e84025b89f099a3391657130136a12bbab866875315b4e54d3c28aee1f636777

General

Target

f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe
Size

13KB
MD5

22bded153b8c1ec4b1d1b45e0467f7c6
SHA1

1c8825442a455da9ffa0fd56e0e2848dfa58bf2c
SHA256

f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052
SHA512

f6022cbf7120e1771e7ba992bcd59ba5f8f68507d91c10c997a3186766547ea0632347facfdec667c3bde261748eb93ee8df35c71600fd7c459539f629b408bb
SSDEEP

192:0qgaiJUFTQcHVPtAXjJ9vT2O3yP8B50LOZdBcmCEJXVWwTnkVOvQu:57zFEcH769vT2OCkB50LknnVTnkVUQ

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2540	powershell.exe
2880	powershell.exe
2824	powershell.exe
2772	powershell.exe
1796	powershell.exe
2012	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2540	powershell.exe
2880	powershell.exe
2824	powershell.exe
2772	powershell.exe
1796	powershell.exe
2012	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1992	f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2540	1992	f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe	32
PID 1992 wrote to memory of 2540	1992	f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe	32
PID 1992 wrote to memory of 2540	1992	f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe	32
PID 1992 wrote to memory of 2540	1992	f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe	32
PID 2540 wrote to memory of 2880	2540	powershell.exe	34
PID 2540 wrote to memory of 2880	2540	powershell.exe	34
PID 2540 wrote to memory of 2880	2540	powershell.exe	34
PID 2540 wrote to memory of 2880	2540	powershell.exe	34
PID 1992 wrote to memory of 2824	1992	f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe	35
PID 1992 wrote to memory of 2824	1992	f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe	35
PID 1992 wrote to memory of 2824	1992	f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe	35
PID 1992 wrote to memory of 2824	1992	f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe	35
PID 2824 wrote to memory of 2772	2824	powershell.exe	37
PID 2824 wrote to memory of 2772	2824	powershell.exe	37
PID 2824 wrote to memory of 2772	2824	powershell.exe	37
PID 2824 wrote to memory of 2772	2824	powershell.exe	37
PID 1992 wrote to memory of 1796	1992	f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe	38
PID 1992 wrote to memory of 1796	1992	f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe	38
PID 1992 wrote to memory of 1796	1992	f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe	38
PID 1992 wrote to memory of 1796	1992	f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe	38
PID 1796 wrote to memory of 2012	1796	powershell.exe	40
PID 1796 wrote to memory of 2012	1796	powershell.exe	40
PID 1796 wrote to memory of 2012	1796	powershell.exe	40
PID 1796 wrote to memory of 2012	1796	powershell.exe	40

C:\Users\Admin\AppData\Local\Temp\f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe
"C:\Users\Admin\AppData\Local\Temp\f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\oTcvUxPgZR'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\oTcvUxPgZR
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
30b7adcaeddb078da6b5bb452fc50673

SHA1
eece97bac08c41d28498491b9dbef150e9a0b7d1

SHA256
b80ad07380c048543d709c26a1ce86b8e5a49d4dcde212f10b4ab9b51b2f71ad

SHA512
3b221c98211a09778edf97de140094ea0061d30411b5fa2abeb36fbabb6c299de65cb47a6e73f93033c7264b22a7dea5b3e7d67db366ce652ddae766958ea89f

Download Submit
memory/1992-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/1992-1-0x0000000000B40000-0x0000000000B4A000-memory.dmp

Filesize
40KB

Download
memory/1992-14-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/1992-36-0x0000000000B00000-0x0000000000B40000-memory.dmp

Filesize
256KB

Download
memory/2540-4-0x0000000071281000-0x0000000071282000-memory.dmp

Filesize
4KB

Download
memory/2540-5-0x0000000071280000-0x000000007182B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-6-0x0000000071280000-0x000000007182B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-7-0x0000000071280000-0x000000007182B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-8-0x0000000071280000-0x000000007182B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-15-0x0000000071280000-0x000000007182B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing