8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10ab4b6fb83aea3840ac04855974f62d.exe
Size

959KB
MD5

10ab4b6fb83aea3840ac04855974f62d
SHA1

c41572120bb8f298d4a8683321e7a3b1cc7c54da
SHA256

8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301
SHA512

d414499348356d4028c97718126dbc51aa240a63b70f3236d73003821910735bcef0761da0a873b55abfb18b71820fcd6bf4e58bac98109274c477cc68633d94
SSDEEP

24576:TuWl35eXIVicKGaiT+zuOiNPjdbdpcg4qCYi:BnXicKE6zuOiNPjdZ4qCYi

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2276	powershell.exe
2808	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10ab4b6fb83aea3840ac04855974f62d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1488	10ab4b6fb83aea3840ac04855974f62d.exe
1488	10ab4b6fb83aea3840ac04855974f62d.exe
1488	10ab4b6fb83aea3840ac04855974f62d.exe
1488	10ab4b6fb83aea3840ac04855974f62d.exe
1488	10ab4b6fb83aea3840ac04855974f62d.exe
1488	10ab4b6fb83aea3840ac04855974f62d.exe
1488	10ab4b6fb83aea3840ac04855974f62d.exe
1488	10ab4b6fb83aea3840ac04855974f62d.exe
1488	10ab4b6fb83aea3840ac04855974f62d.exe
1488	10ab4b6fb83aea3840ac04855974f62d.exe
1488	10ab4b6fb83aea3840ac04855974f62d.exe
1488	10ab4b6fb83aea3840ac04855974f62d.exe
1488	10ab4b6fb83aea3840ac04855974f62d.exe
2276	powershell.exe
2808	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	10ab4b6fb83aea3840ac04855974f62d.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2276	1488	10ab4b6fb83aea3840ac04855974f62d.exe	31
PID 1488 wrote to memory of 2276	1488	10ab4b6fb83aea3840ac04855974f62d.exe	31
PID 1488 wrote to memory of 2276	1488	10ab4b6fb83aea3840ac04855974f62d.exe	31
PID 1488 wrote to memory of 2276	1488	10ab4b6fb83aea3840ac04855974f62d.exe	31
PID 1488 wrote to memory of 2808	1488	10ab4b6fb83aea3840ac04855974f62d.exe	33
PID 1488 wrote to memory of 2808	1488	10ab4b6fb83aea3840ac04855974f62d.exe	33
PID 1488 wrote to memory of 2808	1488	10ab4b6fb83aea3840ac04855974f62d.exe	33
PID 1488 wrote to memory of 2808	1488	10ab4b6fb83aea3840ac04855974f62d.exe	33
PID 1488 wrote to memory of 2956	1488	10ab4b6fb83aea3840ac04855974f62d.exe	35
PID 1488 wrote to memory of 2956	1488	10ab4b6fb83aea3840ac04855974f62d.exe	35
PID 1488 wrote to memory of 2956	1488	10ab4b6fb83aea3840ac04855974f62d.exe	35
PID 1488 wrote to memory of 2956	1488	10ab4b6fb83aea3840ac04855974f62d.exe	35
PID 1488 wrote to memory of 2656	1488	10ab4b6fb83aea3840ac04855974f62d.exe	37
PID 1488 wrote to memory of 2656	1488	10ab4b6fb83aea3840ac04855974f62d.exe	37
PID 1488 wrote to memory of 2656	1488	10ab4b6fb83aea3840ac04855974f62d.exe	37
PID 1488 wrote to memory of 2656	1488	10ab4b6fb83aea3840ac04855974f62d.exe	37
PID 1488 wrote to memory of 2820	1488	10ab4b6fb83aea3840ac04855974f62d.exe	38
PID 1488 wrote to memory of 2820	1488	10ab4b6fb83aea3840ac04855974f62d.exe	38
PID 1488 wrote to memory of 2820	1488	10ab4b6fb83aea3840ac04855974f62d.exe	38
PID 1488 wrote to memory of 2820	1488	10ab4b6fb83aea3840ac04855974f62d.exe	38
PID 1488 wrote to memory of 2544	1488	10ab4b6fb83aea3840ac04855974f62d.exe	39
PID 1488 wrote to memory of 2544	1488	10ab4b6fb83aea3840ac04855974f62d.exe	39
PID 1488 wrote to memory of 2544	1488	10ab4b6fb83aea3840ac04855974f62d.exe	39
PID 1488 wrote to memory of 2544	1488	10ab4b6fb83aea3840ac04855974f62d.exe	39
PID 1488 wrote to memory of 2540	1488	10ab4b6fb83aea3840ac04855974f62d.exe	40
PID 1488 wrote to memory of 2540	1488	10ab4b6fb83aea3840ac04855974f62d.exe	40
PID 1488 wrote to memory of 2540	1488	10ab4b6fb83aea3840ac04855974f62d.exe	40
PID 1488 wrote to memory of 2540	1488	10ab4b6fb83aea3840ac04855974f62d.exe	40
PID 1488 wrote to memory of 2560	1488	10ab4b6fb83aea3840ac04855974f62d.exe	41
PID 1488 wrote to memory of 2560	1488	10ab4b6fb83aea3840ac04855974f62d.exe	41
PID 1488 wrote to memory of 2560	1488	10ab4b6fb83aea3840ac04855974f62d.exe	41
PID 1488 wrote to memory of 2560	1488	10ab4b6fb83aea3840ac04855974f62d.exe	41

