Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2024, 21:46

General

  • Target

    2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe

  • Size

    5.2MB

  • MD5

    1ec58a38427967342f4b46c3831e4d40

  • SHA1

    ad7d51c9f3bac8aad7967702e95ea80c963d7cd4

  • SHA256

    2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8ef

  • SHA512

    2d4cbe9f3515f0769aa45263a9b4faacc97785f3955d00dfe4ec5eb79890c7eed06862fa0c4e23ef8394fe1a9462d1763a72bb8a03c4f3beaa4e65810ee3ac53

  • SSDEEP

    98304:wxhtYrUqNd6Px5RrtcZmZYZT/UHZxUSa1xJKyWYoM+0ycJOVWIVj0:wJEUqNd6Px5RRcsYZT/yv7yDPyeWrw

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe
    "C:\Users\Admin\AppData\Local\Temp\2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2184
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 21:51 /du 23:59 /sc daily /ri 1 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2192
    • C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
      "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      PID:1732
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9E81.tmp.cmd""
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\SysWOW64\timeout.exe
        timeout 6
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2804

Network

  • MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9E81.tmp.cmd

    Filesize
    217B

    MD5
    f38fc1b8ff53b9bfea8444b62ad09a5d

    SHA1
    df76a4ecf981ca735c131b04888bf254f819d02d

    SHA256
    dc4436bf6d1cadee8988796e3682897fcdd508557efbe03efc165f3e29b50e39

    SHA512
    9b7780cc095e1bbee9082ef7b8a1254c41e01c625f27d27e2d308730f4256e8be42641cabc3b70109ca324dbb95ffe734debb7a56b17b648345d46ad859f0399

  • \Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe

    Filesize
    5.8MB

    MD5
    8cf2656192151ec750e11dccf13adf6a

    SHA1
    f5c8e2c55fe01832629961a5dc1d5fbdc987f079

    SHA256
    546ad464b44fbf3058ef5c60d3d1935bab3a19aab3e38a2ea1e7e489eadf1957

    SHA512
    ab60e70563fa17cdf162925f255709dbf459d9119dfde504c6e549b92d86d9f2a6ff63a09cdb437a6a7143c52cb29cf128db91f2fb69ab29da03b3ab138ebbe8

  • memory/1596-0-0x000000007490E000-0x000000007490F000-memory.dmp

    Filesize
    4KB

  • memory/1596-1-0x00000000009B0000-0x00000000009CC000-memory.dmp

    Filesize
    112KB

  • memory/1732-10-0x00000000011F0000-0x000000000120C000-memory.dmp

    Filesize
    112KB