Overview

overview

10

Static

static

3

EIuz8Bk9kGav2ix.exe

windows7-x64

8

EIuz8Bk9kGav2ix.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2024 07:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EIuz8Bk9kGav2ix.exe

  • Size

    1002KB

  • MD5

    2e69c1a7d2a987f925aaad945c2ce2b2

  • SHA1

    767d326371a5e8b3e3c85d5a87d3e928364b0e20

  • SHA256

    123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c

  • SHA512

    77bcff731628c92d6a1888db1e05d6bc531607f0fb06f6c735ac8d46a9993bac03ba32461fc461dedcf4e7a3c786a300d981ab0362e92db2cb55453dd65405a6

  • SSDEEP

    24576:50IeeyMLvMqxTE1am3NbYPu5xQBhlbeaI:WBek2TAam9SuxQBhT

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EIuz8Bk9kGav2ix.exe
    "C:\Users\Admin\AppData\Local\Temp\EIuz8Bk9kGav2ix.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EIuz8Bk9kGav2ix.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RNJBFdvJTXAE.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA8CD.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1244
    • C:\Users\Admin\AppData\Local\Temp\EIuz8Bk9kGav2ix.exe
      "C:\Users\Admin\AppData\Local\Temp\EIuz8Bk9kGav2ix.exe"
      2⤵
        PID:884
      • C:\Users\Admin\AppData\Local\Temp\EIuz8Bk9kGav2ix.exe
        "C:\Users\Admin\AppData\Local\Temp\EIuz8Bk9kGav2ix.exe"
        2⤵
          PID:796
        • C:\Users\Admin\AppData\Local\Temp\EIuz8Bk9kGav2ix.exe
          "C:\Users\Admin\AppData\Local\Temp\EIuz8Bk9kGav2ix.exe"
          2⤵
            PID:1492
          • C:\Users\Admin\AppData\Local\Temp\EIuz8Bk9kGav2ix.exe
            "C:\Users\Admin\AppData\Local\Temp\EIuz8Bk9kGav2ix.exe"
            2⤵
              PID:1480
            • C:\Users\Admin\AppData\Local\Temp\EIuz8Bk9kGav2ix.exe
              "C:\Users\Admin\AppData\Local\Temp\EIuz8Bk9kGav2ix.exe"
              2⤵
                PID:2916

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpA8CD.tmp
              Filesize

              1KB

              MD5

              420621411ad9a8f0573dd25f0b5b501c

              SHA1

              ba230b7b236916034c5a66359ff801a7787a18e8

              SHA256

              36279a9a6a7c978d86686787a19d5075176683c0683e2a65acc9c9bf33c2da7c

              SHA512

              81ffa9c78e952611357cddbe700cbc4a622d6665cc635c5864d7b1d6a2703d3bd8d82c2b2fe967d3602a260bcf68b246efa2ed8ac596b426ac88f3e9e00d2e48

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2CZTKS0E68G5TV8N8ABA.temp
              Filesize

              7KB

              MD5

              565a14ac7a74fe7eb7a356a3ad7abeec

              SHA1

              5b6fc81c05c6ba583afade427e7a4387603ca0df

              SHA256

              539e8cecde38d8492e740251cbefac512aa1a6501ac2a7677e0b78718f72eaca

              SHA512

              c974626b46e35b8e48542b68855b0009381eb6099cd43fa5fc8d55a40a9988a3fb2046b480718a0ff6ffceb2f78e7941a5663df63510831c0f99557872f169ac

              Download Submit

            • memory/2848-0-0x000000007460E000-0x000000007460F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2848-1-0x0000000000340000-0x0000000000440000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2848-2-0x0000000074600000-0x0000000074CEE000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2848-3-0x0000000000460000-0x0000000000478000-memory.dmp

              Filesize

              96KB

              Download

            • memory/2848-4-0x000000007460E000-0x000000007460F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2848-5-0x0000000074600000-0x0000000074CEE000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2848-6-0x0000000007690000-0x0000000007754000-memory.dmp

              Filesize

              784KB

              Download

            • memory/2848-19-0x0000000074600000-0x0000000074CEE000-memory.dmp

              Filesize

              6.9MB

              Download