Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07/11/2024, 21:46
Static task
static1
Behavioral task
behavioral1
Sample
2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe
Resource
win7-20241010-en
General
-
Target
2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe
-
Size
5.2MB
-
MD5
1ec58a38427967342f4b46c3831e4d40
-
SHA1
ad7d51c9f3bac8aad7967702e95ea80c963d7cd4
-
SHA256
2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8ef
-
SHA512
2d4cbe9f3515f0769aa45263a9b4faacc97785f3955d00dfe4ec5eb79890c7eed06862fa0c4e23ef8394fe1a9462d1763a72bb8a03c4f3beaa4e65810ee3ac53
-
SSDEEP
98304:wxhtYrUqNd6Px5RrtcZmZYZT/UHZxUSa1xJKyWYoM+0ycJOVWIVj0:wJEUqNd6Px5RRcsYZT/yv7yDPyeWrw
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2184 powershell.exe -
Deletes itself 1 IoCs
pid Process 1976 cmd.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SeedPhrase Converter.exe.lnk 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe -
Executes dropped EXE 1 IoCs
pid Process 1732 SeedPhrase Converter.exe -
Loads dropped DLL 1 IoCs
pid Process 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SeedPhrase Converter.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2804 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2192 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1732 SeedPhrase Converter.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2184 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe Token: SeDebugPrivilege 2184 powershell.exe Token: SeDebugPrivilege 1732 SeedPhrase Converter.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1596 wrote to memory of 2184 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 28 PID 1596 wrote to memory of 2184 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 28 PID 1596 wrote to memory of 2184 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 28 PID 1596 wrote to memory of 2184 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 28 PID 1596 wrote to memory of 2192 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 29 PID 1596 wrote to memory of 2192 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 29 PID 1596 wrote to memory of 2192 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 29 PID 1596 wrote to memory of 2192 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 29 PID 1596 wrote to memory of 1732 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 32 PID 1596 wrote to memory of 1732 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 32 PID 1596 wrote to memory of 1732 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 32 PID 1596 wrote to memory of 1732 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 32 PID 1596 wrote to memory of 1976 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 33 PID 1596 wrote to memory of 1976 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 33 PID 1596 wrote to memory of 1976 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 33 PID 1596 wrote to memory of 1976 1596 2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe 33 PID 1976 wrote to memory of 2804 1976 cmd.exe 35 PID 1976 wrote to memory of 2804 1976 cmd.exe 35 PID 1976 wrote to memory of 2804 1976 cmd.exe 35 PID 1976 wrote to memory of 2804 1976 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe"C:\Users\Admin\AppData\Local\Temp\2459850e688ccd548b5e7274f8ce714fa596a0ca7464ddc7592199d134d0d8efN.exe"1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 21:51 /du 23:59 /sc daily /ri 1 /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2192
-
-
C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9E81.tmp.cmd""2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\timeout.exetimeout 63⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2804
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
217B
MD5f38fc1b8ff53b9bfea8444b62ad09a5d
SHA1df76a4ecf981ca735c131b04888bf254f819d02d
SHA256dc4436bf6d1cadee8988796e3682897fcdd508557efbe03efc165f3e29b50e39
SHA5129b7780cc095e1bbee9082ef7b8a1254c41e01c625f27d27e2d308730f4256e8be42641cabc3b70109ca324dbb95ffe734debb7a56b17b648345d46ad859f0399
-
Filesize
5.8MB
MD58cf2656192151ec750e11dccf13adf6a
SHA1f5c8e2c55fe01832629961a5dc1d5fbdc987f079
SHA256546ad464b44fbf3058ef5c60d3d1935bab3a19aab3e38a2ea1e7e489eadf1957
SHA512ab60e70563fa17cdf162925f255709dbf459d9119dfde504c6e549b92d86d9f2a6ff63a09cdb437a6a7143c52cb29cf128db91f2fb69ab29da03b3ab138ebbe8