9097140491dca61a92e42fea7cc9b04a6fcb5854d4c678381a5fc4f7426e3a17

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CheckDevices3.exe
Size

11KB
MD5

13c01e851815420a4ff0891208918dbf
SHA1

df6d7550f4fe60853609f1facec9255af9721a88
SHA256

9097140491dca61a92e42fea7cc9b04a6fcb5854d4c678381a5fc4f7426e3a17
SHA512

0d401005fcd5f4d066c734eacd5a1f891a5b91b6a21f7e176667f0829797ab204f95aeecec9f37836f8712dda28c13720b0cf8ab3a1c3f8e8e5966f3622ce2d2
SSDEEP

192:bqqTSm4ENSn3fbfo5iX2KVFfcTkbS8cvD+3Hp3lTVJneqqpO0:L34ENSn3fbfo53KPcIbS1vS3J3NVIqqQ

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2872	powershell.exe
1908	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckDevices3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1908	powershell.exe
2872	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2500	CheckDevices3.exe
Token: SeDebugPrivilege	2872	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1908	2500	CheckDevices3.exe	31
PID 2500 wrote to memory of 1908	2500	CheckDevices3.exe	31
PID 2500 wrote to memory of 1908	2500	CheckDevices3.exe	31
PID 2500 wrote to memory of 1908	2500	CheckDevices3.exe	31
PID 2500 wrote to memory of 2872	2500	CheckDevices3.exe	34
PID 2500 wrote to memory of 2872	2500	CheckDevices3.exe	34
PID 2500 wrote to memory of 2872	2500	CheckDevices3.exe	34
PID 2500 wrote to memory of 2872	2500	CheckDevices3.exe	34

C:\Users\Admin\AppData\Local\Temp\CheckDevices3.exe
"C:\Users\Admin\AppData\Local\Temp\CheckDevices3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
678d65fbcbd3d58b5e5568610c0c93e4

SHA1
34e6fa92a3f7b761c9018d33fc8c434f73a23a4d

SHA256
6e8d64be5bfe632aba0b0098eecbe843678db963e9d5e3669f1a53acf34f7543

SHA512
de9681f0e63bf42798d05f641f5b862dd53c8f8c2f73adb0972b12b5f3073475a30e577adedaf3e73180aad7a51d50911041f3f9641e28c62ad146e8ea7bfd50

Download Submit
memory/1908-5-0x000000006FCF1000-0x000000006FCF2000-memory.dmp

Filesize
4KB

Download
memory/1908-6-0x000000006FCF0000-0x000000007029B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-7-0x000000006FCF0000-0x000000007029B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-8-0x000000006FCF0000-0x000000007029B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-9-0x000000006FCF0000-0x000000007029B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-10-0x000000006FCF0000-0x000000007029B000-memory.dmp

Filesize
5.7MB

Download
memory/2500-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/2500-1-0x0000000001200000-0x000000000120A000-memory.dmp

Filesize
40KB

Download
memory/2500-2-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2500-11-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/2500-17-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download