Analysis

  • max time kernel
    64s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 09:38

General

  • Target

    2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe

  • Size

    9.6MB

  • MD5

    8168594bee79378e25b371736d38c0ae

  • SHA1

    959da3e13bdd1138ad2a86b724bd1280f405d873

  • SHA256

    2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c

  • SHA512

    f03ac700f20582f5ad5f16be396e81a21a8864c77333c53784aeab376073ccd5ba8f4a8c1482d817e2ca73b983dfb2cff4b4cf449081dbdcb5cda2305e75b08b

  • SSDEEP

    196608:wJEUqNdLdxriGIQPWbHklWs1lUYiqz+OxAvQ0qRt95CnqjkfiHGZOcVIS9fQf:eEUqNdLdxrHIQPWIlMqz+OxAvWRt95Cg

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe
    "C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 09:43 /du 23:59 /sc daily /ri 1 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1984
    • C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
      "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      PID:2876
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC6F7.tmp.cmd""
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\SysWOW64\timeout.exe
        timeout 6
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2228

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpC6F7.tmp.cmd

    Filesize

    216B

    MD5

    df16595c2d8b7a205518b629fe912980

    SHA1

    d8de8d473a8a9ccbf93a87bbd3aaf1e08ec132de

    SHA256

    b45b62d188b00c862d536b5de319cfc3cdf91c53d1e34ae6f96d8b6b80fb96db

    SHA512

    dd5dbff7ac7299f538d41e54af45cb2ae4c17feb9162ff9fab243b836f39338990ed3db0ca082251c0d9a7c9b5269785f0534d709d2f8a076b91560601f8b4ea

  • \Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe

    Filesize

    10.2MB

    MD5

    bbeed0d9c6692d2a8d3cbf10cb77e41f

    SHA1

    414ba4dc776491e96973e5838d20e8dabb55a82c

    SHA256

    6fca7d1e3548674cb6a62fcdee6999f2d1a96400aa8225a3290e8e4feff89a2b

    SHA512

    18bb8882a8dcfeb00b3b54a0d4244f579d3ceb69acbcbfea5e1d5ac369df81e572abfc90626596f0aa56d98eb47e900784fae1fda1e0a36c544f845592d13f68

  • memory/1980-0-0x000000007411E000-0x000000007411F000-memory.dmp

    Filesize

    4KB

  • memory/1980-1-0x0000000001160000-0x000000000117C000-memory.dmp

    Filesize

    112KB

  • memory/2876-17-0x00000000003E0000-0x00000000003FC000-memory.dmp

    Filesize

    112KB