Overview

overview

10

Static

static

3

b7b3d5ad8f...51.exe

windows7-x64

8

b7b3d5ad8f...51.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2024 00:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7b3d5ad8fc8c3a000b06f1de7b637959dc6e4489ad81077fa4350159c7e3051.exe

  • Size

    6.5MB

  • MD5

    d9f1033188bc03ca4b9b95198b4cd9e3

  • SHA1

    1c68b9f83e080cce44c83d7db3257f38a6a596d0

  • SHA256

    b7b3d5ad8fc8c3a000b06f1de7b637959dc6e4489ad81077fa4350159c7e3051

  • SHA512

    6d0dd5db5da24b04aa03d3d370a31b5aa421a68f2d81eae291f6ab064541ac395b2dd0553c4fe89ffdc416261738969d66d187f6ee813e8bfed18daa383a2997

  • SSDEEP

    196608:zR668aaELtR668aaELPR668aaELZR668aaELW:zp8aawp8aayp8aa8p8aaZ

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7b3d5ad8fc8c3a000b06f1de7b637959dc6e4489ad81077fa4350159c7e3051.exe
    "C:\Users\Admin\AppData\Local\Temp\b7b3d5ad8fc8c3a000b06f1de7b637959dc6e4489ad81077fa4350159c7e3051.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b7b3d5ad8fc8c3a000b06f1de7b637959dc6e4489ad81077fa4350159c7e3051.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF9D9.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2340
    • C:\Users\Admin\AppData\Local\Temp\b7b3d5ad8fc8c3a000b06f1de7b637959dc6e4489ad81077fa4350159c7e3051.exe
      "C:\Users\Admin\AppData\Local\Temp\b7b3d5ad8fc8c3a000b06f1de7b637959dc6e4489ad81077fa4350159c7e3051.exe"
      2⤵
        PID:2676
      • C:\Users\Admin\AppData\Local\Temp\b7b3d5ad8fc8c3a000b06f1de7b637959dc6e4489ad81077fa4350159c7e3051.exe
        "C:\Users\Admin\AppData\Local\Temp\b7b3d5ad8fc8c3a000b06f1de7b637959dc6e4489ad81077fa4350159c7e3051.exe"
        2⤵
          PID:2744
        • C:\Users\Admin\AppData\Local\Temp\b7b3d5ad8fc8c3a000b06f1de7b637959dc6e4489ad81077fa4350159c7e3051.exe
          "C:\Users\Admin\AppData\Local\Temp\b7b3d5ad8fc8c3a000b06f1de7b637959dc6e4489ad81077fa4350159c7e3051.exe"
          2⤵
            PID:2628
          • C:\Users\Admin\AppData\Local\Temp\b7b3d5ad8fc8c3a000b06f1de7b637959dc6e4489ad81077fa4350159c7e3051.exe
            "C:\Users\Admin\AppData\Local\Temp\b7b3d5ad8fc8c3a000b06f1de7b637959dc6e4489ad81077fa4350159c7e3051.exe"
            2⤵
              PID:2624
            • C:\Users\Admin\AppData\Local\Temp\b7b3d5ad8fc8c3a000b06f1de7b637959dc6e4489ad81077fa4350159c7e3051.exe
              "C:\Users\Admin\AppData\Local\Temp\b7b3d5ad8fc8c3a000b06f1de7b637959dc6e4489ad81077fa4350159c7e3051.exe"
              2⤵
                PID:2644

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpF9D9.tmp
              Filesize

              1KB

              MD5

              9028ec09041a481937b1c4ab49cfb89a

              SHA1

              7386d2d2e75bf29f9aa5ffb53f53b63c9393a2da

              SHA256

              320095fee55ae40198538d85634a3ec2adc22c7e4d2b5ed0b2079cda267ecf26

              SHA512

              990050d2055a976e7595b598944ef73e3decd3c63e2a69b83099e05af2701732c877a20fcab757eda8bdeefc326c7a4df5c377d92de1c5b1a7e05b22f2be7d7d

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JZKMPOG81S7GLWOYE5VD.temp
              Filesize

              7KB

              MD5

              f540270810282a02078ec077e62f69d5

              SHA1

              c7e478a07056b4399b9b185c80f62f5adc734997

              SHA256

              e2277e5edc1154b4ea3ead623b16b541365569eaddb9e6f6a047440350fd8f2f

              SHA512

              2a5e099aa58340464eea0d6c323dade1c2b405713cf5ef41e2006948054a1a55cd8cc39298f35d1e41bba96be3d09f76ff15ab525d45e671ffc446ac53666733

              Download Submit

            • memory/2560-0-0x000000007402E000-0x000000007402F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2560-1-0x0000000000310000-0x0000000000996000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/2560-2-0x0000000074020000-0x000000007470E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2560-3-0x0000000000A60000-0x0000000000A78000-memory.dmp

              Filesize

              96KB

              Download

            • memory/2560-4-0x000000007402E000-0x000000007402F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2560-5-0x0000000074020000-0x000000007470E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2560-6-0x0000000005620000-0x000000000579E000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/2560-19-0x0000000074020000-0x000000007470E000-memory.dmp

              Filesize

              6.9MB

              Download