2bb2c59d97f7aa971f1fcd7518fcf4331550029765b0943f84d32d5eec603760

General

Target

2/7loader.exe
Size

21KB
MD5

489d2bb73c3c5b44e0f315b2ce9381b3
SHA1

4b08586aee68bee50c1f5aaadf1afafe30743b48
SHA256

849ae339eb4480f2f3187b50c1413e187bed698b2a196e515eb219244e2e8dd8
SHA512

1eec009178f92f3d4cd6813aa17a6a55c1ddb174811cca662f709e45a23ccc5ce847238f442aa1bca7edc2e4c9865fb0f32781df5d7d7f8ca9c78190c025fdec
SSDEEP

384:V0KxGphJ6zC2eEF/dHoCkX73hDsSfkksLxG5wrNv+a2VSDSaVrr:+6zCY/+X7kpG5wrNGa2VSDSal

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2780 powershell.exe
2300 powershell.exe
2796 powershell.exe
2336 powershell.exe
2892 powershell.exe
2828 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2780	powershell.exe
2300	powershell.exe
2796	powershell.exe
2336	powershell.exe
2892	powershell.exe
2828	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exe7loader.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2336 powershell.exe
2892 powershell.exe
2828 powershell.exe
2780 powershell.exe
2300 powershell.exe
2796 powershell.exe

pid	process
2336	powershell.exe
2892	powershell.exe
2828	powershell.exe
2780	powershell.exe
2300	powershell.exe
2796	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

7loader.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1860	7loader.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

7loader.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1860 wrote to memory of 2336	1860	7loader.exe	powershell.exe
PID 1860 wrote to memory of 2336	1860	7loader.exe	powershell.exe
PID 1860 wrote to memory of 2336	1860	7loader.exe	powershell.exe
PID 1860 wrote to memory of 2336	1860	7loader.exe	powershell.exe
PID 2336 wrote to memory of 2892	2336	powershell.exe	powershell.exe
PID 2336 wrote to memory of 2892	2336	powershell.exe	powershell.exe
PID 2336 wrote to memory of 2892	2336	powershell.exe	powershell.exe
PID 2336 wrote to memory of 2892	2336	powershell.exe	powershell.exe
PID 1860 wrote to memory of 2828	1860	7loader.exe	powershell.exe
PID 1860 wrote to memory of 2828	1860	7loader.exe	powershell.exe
PID 1860 wrote to memory of 2828	1860	7loader.exe	powershell.exe
PID 1860 wrote to memory of 2828	1860	7loader.exe	powershell.exe
PID 2828 wrote to memory of 2780	2828	powershell.exe	powershell.exe
PID 2828 wrote to memory of 2780	2828	powershell.exe	powershell.exe
PID 2828 wrote to memory of 2780	2828	powershell.exe	powershell.exe
PID 2828 wrote to memory of 2780	2828	powershell.exe	powershell.exe
PID 1860 wrote to memory of 2300	1860	7loader.exe	powershell.exe
PID 1860 wrote to memory of 2300	1860	7loader.exe	powershell.exe
PID 1860 wrote to memory of 2300	1860	7loader.exe	powershell.exe
PID 1860 wrote to memory of 2300	1860	7loader.exe	powershell.exe
PID 2300 wrote to memory of 2796	2300	powershell.exe	powershell.exe
PID 2300 wrote to memory of 2796	2300	powershell.exe	powershell.exe
PID 2300 wrote to memory of 2796	2300	powershell.exe	powershell.exe
PID 2300 wrote to memory of 2796	2300	powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\2\7loader.exe
"C:\Users\Admin\AppData\Local\Temp\2\7loader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Reiop'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Reiop
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8bcd29a325c396ab333cb95c5b7cf6ca

SHA1
40bc03232015d4f9bdb853957ea813c831202de4

SHA256
bb627ee8b200defc87d7200257604355a9e73f36adec81ea07aecaa7e56e534b

SHA512
3c2450853931da2f887eeb7646edcd5dea2bfc54a21f28a64dd4dd6404c7210a4442038b2a03812c6d492829550a41c441a54a7e8e666d5b4053e915d5adc29d

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1860-1-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/1860-2-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1860-21-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/1860-22-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1860-0-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/2336-8-0x0000000071930000-0x0000000071EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2336-9-0x0000000071930000-0x0000000071EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2336-15-0x0000000071930000-0x0000000071EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2336-7-0x0000000071930000-0x0000000071EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2336-5-0x0000000002DB0000-0x0000000002DF0000-memory.dmp

Filesize
256KB

Download
memory/2336-6-0x0000000071931000-0x0000000071932000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads