280268db673f66dc31e54d86de101cf8b5d52c583a9282d9c7ccb4475612a8e0

Analysis

max time kernel
361s
max time network
362s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
Size

16KB
MD5

ffe4f9b654ff2900c2361444e1b8cc11
SHA1

e19af8a7a59f36f6dc60fccf3fed14558485400c
SHA256

05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb
SHA512

0c6b6103ec9666dd55549e9825d1b22705eb113ca3e323f4d39ef375ab58280467bc0b2677345929f46f1d558a58d356a8e469b020bb184710b18ee1220a3413
SSDEEP

384:CaeADspZKz4N+D8eoeH2uA1L7P+TPXHTBO:/spIz4N+9F2uA1nqP3g

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2844	powershell.exe
2632	powershell.exe
2592	powershell.exe
2700	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe

description	pid	Process	procid_target
PID 2316 wrote to memory of 2844	2316	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	31
PID 2316 wrote to memory of 2844	2316	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	31
PID 2316 wrote to memory of 2844	2316	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	31
PID 2316 wrote to memory of 2632	2316	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	32
PID 2316 wrote to memory of 2632	2316	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	32
PID 2316 wrote to memory of 2632	2316	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	32
PID 2316 wrote to memory of 2592	2316	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	34
PID 2316 wrote to memory of 2592	2316	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	34
PID 2316 wrote to memory of 2592	2316	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	34
PID 2316 wrote to memory of 2700	2316	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	36
PID 2316 wrote to memory of 2700	2316	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	36
PID 2316 wrote to memory of 2700	2316	05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe	36

C:\Users\Admin\AppData\Local\Temp\05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
"C:\Users\Admin\AppData\Local\Temp\05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software -Name 'ISUSED' -PropertyType String -Value 'True'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software -Name 'SYS1' -PropertyType String -Value '9VXtUKNFmY9BNk5kteYPmfuqhbDolrIn'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path Registry::HKEY_CURRENT_USER\Software -Name 'SYS2' -PropertyType String -Value 'f2k775sdzuk='
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e28f3988710bdd5cfec7b556b97d9d4d

SHA1
4e11ea4780f22c7d051351f3b35ba56e6aab89b6

SHA256
68684035038bcc10283ad444c78e9ef5a3bb3a8bb4f95c38bc9d0db903a11cb9

SHA512
b92b245b527420a491b694f75132dc09c28ff267cc89d8f3abe4972431765ed47c540eaef25ed4c797d5bcb15618b142ef8a4dd639eeef20663c677335d79230

Download Submit
C:\Users\Admin\Desktop\WHAT_HAPPEND.text

Filesize
637B

MD5
cbbc1ff783d8d10267ad774e9d96d2b2

SHA1
865c36ea47d8c40e500f293d3b1db46f76eb7dc6

SHA256
1672664b1b187f79da2130717038afcd69382a47ddbf0c88bd69a501ca774fd7

SHA512
68ed51ce019be7bc67274e41b56098d4ecd31ec96b709efdc9ca1431bd76120d58a8d7b3c2725e43dfeb0006048ba076c43ab42e4b06c20963923eb73fa63781

Download Submit
memory/2316-13-0x000000001AED0000-0x000000001AF50000-memory.dmp

Filesize
512KB

Download
memory/2316-1-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2316-0-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

Filesize
4KB

Download
memory/2632-40-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/2632-34-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2844-7-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2844-12-0x000007FEF2E70000-0x000007FEF380D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-11-0x000007FEF2E70000-0x000007FEF380D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-10-0x000007FEF2E70000-0x000007FEF380D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-9-0x000007FEF2E70000-0x000007FEF380D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-8-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2844-6-0x000007FEF312E000-0x000007FEF312F000-memory.dmp

Filesize
4KB

Download