Overview

overview

10

Static

static

3

PO] G_2437...58.exe

windows7-x64

8

PO] G_2437...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 03:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO] G_24370-24396_SI2_S25_8658.exe

  • Size

    957KB

  • MD5

    017162607e416c71df1a928cc1b1c050

  • SHA1

    ce9608b1b166a1eca94bcaa8c55dc71f5bbc0778

  • SHA256

    bcf46942b4fdd78b37ed54df727baa7c0b5e944257dce860f3fc8fd19313f520

  • SHA512

    545da1840581bbd1e7aeef14288abc6df839f39a3250b7d3461b73382f55cea04f3f2f6df099b81a6517244b3db182b68c8c14e59970c5f83acb1066f14b3e0e

  • SSDEEP

    24576:t9Orrbz6WzxWnTS/u8OWnMCi3NN2bSUKy:Kz6IWnTrrW/6NN2Ou

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO] G_24370-24396_SI2_S25_8658.exe
    "C:\Users\Admin\AppData\Local\Temp\PO] G_24370-24396_SI2_S25_8658.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO] G_24370-24396_SI2_S25_8658.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2864
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zwsiyIumDtxan.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zwsiyIumDtxan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp474.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2732
    • C:\Users\Admin\AppData\Local\Temp\PO] G_24370-24396_SI2_S25_8658.exe
      "C:\Users\Admin\AppData\Local\Temp\PO] G_24370-24396_SI2_S25_8658.exe"
      2⤵
        PID:2628
      • C:\Users\Admin\AppData\Local\Temp\PO] G_24370-24396_SI2_S25_8658.exe
        "C:\Users\Admin\AppData\Local\Temp\PO] G_24370-24396_SI2_S25_8658.exe"
        2⤵
          PID:2660
        • C:\Users\Admin\AppData\Local\Temp\PO] G_24370-24396_SI2_S25_8658.exe
          "C:\Users\Admin\AppData\Local\Temp\PO] G_24370-24396_SI2_S25_8658.exe"
          2⤵
            PID:1664
          • C:\Users\Admin\AppData\Local\Temp\PO] G_24370-24396_SI2_S25_8658.exe
            "C:\Users\Admin\AppData\Local\Temp\PO] G_24370-24396_SI2_S25_8658.exe"
            2⤵
              PID:2692
            • C:\Users\Admin\AppData\Local\Temp\PO] G_24370-24396_SI2_S25_8658.exe
              "C:\Users\Admin\AppData\Local\Temp\PO] G_24370-24396_SI2_S25_8658.exe"
              2⤵
                PID:3012

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp474.tmp
              Filesize

              1KB

              MD5

              a5e2c51f2c3e0798d5854edccc7ea810

              SHA1

              acf7116f081d093be545377915003541d50bc074

              SHA256

              62c2d8ce7bcf9307520e245960f8c41f68879557f573b77091fa57901b78950b

              SHA512

              d6a975ab4a9fff2dcac83d4169d65403ab443761de390226c123635a096edada3c86845e324a88b6650a67ddb2536331b20a4c48cf96945fa6d1e36ed4084f2c

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J8KIE9NUDROTKXQHVS6S.temp
              Filesize

              7KB

              MD5

              207ae456beb648a5c7fe879c0d1b7fe1

              SHA1

              5707fef90b326e10d7e7a0cbaa32bd5519c48760

              SHA256

              af788c382ab42ef2ca2b07af495fd59c517812fd1375ad6eba93ac717a33818e

              SHA512

              9f53b5e81347fa168e1202b3bb966b7acc1eec7381dfc8688938d3f89303a946d00a0c3eeda44ce3185fb32b65c9f1780ab17e3d2aac9e99f8cf770f156fed00

              Download Submit

            • memory/2916-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2916-1-0x0000000000340000-0x0000000000436000-memory.dmp

              Filesize

              984KB

              Download

            • memory/2916-2-0x0000000074E80000-0x000000007556E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2916-3-0x00000000005F0000-0x0000000000602000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2916-4-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2916-5-0x0000000074E80000-0x000000007556E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2916-6-0x0000000005340000-0x00000000053C6000-memory.dmp

              Filesize

              536KB

              Download

            • memory/2916-19-0x0000000074E80000-0x000000007556E000-memory.dmp

              Filesize

              6.9MB

              Download