2bb2c59d97f7aa971f1fcd7518fcf4331550029765b0943f84d32d5eec603760

General

Target

2/7loader.exe
Size

21KB
MD5

489d2bb73c3c5b44e0f315b2ce9381b3
SHA1

4b08586aee68bee50c1f5aaadf1afafe30743b48
SHA256

849ae339eb4480f2f3187b50c1413e187bed698b2a196e515eb219244e2e8dd8
SHA512

1eec009178f92f3d4cd6813aa17a6a55c1ddb174811cca662f709e45a23ccc5ce847238f442aa1bca7edc2e4c9865fb0f32781df5d7d7f8ca9c78190c025fdec
SSDEEP

384:V0KxGphJ6zC2eEF/dHoCkX73hDsSfkksLxG5wrNv+a2VSDSaVrr:+6zCY/+X7kpG5wrNGa2VSDSal

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2760	powershell.exe
2832	powershell.exe
2636	powershell.exe
2644	powershell.exe
1708	powershell.exe
1908	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7loader.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1908	powershell.exe
2760	powershell.exe
2832	powershell.exe
2636	powershell.exe
2644	powershell.exe
1708	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

7loader.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1640	7loader.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

7loader.exepowershell.exepowershell.exepowershell.exe

description	pid	Process	procid_target
PID 1640 wrote to memory of 1908	1640	7loader.exe	31
PID 1640 wrote to memory of 1908	1640	7loader.exe	31
PID 1640 wrote to memory of 1908	1640	7loader.exe	31
PID 1640 wrote to memory of 1908	1640	7loader.exe	31
PID 1908 wrote to memory of 2760	1908	powershell.exe	33
PID 1908 wrote to memory of 2760	1908	powershell.exe	33
PID 1908 wrote to memory of 2760	1908	powershell.exe	33
PID 1908 wrote to memory of 2760	1908	powershell.exe	33
PID 1640 wrote to memory of 2832	1640	7loader.exe	34
PID 1640 wrote to memory of 2832	1640	7loader.exe	34
PID 1640 wrote to memory of 2832	1640	7loader.exe	34
PID 1640 wrote to memory of 2832	1640	7loader.exe	34
PID 2832 wrote to memory of 2636	2832	powershell.exe	36
PID 2832 wrote to memory of 2636	2832	powershell.exe	36
PID 2832 wrote to memory of 2636	2832	powershell.exe	36
PID 2832 wrote to memory of 2636	2832	powershell.exe	36
PID 1640 wrote to memory of 2644	1640	7loader.exe	37
PID 1640 wrote to memory of 2644	1640	7loader.exe	37
PID 1640 wrote to memory of 2644	1640	7loader.exe	37
PID 1640 wrote to memory of 2644	1640	7loader.exe	37
PID 2644 wrote to memory of 1708	2644	powershell.exe	39
PID 2644 wrote to memory of 1708	2644	powershell.exe	39
PID 2644 wrote to memory of 1708	2644	powershell.exe	39
PID 2644 wrote to memory of 1708	2644	powershell.exe	39

C:\Users\Admin\AppData\Local\Temp\2\7loader.exe
"C:\Users\Admin\AppData\Local\Temp\2\7loader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Reiop'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Reiop
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a088c5ca024422addd7cdbab2a360860

SHA1
4a1c82e8f348e445c779002c72c66d30ec693ee3

SHA256
70039ac3a1c0a96d0a42de483b239f271cdac72010e0ef28f409dc68b20537f2

SHA512
7cceec29aecae0eb2cc886e044236645d4160af771eed56b5ebeb4f741c0ad291e7644bb30fe4b150b6116559d87db897f06a4f4d2b7c586a54030b557e4a804

Download Submit
memory/1640-0-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/1640-1-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/1640-2-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/1640-25-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/1640-20-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/1908-5-0x0000000071001000-0x0000000071002000-memory.dmp

Filesize
4KB

Download
memory/1908-6-0x0000000071000000-0x00000000715AB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-7-0x0000000071000000-0x00000000715AB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-13-0x0000000071000000-0x00000000715AB000-memory.dmp

Filesize
5.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads