri 1) for a duration of 23:59 (/du), with /f overwriting any existing task of that name; in practice the payload is relaunched about once a minute for as long as the machine is up.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID   Process
  2644  SeedPhrase Converter.exe
The dropped executable registers for clipboard-change notifications. Together with its name this is consistent with a clipboard-hijacking (clipper) stealer that watches for wallet addresses or seed phrases, but the report records only the registration, not what is done with the clipboard contents.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID   Process
  2076  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  2232  5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe
  Token: SeDebugPrivilege  2076  powershell.exe
  Token: SeDebugPrivilege  2644  SeedPhrase Converter.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  Source PID  Source process                                                          Target PID  Target process            procid_target  Entries
  2232        5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe  2076        powershell.exe            28             4
  2232        5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe  2768        schtasks.exe              30             4
  2232        5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe  2644        SeedPhrase Converter.exe  32             4
  2232        5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe  2104        cmd.exe                   33             4
  2104        cmd.exe                                                                 2520        timeout.exe               35             4
Each target is a child that the source process had just created (compare the process tree below), so these writes are consistent with ordinary process creation rather than injection into an unrelated process; on its own the signature is low-signal.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe"
  PID: 2232
  - Drops startup file
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'
    PID: 2076
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 08:22 /du 23:59 /sc daily /ri 1 /f
    PID: 2768
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  [depth 2] C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"
    PID: 2644
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5C91.tmp.cmd""
    PID: 2104
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 6
      PID: 2520
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
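Added example, not code from the sandbox report or from the sample: Python detection logic that reproduces the chain in the process tree above (a Defender exclusion added through Add-MpPreference, schtasks persistence pointing into a user-writable path with a repeat interval, and a cmd /c Temp-script plus timeout.exe self-delete stub) from process-creation records, and correlates the hits by root process. The six events are constructed from the command lines in the report; the record shape (pid, ppid, image, cmdline) is an assumed Sysmon Event ID 1-like layout, the parent PID 1000 for the sample is assumed, and the rule names and severities are the author's own, not anything the sandbox emits.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Assumed Sysmon EID 1-like record; not a real log format."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample input: one record per process in the report's tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"
EVENTS = [
    ProcEvent(2232, 1000, SAMPLE, f'"{SAMPLE}"'),  # ppid 1000 is assumed (explorer.exe)
    ProcEvent(2076, 2232, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"powershell.exe" Add-MpPreference -ExclusionPath '
              r"'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'"),
    ProcEvent(2768, 2232, r"C:\Windows\SysWOW64\schtasks.exe",
              f'"schtasks.exe" /create /tn Conventer /tr "{DROPPED}" '
              "/st 08:22 /du 23:59 /sc daily /ri 1 /f"),
    ProcEvent(2644, 2232, DROPPED, f'"{DROPPED}"'),
    ProcEvent(2104, 2232, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5C91.tmp.cmd""'),
    ProcEvent(2520, 2104, r"C:\Windows\SysWOW64\timeout.exe", "timeout 6"),
]

# Locations a standard user can write to; persistence pointing here is suspect.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData)\\", re.I)


def image_name(ev):
    return ev.image.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev, children):
    """Add-MpPreference -Exclusion{Path,Process,Extension} issued from PowerShell."""
    if image_name(ev) != "powershell.exe":
        return None
    m = re.search(r"add-mppreference\s+-exclusion(path|process|extension)\s+['\"]?([^'\"]+)",
                  ev.cmdline, re.I)
    if not m:
        return None
    target = m.group(2).strip()
    sev = "high" if USER_WRITABLE.search(target) else "medium"
    return sev, f"Defender exclusion ({m.group(1)}) added for {target}"


def rule_schtasks_persistence(ev, children):
    """schtasks /create whose action is in a user-writable path or repeats (/ri)."""
    if image_name(ev) != "schtasks.exe" or not re.search(r"/create\b", ev.cmdline, re.I):
        return None
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', ev.cmdline, re.I)
    action = (m.group(1) or m.group(2)) if m else ""
    ri = re.search(r"/ri\s+(\d+)", ev.cmdline, re.I)
    why = []
    if USER_WRITABLE.search(action):
        why.append("action in user-writable path")
    if ri:
        why.append(f"repeats every {ri.group(1)} min")
    if not why:
        return None
    return "high", f"scheduled task runs {action} ({', '.join(why)})"


def rule_self_delete_stub(ev, children):
    """cmd /c <Temp script> that spawns timeout.exe: the usual self-delete stub."""
    if image_name(ev) != "cmd.exe":
        return None
    if not re.search(r"\\Temp\\[^\"\s]+\.(cmd|bat)", ev.cmdline, re.I):
        return None
    if not any(image_name(c) == "timeout.exe" for c in children.get(ev.pid, [])):
        return None
    return "medium", "cmd runs a Temp script and delays with timeout.exe (self-delete stub)"


RULES = [rule_defender_exclusion, rule_schtasks_persistence, rule_self_delete_stub]


def root_of(pid, by_pid):
    """Walk ppid links up to the highest ancestor present in the event set."""
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid


def detect(events):
    """Return {root_pid: [(rule_name, severity, message), ...]} in event order."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    hits = defaultdict(list)
    for e in events:
        for rule in RULES:
            r = rule(e, children)
            if r:
                hits[root_of(e.pid, by_pid)].append((rule.__name__, r[0], r[1]))
    return dict(hits)


def chains(events, min_rules=2):
    """Roots hit by at least min_rules distinct rules: a chain, not one odd event."""
    return {root: h for root, h in detect(events).items()
            if len({name for name, _, _ in h}) >= min_rules}


if __name__ == "__main__":
    for root, h in chains(EVENTS).items():
        print(f"chain rooted at pid {root}:")
        for name, sev, msg in h:
            print(f"  [{sev}] {name}: {msg}")
```

Run directly, it reports the three hits under PID 2232; to use it on real data, map ProcessId, ParentProcessId, Image and CommandLine from Sysmon Event ID 1 onto ProcEvent. Requiring two distinct rules under one root (chains) is what separates this sample from an administrator who legitimately adds a single Defender exclusion or creates a single task.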
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 217B
  MD5: 69e580f7404d8bc8a116206dc4edeb09
  SHA1: f558bf7f68b483b94583a092c01ca21857a2a6fc
  SHA256: b6a33dd064735e6629e0955040f441152ddd440a86956e5f168070d381fa9633
  SHA512: 205f0b4e7664d6a62b5c07223c1056288f7aadeb64fdc2ddc5b7184d1587626c8401522a2d7683a9db5ac83223bac194ae9b93394eea6876a48b0f07230c9d88

File 2
  Filesize: 6.4MB
  MD5: 22d3d12c545cc4b0cc90409dc0e789d7
  SHA1: 094b6b694f523bc661f80ae4a689e83eeebe395b
  SHA256: 3cb574e04345c4c0e5694747dfd9232fa3fc28e4d87f027a8943d69deab9d1a4
  SHA512: 038da6520f3f7b75c17c665d80f31c5700349194d11e7fa54e974c9a6e42c3e6a8b566750f5e9c3f97c500e0a025e458a97e25868ed13fa2398ede6438eb783f

The report does not name these two files. Their sizes are consistent with the temporary batch script tmp5C91.tmp.cmd (217B) and the dropped SeedPhrase Converter.exe (6.4MB), but confirm the mapping against the full report before using either hash as an indicator for a specific artifact.