C:\Users\Admin\AppData\Local\Temp\10ab4b6fb83aea3840ac04855974f62d.exe
"C:\Users\Admin\AppData\Local\Temp\10ab4b6fb83aea3840ac04855974f62d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\10ab4b6fb83aea3840ac04855974f62d.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\myTuDsvNcebev.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F1C.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\10ab4b6fb83aea3840ac04855974f62d.exe
  "C:\Users\Admin\AppData\Local\Temp\10ab4b6fb83aea3840ac04855974f62d.exe"
  2⤵
  PID:2656
- C:\Users\Admin\AppData\Local\Temp\10ab4b6fb83aea3840ac04855974f62d.exe
  "C:\Users\Admin\AppData\Local\Temp\10ab4b6fb83aea3840ac04855974f62d.exe"
  2⤵
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\10ab4b6fb83aea3840ac04855974f62d.exe
  "C:\Users\Admin\AppData\Local\Temp\10ab4b6fb83aea3840ac04855974f62d.exe"
  2⤵
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\10ab4b6fb83aea3840ac04855974f62d.exe
  "C:\Users\Admin\AppData\Local\Temp\10ab4b6fb83aea3840ac04855974f62d.exe"
  2⤵
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\10ab4b6fb83aea3840ac04855974f62d.exe
  "C:\Users\Admin\AppData\Local\Temp\10ab4b6fb83aea3840ac04855974f62d.exe"
  2⤵
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2F1C.tmp

Filesize
1KB

MD5
c3a89617c7d1ea25f09c8605c9734728

SHA1
5cbd4fd6fc730a533afc6843b4cf412223223130

SHA256
ef30b6c1656c85262ffd599d4be11360fd754db97df98398441040040e094367

SHA512
721e429cc0c776ffd94754150678b305ab9c73d1844f013aa4491ce158970ec2c2022e49d0dd910570efd2cd243fd42f660d0698e6706d95b6b19e1b6f0f4966

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8fd4f8f3fd388cd15b8a11a97216a94f

SHA1
ce1da8a1f31df872b53172f5d0326bcaf2fe316f

SHA256
19951c0169cbf2cc89880461319a1fef82adfdeb38d3170807728585e0aafd39

SHA512
8c96bff13647159e6466df99afa1f0ecf19ca93fd77ea7f895816233b6123577a85c14ad56a872048f52e147328b147cf509142a6ae9c909a908045cdd384e26

Download Submit
memory/1488-0-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

Filesize
4KB

Download
memory/1488-1-0x0000000000330000-0x0000000000422000-memory.dmp

Filesize
968KB

Download
memory/1488-2-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/1488-3-0x00000000008D0000-0x00000000008EC000-memory.dmp

Filesize
112KB

Download
memory/1488-4-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

Filesize
4KB

Download
memory/1488-5-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/1488-6-0x0000000005620000-0x00000000056E0000-memory.dmp

Filesize
768KB

Download
memory/1488-19-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download