280268db673f66dc31e54d86de101cf8b5d52c583a9282d9c7ccb4475612a8e0

Analysis

max time kernel
14s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
Size

16KB
MD5

ffe4f9b654ff2900c2361444e1b8cc11
SHA1

e19af8a7a59f36f6dc60fccf3fed14558485400c
SHA256

05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb
SHA512

0c6b6103ec9666dd55549e9825d1b22705eb113ca3e323f4d39ef375ab58280467bc0b2677345929f46f1d558a58d356a8e469b020bb184710b18ee1220a3413
SSDEEP

384:CaeADspZKz4N+D8eoeH2uA1L7P+TPXHTBO:/spIz4N+9F2uA1nqP3g

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2792 powershell.exe
3036 powershell.exe
2544 powershell.exe
2620 powershell.exe

pid	process
2792	powershell.exe
3036	powershell.exe
2544	powershell.exe
2620	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe

description	pid	process	target process
PID 880 wrote to memory of 2792	880	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 880 wrote to memory of 2792	880	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 880 wrote to memory of 2792	880	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 880 wrote to memory of 2544	880	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 880 wrote to memory of 2544	880	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 880 wrote to memory of 2544	880	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 880 wrote to memory of 2620	880	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 880 wrote to memory of 2620	880	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 880 wrote to memory of 2620	880	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 880 wrote to memory of 3036	880	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 880 wrote to memory of 3036	880	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe
PID 880 wrote to memory of 3036	880	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
"C:\Users\Admin\AppData\Local\Temp\05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software -Name 'ISUSED' -PropertyType String -Value 'True'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software -Name 'SYS1' -PropertyType String -Value 'jKI1AOJiEyyZWRkrS9MJJ/wVpMCsd+Kq'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software -Name 'SYS2' -PropertyType String -Value 'iDC1xgNkcyY='
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8022ec79d6379a929b3b40a6cf0bbe63

SHA1
78714bbfbc70b88300e7656f28b74e15f3ab82bb

SHA256
180a443504c8855ca82be733420eda15dceddf7ecc256cf43b89cdee74702439

SHA512
5bf60d46fbeaa23b4a51ccd73b6227a64112530eacc302b0989f4ee502a9c8a41b1132a2839054a39fa0d3cf96a1bdfac92ad36520a321f946eef376519f4f04

Download Submit
C:\Users\Admin\Desktop\WHAT_HAPPEND.text

Filesize
1001B

MD5
a62c810eea9a251896ce7dec54ea4510

SHA1
589179ab0c9f962fc0c06438deb3de5cbcd38b6e

SHA256
33b503f866dc442df1dc822a01b330c2c79b8415cc9b195c40880cd43b643097

SHA512
61dfa3127546c4d5b69cf32752288111b06b047e8f336bca698411c42c8642ab952b17e8d84c163d94f60964901accaa0c073b85104ac275b50cab3b9cd8bcd9

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/880-15-0x000000001A7C0000-0x000000001A840000-memory.dmp

Filesize
512KB

Download
memory/880-1-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/880-0-0x000007FEF5DB3000-0x000007FEF5DB4000-memory.dmp

Filesize
4KB

Download
memory/2792-8-0x000007FEF3240000-0x000007FEF3BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2792-11-0x000007FEF3240000-0x000007FEF3BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2792-12-0x000007FEF3240000-0x000007FEF3BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2792-13-0x000007FEF3240000-0x000007FEF3BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2792-14-0x000007FEF3240000-0x000007FEF3BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2792-10-0x000007FEF3240000-0x000007FEF3BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2792-9-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2792-7-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2792-6-0x000007FEF34FE000-0x000007FEF34FF000-memory.dmp

Filesize
4KB

Download
memory/3036-45-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/3036-40-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download