8d2f2dce701f8dc555e74b53bfaf7a1337027adc7fadc094b2eba3bb5b688f1b

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/11/2024, 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT18.exe
Size

12KB
MD5

ceb5022b92f0429137dc0fb67371e901
SHA1

999932b537591401dfa1a74df00dae99264bd994
SHA256

8d2f2dce701f8dc555e74b53bfaf7a1337027adc7fadc094b2eba3bb5b688f1b
SHA512

a7acdf417ef81f131c050bc8bd364edddf7a2ebc446c69411d549c14ca8967af7b8c8a2d4556018f148d1b57bc985e10104cdc72e2bed518cfe3280b0254a3d8
SSDEEP

192:knUbCDQoJq4Hb0jPuiJddudb7Z+XX1cNIQKXy+AFtaffEOsSRMWSVP1W58:kg3MGWimFNIQKX4Fgf8OxRBSVU

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
560	powershell.exe
1560	powershell.exe
2696	powershell.exe
2172	powershell.exe
2264	powershell.exe
1292	powershell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2608	1404	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TT18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1560	powershell.exe
2696	powershell.exe
2172	powershell.exe
2264	powershell.exe
1292	powershell.exe
560	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	TT18.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1560	1404	TT18.exe	32
PID 1404 wrote to memory of 1560	1404	TT18.exe	32
PID 1404 wrote to memory of 1560	1404	TT18.exe	32
PID 1404 wrote to memory of 1560	1404	TT18.exe	32
PID 1560 wrote to memory of 2696	1560	powershell.exe	34
PID 1560 wrote to memory of 2696	1560	powershell.exe	34
PID 1560 wrote to memory of 2696	1560	powershell.exe	34
PID 1560 wrote to memory of 2696	1560	powershell.exe	34
PID 1404 wrote to memory of 2172	1404	TT18.exe	35
PID 1404 wrote to memory of 2172	1404	TT18.exe	35
PID 1404 wrote to memory of 2172	1404	TT18.exe	35
PID 1404 wrote to memory of 2172	1404	TT18.exe	35
PID 2172 wrote to memory of 2264	2172	powershell.exe	37
PID 2172 wrote to memory of 2264	2172	powershell.exe	37
PID 2172 wrote to memory of 2264	2172	powershell.exe	37
PID 2172 wrote to memory of 2264	2172	powershell.exe	37
PID 1404 wrote to memory of 1292	1404	TT18.exe	38
PID 1404 wrote to memory of 1292	1404	TT18.exe	38
PID 1404 wrote to memory of 1292	1404	TT18.exe	38
PID 1404 wrote to memory of 1292	1404	TT18.exe	38
PID 1292 wrote to memory of 560	1292	powershell.exe	40
PID 1292 wrote to memory of 560	1292	powershell.exe	40
PID 1292 wrote to memory of 560	1292	powershell.exe	40
PID 1292 wrote to memory of 560	1292	powershell.exe	40
PID 1404 wrote to memory of 2608	1404	TT18.exe	41
PID 1404 wrote to memory of 2608	1404	TT18.exe	41
PID 1404 wrote to memory of 2608	1404	TT18.exe	41
PID 1404 wrote to memory of 2608	1404	TT18.exe	41

C:\Users\Admin\AppData\Local\Temp\TT18.exe
"C:\Users\Admin\AppData\Local\Temp\TT18.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\f4U6JeYse'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\f4U6JeYse
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1272
  2⤵
  - Program crash
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c455eb5545e18eb066d93bb3def7e5fe

SHA1
96e0f28ccb897ed8c60b29711459fe0ca02508cb

SHA256
720aa8c0d382c26f3621edbcd8fc47e3e39832e03f31fc4890a64f0a3f763aa0

SHA512
1597902aadf0ca510864926d03b91ffdbebf1773044be26a25b912c7baf995f1119d8a70caa25372a36719cac3abb7fe0dfbc0495791eb11cd4722ac6d640260

Download Submit
memory/1404-1-0x00000000013B0000-0x00000000013BA000-memory.dmp

Filesize
40KB

Download
memory/1404-2-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/1404-38-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/1404-37-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/1404-36-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/1404-0-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/1560-7-0x0000000070E00000-0x00000000713AB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-9-0x0000000070E00000-0x00000000713AB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-15-0x0000000070E00000-0x00000000713AB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-8-0x0000000070E00000-0x00000000713AB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-6-0x0000000070E00000-0x00000000713AB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-5-0x0000000070E01000-0x0000000070E02000-memory.dmp

Filesize
4KB

Download