Overview

overview

10

Static

static

3

b47f145575...16.exe

windows7-x64

10

b47f145575...16.exe

windows10-2004-x64

10

$TEMP/K3M6...22.exe

windows7-x64

10

$TEMP/K3M6...22.exe

windows10-2004-x64

10

$TEMP/Self...ed.exe

windows7-x64

8

$TEMP/Self...ed.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    116s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 10:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $TEMP/Selfconvened.exe

  • Size

    4.5MB

  • MD5

    64b5e984fda860eedf19c29a124094fb

  • SHA1

    760c195741989e17b48ad52c13bed35e8ea51692

  • SHA256

    1f47c67d3baa635c4b7dd2bfed0a26a6bd499c3ab5a64d10b391a52e7d71ba39

  • SHA512

    187dbbc7137db41da77dd5c3d1471f82b157d031653109632adb9c49ea519f452b661cfd1845512661dcdb3b00bf2a02b2c3504406fb19ad89b06fcd6afee4e4

  • SSDEEP

    98304:xLIWL25lsofrCgl5PmHGjCYv8LHPrVWPa5Qwy:Fslsofuit0bJWPa5QJ

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\Selfconvened.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\Selfconvened.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Windows\system32\cmd.exe
      "cmd" #cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1020
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3040
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /f /sc minute /rl highest /mo 1 /tn "Bobsledding" /tr "C:\Windows\system32\WindowsPro\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2576
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {CD7822F0-546D-4EA6-86BB-A000AA201D25} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\system32\WindowsPro\svchost.exe
      C:\Windows\system32\WindowsPro\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:592
    • C:\Windows\system32\WindowsPro\svchost.exe
      C:\Windows\system32\WindowsPro\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    f2002f64302f47f4b5077d443d8bf1e9

    SHA1

    f3d21fcdf004375fc1db6dea57dc578ede1681c7

    SHA256

    9f72b7de74ada5fc628fb5f8d4ef9f7cb4e13894551df76260c531ccb9fb9bc8

    SHA512

    099bff18e3923cdbb104270718984e75fecb2e1de6ab788411964a6da6db35552f69ffc34b09c258698e9ac6dc47d14997b9e4b94bc093f7251b81c44f0ca668

    Download Submit

  • C:\Windows\System32\WindowsPro\svchost.exe
    Filesize

    10.6MB

    MD5

    d4e78894075f6d33163a09495bef6a06

    SHA1

    644388ba80132608f1f8b28108e9e846d72fb445

    SHA256

    5cebd33c6f5dee6bba0517ef6c93892516229dd7ebff524ed49551b26b9cf573

    SHA512

    acdbe4da39e41302c4927f9a7ad0ed6ab736290eb1696214f3fff0cbc09625a015f2e236e538d2c826cd9d0af57969d1f860ef91e65c4a55cd884dfd39d275ee

    Download Submit

  • memory/592-33-0x0000000000820000-0x0000000000C9A000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1020-21-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1020-20-0x000000001B210000-0x000000001B4F2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1492-10-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1492-4-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1492-7-0x0000000020EA0000-0x0000000021248000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1492-8-0x0000000021250000-0x00000000214F4000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/1492-9-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1492-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1492-5-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1492-6-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1492-3-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1492-2-0x000000001C560000-0x000000001C918000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1492-34-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1492-1-0x0000000000210000-0x000000000068A000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1968-36-0x0000000000E50000-0x00000000012CA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/3040-28-0x0000000002660000-0x0000000002668000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3040-27-0x000000001B300000-0x000000001B5E2000-memory.dmp

    Filesize

    2.9MB

    Download