Analysis
max time kernel: 90s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 10:08
Static task: static1
Behavioral task: behavioral1
  Sample: 62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe
  Resource: win7-20240729-en
General
Target: 62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe
Size: 2.8MB
MD5: ffbf297cf07adacc64c1072b7fc45ad3
SHA1: 5e6fd2a7b3eb6128d2c6ca0caa8ec5e2f39e4cc3
SHA256: 62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c
SHA512: f4fe1b6bbe7557eb276896301fd0516bfc24cfc4284d1487691ef531e466a8ec272a83627ff8f774dbe3657ff0dfd69a0842982fa0868757a48c290c25aab9a9
SSDEEP: 49152:q2nABX4VY5eEUIag7UK5bfl9GJuFxBGDw9CJpMQ9pOgQ6NIpdcD4HV:q2ABXcY5eEU8HbvGJu4DwmzOgQZpdcDO
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, and processes.

Deletes itself (1 IoC)
Processes:
  PID 3000  cmd.exe

Drops startup file (1 IoC)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk  (process: 62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe)

Executes dropped EXE (1 IoC)
Processes:
  PID 2768  apihost.exe

Loads dropped DLL (1 IoC)
Processes:
  PID 2464  62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by: apihost.exe, cmd.exe, timeout.exe, 62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe, powershell.exe, schtasks.exe

Delays execution with timeout.exe (1 IoC)
Processes:
  PID 1132  timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  PID 2768  apihost.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  PID 2172  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 2464  62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe
  Token: SeDebugPrivilege  PID 2172  powershell.exe
  Token: SeDebugPrivilege  PID 2768  apihost.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (pid -> target pid, process, procid_target; each entry recorded 4 times):
  PID 2464 wrote to memory of 2172  62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe  procid_target 30
  PID 2464 wrote to memory of 2356  62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe  procid_target 31
  PID 2464 wrote to memory of 2768  62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe  procid_target 34
  PID 2464 wrote to memory of 3000  62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe  procid_target 35
  PID 3000 wrote to memory of 1132  cmd.exe  procid_target 37
Processes

[1] C:\Users\Admin\AppData\Local\Temp\62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\62bf1c22cfff5676af918e964e59f5a49c9afc77bc166ac106087458e0bd932c.exe"
    PID: 2464
    - Drops startup file
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
      PID: 2172
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" /st 10:13 /du 23:59 /sc daily /ri 1 /f
      PID: 2356
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  [2] C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"
      PID: 2768
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8343.tmp.cmd""
      PID: 3000
      - Deletes itself
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 6
        PID: 1132
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads