Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/11/2024, 08:03

General

  • Target

    bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe

  • Size

    3.9MB

  • MD5

    5adb2a353e5d54d267e084de41f63310

  • SHA1

    59b62e1159bdc14a58eecff61d4045b634a51374

  • SHA256

    bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805c

  • SHA512

    453b5c61247a0d01d0bf3108532691a6534611460a4ca6483d73e2391b17d1491e342e0f6544b566de526cf6226de6838a133f9788bef3b034b66f89807e71a6

  • SSDEEP

    98304:wxhtYrUqNd6Px5RrtcZmZYZT/UHZxUSa1xJKA:wJEUqNd6Px5RRcsYZT/yv7A

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe
    "C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2444
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 08:08 /du 23:59 /sc daily /ri 1 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2312
    • C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
      "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      PID:2120
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE521.tmp.cmd""
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\timeout.exe
        timeout 6
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:584

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpE521.tmp.cmd

          Filesize

          217B

          MD5

          355450f64b69493338cfc79cad554162

          SHA1

          197c627abcbadcd20133b437add62ffd88da47a4

          SHA256

          6ddfe8b43fea8bcbfdd513ea6a8d55fefbcbd970099f8d0961fe86fc53a82ee9

          SHA512

          78914ea39527f417a6f37394d9986e49179394c30b00055e3c5b2ee744f8cd20a9a47a69682ffecb3a7c5c147282da1edbcc8dd4374e8114b40c7341a0ce6283

        • \Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe

          Filesize

          4.5MB

          MD5

          c485280211a901d16a69cc710b5eccb9

          SHA1

          e4681be1835ede1c0a5a21f4dbc730cc1f16db2b

          SHA256

          34710e86eef4ad9742ca7f6cfc5a000991be3c573bfa1a00074c012bf2e9f301

          SHA512

          de936feb2d14b97bf3061dc9ec4f0966af87bef10b2181df4460320331400a22b666c1230dfbe364e4a06994bae4a33c3e198b0bae58a34757fa5aae7b256d56

        • memory/1172-0-0x000000007463E000-0x000000007463F000-memory.dmp

          Filesize

          4KB

        • memory/1172-1-0x0000000000CD0000-0x0000000000CEC000-memory.dmp

          Filesize

          112KB

        • memory/2120-10-0x0000000000B10000-0x0000000000B2C000-memory.dmp

          Filesize

          112KB