fe91eaf1edcfee57a57e9cc45b61d539cc8f3088f111799ef711830a7400234e

General

Target

ЦИТАТА.exe
Size

676KB
MD5

57d485ab07368d3d7fbd1b62b8bb6a5f
SHA1

15749ab51781854689d73a7f7a94d6052546fa9a
SHA256

2efd54686c3942f7778ae4ad63c002e50d1fd2a08fac36ac770dff40cb3e3788
SHA512

7abdbfad7c6ba7956b580c6656d4224ac5023c6df7754a35025bd82b6190f543cd35bf220e3130070799599b10b7b017e2a262d971fab29dd62e2c372a4b6118
SSDEEP

12288:vrOd+Ri3AgFd13C1/CYU0EY5ZLl2YFye+JwP78lprlDfB:tQ3Ag13EKx0BR+2YlppD5

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2880	powershell.exe
2760	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2784	2148	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ЦИТАТА.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2148	ЦИТАТА.exe
2148	ЦИТАТА.exe
2148	ЦИТАТА.exe
2880	powershell.exe
2760	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	ЦИТАТА.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2760	2148	ЦИТАТА.exe	31
PID 2148 wrote to memory of 2760	2148	ЦИТАТА.exe	31
PID 2148 wrote to memory of 2760	2148	ЦИТАТА.exe	31
PID 2148 wrote to memory of 2760	2148	ЦИТАТА.exe	31
PID 2148 wrote to memory of 2880	2148	ЦИТАТА.exe	33
PID 2148 wrote to memory of 2880	2148	ЦИТАТА.exe	33
PID 2148 wrote to memory of 2880	2148	ЦИТАТА.exe	33
PID 2148 wrote to memory of 2880	2148	ЦИТАТА.exe	33
PID 2148 wrote to memory of 3036	2148	ЦИТАТА.exe	34
PID 2148 wrote to memory of 3036	2148	ЦИТАТА.exe	34
PID 2148 wrote to memory of 3036	2148	ЦИТАТА.exe	34
PID 2148 wrote to memory of 3036	2148	ЦИТАТА.exe	34
PID 2148 wrote to memory of 2784	2148	ЦИТАТА.exe	37
PID 2148 wrote to memory of 2784	2148	ЦИТАТА.exe	37
PID 2148 wrote to memory of 2784	2148	ЦИТАТА.exe	37
PID 2148 wrote to memory of 2784	2148	ЦИТАТА.exe	37

C:\Users\Admin\AppData\Local\Temp\ЦИТАТА.exe
"C:\Users\Admin\AppData\Local\Temp\ЦИТАТА.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ЦИТАТА.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tOaFoZLjud.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tOaFoZLjud" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2211.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 1052
  2⤵
  - Program crash
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2211.tmp

Filesize
1KB

MD5
f0d4360e0429b36d53975644c25011fb

SHA1
35eb83ec27eee52b9e3521f6a281474c163f7481

SHA256
104753cacdad2a57d9182a7f0814c629c21b3a42a46d6d99c7a47be9740b79cf

SHA512
974f1ecba987a64194a37ba9adb4f07c17faed166efe621c0f057635699ddf18673fece33485365fb07203a3003a282a27c767462e2aa1b1676f1e2d19c84247

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6LDFYFBNF61Z24NEOY2L.temp

Filesize
7KB

MD5
d2dd151a62097f2a0a4ec6d8385b3424

SHA1
2e882b4de582631fae48c073f03853a456c2291a

SHA256
f3dc2dd202a8be395f7630ab8a40f14b4e90419a30747eabb0bcc77a8aadd922

SHA512
b7d091e3aaca7fe3195cfbeb229631436fd45dffe61250fc7007cb62db5fa2457cb82bbaf3b35216401b1bfd1aa405442e3af6cfa40a6fbd7f468f5db978d3cb

Download Submit
memory/2148-0-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/2148-1-0x00000000013B0000-0x000000000145E000-memory.dmp

Filesize
696KB

Download
memory/2148-2-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/2148-3-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2148-4-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/2148-5-0x0000000004EC0000-0x0000000004F38000-memory.dmp

Filesize
480KB

Download
memory/2148-18-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads