abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4ade

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29/11/2024, 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
Size

964KB
MD5

ceb204ea34f5fb871c3d6cb84d6412a0
SHA1

705a6497dfbd6b8b35c0a5dc0d0170f29d1e90d9
SHA256

abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4ade
SHA512

cadba3cfa0282953cc729f62cc391d27efd77845b475ca9bf5dad905aa07e89b29bcdf098a85e34b0475871d019b8385b576a022d568f3ef70a05a14c42887e4
SSDEEP

12288:1Cb+eCSmSykDxVpYxfkC/ORUTzNV8y1A3P2quSfIIsVSV2aOoJhqE2gytJXrkR:MCoBxVWx9ORmzAu0PVAfE2gytJXu

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2912	powershell.exe
2676	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
2676	powershell.exe
2912	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2912	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	30
PID 2876 wrote to memory of 2912	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	30
PID 2876 wrote to memory of 2912	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	30
PID 2876 wrote to memory of 2912	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	30
PID 2876 wrote to memory of 2676	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	32
PID 2876 wrote to memory of 2676	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	32
PID 2876 wrote to memory of 2676	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	32
PID 2876 wrote to memory of 2676	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	32
PID 2876 wrote to memory of 2708	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	34
PID 2876 wrote to memory of 2708	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	34
PID 2876 wrote to memory of 2708	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	34
PID 2876 wrote to memory of 2708	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	34
PID 2876 wrote to memory of 1476	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	36
PID 2876 wrote to memory of 1476	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	36
PID 2876 wrote to memory of 1476	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	36
PID 2876 wrote to memory of 1476	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	36
PID 2876 wrote to memory of 708	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	37
PID 2876 wrote to memory of 708	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	37
PID 2876 wrote to memory of 708	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	37
PID 2876 wrote to memory of 708	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	37
PID 2876 wrote to memory of 2900	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	38
PID 2876 wrote to memory of 2900	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	38
PID 2876 wrote to memory of 2900	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	38
PID 2876 wrote to memory of 2900	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	38
PID 2876 wrote to memory of 2548	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	39
PID 2876 wrote to memory of 2548	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	39
PID 2876 wrote to memory of 2548	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	39
PID 2876 wrote to memory of 2548	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	39
PID 2876 wrote to memory of 528	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	40
PID 2876 wrote to memory of 528	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	40
PID 2876 wrote to memory of 528	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	40
PID 2876 wrote to memory of 528	2876	abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe	40

C:\Users\Admin\AppData\Local\Temp\abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
"C:\Users\Admin\AppData\Local\Temp\abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\upCSTLfHzsQ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\upCSTLfHzsQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC5FD.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
  "C:\Users\Admin\AppData\Local\Temp\abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe"
  2⤵
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
  "C:\Users\Admin\AppData\Local\Temp\abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe"
  2⤵
  PID:708
- C:\Users\Admin\AppData\Local\Temp\abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
  "C:\Users\Admin\AppData\Local\Temp\abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe"
  2⤵
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
  "C:\Users\Admin\AppData\Local\Temp\abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe"
  2⤵
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe
  "C:\Users\Admin\AppData\Local\Temp\abdcdab6bbb236063e2e8eeba4c42a18fca87491dd340c90cba6c40c85db4adeN.exe"
  2⤵
  PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC5FD.tmp

Filesize
1KB

MD5
fa24b0b5e46d6574106c042c17a574d0

SHA1
eea8dec544cbae867a1e3a3c7c15f25e12bc6688

SHA256
76b92ed7c39ed1251c638f1038b3eedbc6e088c4a7b24b42ac72e13a02e5c4f1

SHA512
fca14262bf1c9b806d65d2e65a06037aabbd0593a2eee2b64e05899a9fdcc71751fa68e7e1ca225ddb8143f2ed43be58539c7989dd8d6dcdbf41d6e9fa13ba45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E065YAYUCC57AISP8I0F.temp

Filesize
7KB

MD5
47fd41b6496d4e51c460e3c9cb39ffd0

SHA1
ab8e1c6bd2231b032c1af0b0e621adb50738218c

SHA256
c031a049c6e3e6a5fa37b0ac0626fafd4fc9a195abb77d704ca56aec0e50aeb8

SHA512
152d2f8a2062f99a132adc8be4465ff948e2ff143680f9e44eeaf72c45b1edc1e360210856f64b506d9832fe4d17d063cb0bc92c7102ddd5b8ab4499c888e5cd

Download Submit
memory/2876-0-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

Filesize
4KB

Download
memory/2876-1-0x0000000000170000-0x0000000000264000-memory.dmp

Filesize
976KB

Download
memory/2876-2-0x0000000074CC0000-0x00000000753AE000-memory.dmp

Filesize
6.9MB

Download
memory/2876-3-0x00000000006A0000-0x00000000006BC000-memory.dmp

Filesize
112KB

Download
memory/2876-4-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

Filesize
4KB

Download
memory/2876-5-0x0000000074CC0000-0x00000000753AE000-memory.dmp

Filesize
6.9MB

Download
memory/2876-6-0x0000000004E80000-0x0000000004F40000-memory.dmp

Filesize
768KB

Download
memory/2876-19-0x0000000074CC0000-0x00000000753AE000-memory.dmp

Filesize
6.9MB

Download