8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b

General

Target

8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe
Size

26.0MB
MD5

13eb2bb3303156d695ecf3f2b2c09eb7
SHA1

db1f2877681d02201c6c9d71d8c52a872c3612b9
SHA256

8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b
SHA512

6f44a7f1612f0eb4843c1e0de757a03f53d2b14e7aa8b7f983c2ca9baf0701d30f129edeab9c889655840782a1289fb4d0bf0699223e3c584afdaa4ee5172172
SSDEEP

192:0qgaiJUFTQcHVPtAXjJ9vT2O3yP8B50LOZdBcmCEJXVWwTnkVOvQu:57zFEcH769vT2OCkB50LknnVTnkVUQ

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1592	powershell.exe
2632	powershell.exe
2660	powershell.exe
496	powershell.exe
2488	powershell.exe
2828	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2488	powershell.exe
2828	powershell.exe
1592	powershell.exe
2632	powershell.exe
2660	powershell.exe
496	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	496	powershell.exe
Token: SeDebugPrivilege	3012	8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2488	3012	8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe	31
PID 3012 wrote to memory of 2488	3012	8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe	31
PID 3012 wrote to memory of 2488	3012	8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe	31
PID 3012 wrote to memory of 2488	3012	8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe	31
PID 2488 wrote to memory of 2828	2488	powershell.exe	33
PID 2488 wrote to memory of 2828	2488	powershell.exe	33
PID 2488 wrote to memory of 2828	2488	powershell.exe	33
PID 2488 wrote to memory of 2828	2488	powershell.exe	33
PID 3012 wrote to memory of 1592	3012	8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe	34
PID 3012 wrote to memory of 1592	3012	8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe	34
PID 3012 wrote to memory of 1592	3012	8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe	34
PID 3012 wrote to memory of 1592	3012	8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe	34
PID 1592 wrote to memory of 2632	1592	powershell.exe	36
PID 1592 wrote to memory of 2632	1592	powershell.exe	36
PID 1592 wrote to memory of 2632	1592	powershell.exe	36
PID 1592 wrote to memory of 2632	1592	powershell.exe	36
PID 3012 wrote to memory of 2660	3012	8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe	37
PID 3012 wrote to memory of 2660	3012	8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe	37
PID 3012 wrote to memory of 2660	3012	8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe	37
PID 3012 wrote to memory of 2660	3012	8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe	37
PID 2660 wrote to memory of 496	2660	powershell.exe	39
PID 2660 wrote to memory of 496	2660	powershell.exe	39
PID 2660 wrote to memory of 496	2660	powershell.exe	39
PID 2660 wrote to memory of 496	2660	powershell.exe	39

C:\Users\Admin\AppData\Local\Temp\8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe
"C:\Users\Admin\AppData\Local\Temp\8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\DlzIIsmYma'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\DlzIIsmYma
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9c87c4866be69e598d79063c55824c66

SHA1
cc5991c1f34c018fb4fd8b11fff84a4641730293

SHA256
e3d4e92b4d57c0294f5b022bf4d2668e8f5182ab65fcf3d56a94c446487e8c50

SHA512
86aa35bc17b19797b10f8cc3c61b3aabcd379c909c65c82fe1b215cd7663f426eada92d8399b82c6afffa137225651e2ca97d48a238984b7c82be5ab0a204a82

Download Submit
memory/2488-4-0x0000000070C91000-0x0000000070C92000-memory.dmp

Filesize
4KB

Download
memory/2488-5-0x0000000070C90000-0x000000007123B000-memory.dmp

Filesize
5.7MB

Download
memory/2488-6-0x0000000070C90000-0x000000007123B000-memory.dmp

Filesize
5.7MB

Download
memory/2488-7-0x0000000070C90000-0x000000007123B000-memory.dmp

Filesize
5.7MB

Download
memory/2488-13-0x0000000070C90000-0x000000007123B000-memory.dmp

Filesize
5.7MB

Download
memory/3012-0-0x000000007415E000-0x000000007415F000-memory.dmp

Filesize
4KB

Download
memory/3012-1-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/3012-30-0x000000007415E000-0x000000007415F000-memory.dmp

Filesize
4KB

Download
memory/3012-36-0x0000000004530000-0x0000000004570000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing