Analysis

  • max time kernel
    119s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/11/2024, 08:17

General

  • Target

    5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe

  • Size

    5.8MB

  • MD5

    a309dd870ce8f6c413c53fb6ad7282f0

  • SHA1

    bf1ef29145ce21dfdc0aa328621805f0af806da5

  • SHA256

    5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71

  • SHA512

    4b61a9087ebefb65016d3a56dcba5018124ad4903d34ed9cb918c9340c89ffdcb4523c2ea97f48c5a4215df6ec2b23c02c5556cfa13d47d90d2cc33a2219f00b

  • SSDEEP

    98304:aWSdjmMgDQsEeaHMNKWJXFNvBpqjD3E3gQPN4jK2sR7EWKEXnHozQIMuyraeKFwd:CmM3lH32LvBpqnE3KI79nXHorIraekwd

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe
    "C:\Users\Admin\AppData\Local\Temp\5bf4ad02ab57cae2a6ba5a1de38a60b09b276da19f8e19b2f00a166eca193e71N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2076
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 08:22 /du 23:59 /sc daily /ri 1 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2768
    • C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
      "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5C91.tmp.cmd""
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\SysWOW64\timeout.exe
        timeout 6
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2520

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp5C91.tmp.cmd

          Filesize

          217B

          MD5

          69e580f7404d8bc8a116206dc4edeb09

          SHA1

          f558bf7f68b483b94583a092c01ca21857a2a6fc

          SHA256

          b6a33dd064735e6629e0955040f441152ddd440a86956e5f168070d381fa9633

          SHA512

          205f0b4e7664d6a62b5c07223c1056288f7aadeb64fdc2ddc5b7184d1587626c8401522a2d7683a9db5ac83223bac194ae9b93394eea6876a48b0f07230c9d88

        • \Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe

          Filesize

          6.4MB

          MD5

          22d3d12c545cc4b0cc90409dc0e789d7

          SHA1

          094b6b694f523bc661f80ae4a689e83eeebe395b

          SHA256

          3cb574e04345c4c0e5694747dfd9232fa3fc28e4d87f027a8943d69deab9d1a4

          SHA512

          038da6520f3f7b75c17c665d80f31c5700349194d11e7fa54e974c9a6e42c3e6a8b566750f5e9c3f97c500e0a025e458a97e25868ed13fa2398ede6438eb783f

        • memory/2232-0-0x000000007473E000-0x000000007473F000-memory.dmp

          Filesize

          4KB

        • memory/2232-1-0x0000000000A20000-0x0000000000A3C000-memory.dmp

          Filesize

          112KB

        • memory/2644-10-0x00000000010E0000-0x00000000010FC000-memory.dmp

          Filesize

          112KB