Overview

overview

10

Static

static

3

MB267382625AE.exe

windows7-x64

8

MB267382625AE.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 12:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MB267382625AE.exe

  • Size

    542KB

  • MD5

    30cfd90585ed8d00c8f6507409beff00

  • SHA1

    6ab2aa9cca85d4cda78da92336d7c0c5939a44c2

  • SHA256

    50603d9481c76ac7052a18320666f9206f6729c78fdb779c0e7010952eaede26

  • SHA512

    492500ec44b30342e0b51089fff9067c79de7f835db8b001d7abc613a09bf367302509b2d35b457a9a493a9a12f06f4e7c59b34ad3c2be3e7a403a965a5cf8e6

  • SSDEEP

    12288:jao7oKJ3A0bKPXubDq+YRvHpkGN6l2lH4Wp0QEqvfjULr4nI:+o7oq3rbDqzBNNeq/LULr4

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe
    "C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2316
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IFUybmFQxR.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IFUybmFQxR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3553.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2372
    • C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe
      "C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe"
      2⤵
        PID:2772
      • C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe
        "C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe"
        2⤵
          PID:2820
        • C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe
          "C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe"
          2⤵
            PID:2828
          • C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe
            "C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe"
            2⤵
              PID:2756
            • C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe
              "C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe"
              2⤵
                PID:1792

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp3553.tmp
              Filesize

              1KB

              MD5

              0ad3f5ceaacc99bb94d6248097b523d6

              SHA1

              fd18543557e7d6e9bde185120c1114879316ae64

              SHA256

              639b372918dcf59287e3ad94e048e328621bbd21f0cc1b50f21313c4078e894d

              SHA512

              7004500797ad86addfc610496e9b85d3e75d9eb64a4239e7b58e05e2d37a58f6b042d69fdff6948ffa515da49902b85b4bca565690561e9f8919393734ef9daf

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Filesize

              7KB

              MD5

              6998c1a493cb15d0051402b7beb64b87

              SHA1

              b763c20e34f4cb3db37a5fccfb46273b145e1eb7

              SHA256

              81abb3b7cdddb291987c70b651fc28583b67943e1b3a49ffb64370137a915e29

              SHA512

              177e31c0c8ee2732a9f646f1a5d73bd56b614b867e11ede6c77ba0cd1343377cb7b0c4f5fe5cde120745819ea78d6a38240ff1008ab240707d9dbcc1ea042d2c

              Download Submit

            • memory/2232-0-0x000000007465E000-0x000000007465F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2232-1-0x00000000003E0000-0x000000000046E000-memory.dmp

              Filesize

              568KB

              Download

            • memory/2232-2-0x0000000074650000-0x0000000074D3E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2232-3-0x000000007465E000-0x000000007465F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2232-4-0x0000000000470000-0x0000000000482000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2232-5-0x0000000074650000-0x0000000074D3E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2232-6-0x00000000049A0000-0x0000000004A0C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/2232-19-0x0000000074650000-0x0000000074D3E000-memory.dmp

              Filesize

              6.9MB

              Download