Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 20-11-2024 12:02

Static task: static1

Behavioral task: behavioral1
- Sample: MB267382625AE.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: MB267382625AE.exe
- Resource: win10v2004-20241007-en
General
- Target: MB267382625AE.exe
- Size: 542KB
- MD5: 30cfd90585ed8d00c8f6507409beff00
- SHA1: 6ab2aa9cca85d4cda78da92336d7c0c5939a44c2
- SHA256: 50603d9481c76ac7052a18320666f9206f6729c78fdb779c0e7010952eaede26
- SHA512: 492500ec44b30342e0b51089fff9067c79de7f835db8b001d7abc613a09bf367302509b2d35b457a9a493a9a12f06f4e7c59b34ad3c2be3e7a403a965a5cf8e6
- SSDEEP: 12288:jao7oKJ3A0bKPXubDq+YRvHpkGN6l2lH4Wp0QEqvfjULr4nI:+o7oq3rbDqzBNNeq/LULr4
Malware Config

Signatures

- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid  | Process
  2596 | powershell.exe
  2316 | powershell.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                           | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MB267382625AE.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  | Process
  2372 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid  | Process
  2232 | MB267382625AE.exe (10 entries)
  2316 | powershell.exe
  2596 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 2232 | MB267382625AE.exe
  Token: SeDebugPrivilege | 2316 | powershell.exe
  Token: SeDebugPrivilege | 2596 | powershell.exe

- Suspicious use of WriteProcessMemory (32 IoCs)
  description                      | pid  | Process           | procid_target | entries
  PID 2232 wrote to memory of 2316 | 2232 | MB267382625AE.exe | 31            | 4
  PID 2232 wrote to memory of 2596 | 2232 | MB267382625AE.exe | 33            | 4
  PID 2232 wrote to memory of 2372 | 2232 | MB267382625AE.exe | 34            | 4
  PID 2232 wrote to memory of 2772 | 2232 | MB267382625AE.exe | 37            | 4
  PID 2232 wrote to memory of 2820 | 2232 | MB267382625AE.exe | 38            | 4
  PID 2232 wrote to memory of 2828 | 2232 | MB267382625AE.exe | 39            | 4
  PID 2232 wrote to memory of 2756 | 2232 | MB267382625AE.exe | 40            | 4
  PID 2232 wrote to memory of 1792 | 2232 | MB267382625AE.exe | 41            | 4
Processes

- C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe (level 1, PID 2232)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 2316)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 2596)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IFUybmFQxR.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe (level 2, PID 2372)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IFUybmFQxR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3553.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  - C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe (level 2, PID 2772)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe"

  - C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe (level 2, PID 2820)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe"

  - C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe (level 2, PID 2828)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe"

  - C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe (level 2, PID 2756)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe"

  - C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe (level 2, PID 1792)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MB267382625AE.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: 0ad3f5ceaacc99bb94d6248097b523d6
  SHA1: fd18543557e7d6e9bde185120c1114879316ae64
  SHA256: 639b372918dcf59287e3ad94e048e328621bbd21f0cc1b50f21313c4078e894d
  SHA512: 7004500797ad86addfc610496e9b85d3e75d9eb64a4239e7b58e05e2d37a58f6b042d69fdff6948ffa515da49902b85b4bca565690561e9f8919393734ef9daf

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 6998c1a493cb15d0051402b7beb64b87
  SHA1: b763c20e34f4cb3db37a5fccfb46273b145e1eb7
  SHA256: 81abb3b7cdddb291987c70b651fc28583b67943e1b3a49ffb64370137a915e29
  SHA512: 177e31c0c8ee2732a9f646f1a5d73bd56b614b867e11ede6c77ba0cd1343377cb7b0c4f5fe5cde120745819ea78d6a38240ff1008ab240707d9dbcc1ea042d2c