12ca4ad8cd613c8d086cd39a5c6e787c12209f2271ba850817b72eae3cd559da

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT18.exe
Size

12KB
MD5

ceb5022b92f0429137dc0fb67371e901
SHA1

999932b537591401dfa1a74df00dae99264bd994
SHA256

8d2f2dce701f8dc555e74b53bfaf7a1337027adc7fadc094b2eba3bb5b688f1b
SHA512

a7acdf417ef81f131c050bc8bd364edddf7a2ebc446c69411d549c14ca8967af7b8c8a2d4556018f148d1b57bc985e10104cdc72e2bed518cfe3280b0254a3d8
SSDEEP

192:knUbCDQoJq4Hb0jPuiJddudb7Z+XX1cNIQKXy+AFtaffEOsSRMWSVP1W58:kg3MGWimFNIQKX4Fgf8OxRBSVU

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2188	powershell.exe
2440	powershell.exe
2860	powershell.exe
2620	powershell.exe
2672	powershell.exe
3036	powershell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1388	1304	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TT18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2188	powershell.exe
2440	powershell.exe
2860	powershell.exe
2620	powershell.exe
2672	powershell.exe
3036	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	TT18.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2188	1304	TT18.exe	31
PID 1304 wrote to memory of 2188	1304	TT18.exe	31
PID 1304 wrote to memory of 2188	1304	TT18.exe	31
PID 1304 wrote to memory of 2188	1304	TT18.exe	31
PID 2188 wrote to memory of 2440	2188	powershell.exe	33
PID 2188 wrote to memory of 2440	2188	powershell.exe	33
PID 2188 wrote to memory of 2440	2188	powershell.exe	33
PID 2188 wrote to memory of 2440	2188	powershell.exe	33
PID 1304 wrote to memory of 2860	1304	TT18.exe	34
PID 1304 wrote to memory of 2860	1304	TT18.exe	34
PID 1304 wrote to memory of 2860	1304	TT18.exe	34
PID 1304 wrote to memory of 2860	1304	TT18.exe	34
PID 2860 wrote to memory of 2620	2860	powershell.exe	36
PID 2860 wrote to memory of 2620	2860	powershell.exe	36
PID 2860 wrote to memory of 2620	2860	powershell.exe	36
PID 2860 wrote to memory of 2620	2860	powershell.exe	36
PID 1304 wrote to memory of 2672	1304	TT18.exe	37
PID 1304 wrote to memory of 2672	1304	TT18.exe	37
PID 1304 wrote to memory of 2672	1304	TT18.exe	37
PID 1304 wrote to memory of 2672	1304	TT18.exe	37
PID 2672 wrote to memory of 3036	2672	powershell.exe	39
PID 2672 wrote to memory of 3036	2672	powershell.exe	39
PID 2672 wrote to memory of 3036	2672	powershell.exe	39
PID 2672 wrote to memory of 3036	2672	powershell.exe	39
PID 1304 wrote to memory of 1388	1304	TT18.exe	40
PID 1304 wrote to memory of 1388	1304	TT18.exe	40
PID 1304 wrote to memory of 1388	1304	TT18.exe	40
PID 1304 wrote to memory of 1388	1304	TT18.exe	40

C:\Users\Admin\AppData\Local\Temp\TT18.exe
"C:\Users\Admin\AppData\Local\Temp\TT18.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\GZmTiolcH4'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\GZmTiolcH4
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1276
  2⤵
  - Program crash
  PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3a57d47985ccb511c32c8d719c8120cb

SHA1
e1d10f98552940acb832ca33530f15f7e60f700e

SHA256
9270bc285891b797c99b6cf6abc84a3a32419e31c9ebbe7423d5c50f1498284d

SHA512
505446a28a937524bfd210c45615a01b8f0aee4cfb8ad908dc274700c2dc57ef5d321dc2a16c31f66ca46664ba10817c7f4123825cbd8817e79cdd2fa5ae85fd

Download Submit
memory/1304-1-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/1304-2-0x0000000074DD0000-0x00000000754BE000-memory.dmp

Filesize
6.9MB

Download
memory/1304-39-0x0000000074DD0000-0x00000000754BE000-memory.dmp

Filesize
6.9MB

Download
memory/1304-38-0x0000000074DD0000-0x00000000754BE000-memory.dmp

Filesize
6.9MB

Download
memory/1304-32-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/1304-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/2188-8-0x00000000715B0000-0x0000000071B5B000-memory.dmp

Filesize
5.7MB

Download
memory/2188-15-0x00000000715B0000-0x0000000071B5B000-memory.dmp

Filesize
5.7MB

Download
memory/2188-9-0x00000000715B0000-0x0000000071B5B000-memory.dmp

Filesize
5.7MB

Download
memory/2188-7-0x00000000715B0000-0x0000000071B5B000-memory.dmp

Filesize
5.7MB

Download
memory/2188-6-0x00000000715B0000-0x0000000071B5B000-memory.dmp

Filesize
5.7MB

Download
memory/2188-5-0x00000000715B1000-0x00000000715B2000-memory.dmp

Filesize
4KB

Download