647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
Size

1.0MB
MD5

42d94499e951bca482a4b665e92cd535
SHA1

30d8b531e933655c1a36656ed0603e37114c27a2
SHA256

647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2
SHA512

1517f4963492b4d86d78d40ddcff2231dc787799b7f06b317afc466c8cae26e3be3a99537be826a347d33105217ea2ad870a53aea195f1158f1b7a173bbb1ccf
SSDEEP

24576:VxEqP43IQNOsv+lM/ItbktBuwrs89e+52iR:VxXPiIQNULoXJrs6e+8iR

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2432	powershell.exe
2596	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
2596	powershell.exe
2432	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2432	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	31
PID 2964 wrote to memory of 2432	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	31
PID 2964 wrote to memory of 2432	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	31
PID 2964 wrote to memory of 2432	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	31
PID 2964 wrote to memory of 2596	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	33
PID 2964 wrote to memory of 2596	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	33
PID 2964 wrote to memory of 2596	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	33
PID 2964 wrote to memory of 2596	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	33
PID 2964 wrote to memory of 2840	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	34
PID 2964 wrote to memory of 2840	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	34
PID 2964 wrote to memory of 2840	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	34
PID 2964 wrote to memory of 2840	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	34
PID 2964 wrote to memory of 2228	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	37
PID 2964 wrote to memory of 2228	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	37
PID 2964 wrote to memory of 2228	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	37
PID 2964 wrote to memory of 2228	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	37
PID 2964 wrote to memory of 2732	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	38
PID 2964 wrote to memory of 2732	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	38
PID 2964 wrote to memory of 2732	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	38
PID 2964 wrote to memory of 2732	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	38
PID 2964 wrote to memory of 2976	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	39
PID 2964 wrote to memory of 2976	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	39
PID 2964 wrote to memory of 2976	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	39
PID 2964 wrote to memory of 2976	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	39
PID 2964 wrote to memory of 3008	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	40
PID 2964 wrote to memory of 3008	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	40
PID 2964 wrote to memory of 3008	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	40
PID 2964 wrote to memory of 3008	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	40
PID 2964 wrote to memory of 644	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	41
PID 2964 wrote to memory of 644	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	41
PID 2964 wrote to memory of 644	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	41
PID 2964 wrote to memory of 644	2964	647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe	41

C:\Users\Admin\AppData\Local\Temp\647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
"C:\Users\Admin\AppData\Local\Temp\647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rgNlwEBp.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rgNlwEBp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB71.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
  "C:\Users\Admin\AppData\Local\Temp\647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe"
  2⤵
  PID:2228
- C:\Users\Admin\AppData\Local\Temp\647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
  "C:\Users\Admin\AppData\Local\Temp\647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe"
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
  "C:\Users\Admin\AppData\Local\Temp\647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe"
  2⤵
  PID:2976
- C:\Users\Admin\AppData\Local\Temp\647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
  "C:\Users\Admin\AppData\Local\Temp\647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe"
  2⤵
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe
  "C:\Users\Admin\AppData\Local\Temp\647b4007083ce47cbd208a9aa9b32891e2d910a3c367494760c241bfc068c3e2.exe"
  2⤵
  PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDB71.tmp

Filesize
1KB

MD5
f6d41382fad5e737a1857fcbf563443f

SHA1
ab6993da0953cd082d06343ace678bd7c7ec9160

SHA256
9239f6587bc69b6948f57933e69298bd4e81f1668c69d236b4461c2be2a4d0eb

SHA512
6f2df3db4fa7eb8495a66628589da73e463e6167c58f2f618acdeda95083d8dceacd59bcf7c46a42a6873ad1209bc2f31317ce9f4a3d215e883b17b32ec5d893

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZTHHKHQ8ASQXMILHSQ6U.temp

Filesize
7KB

MD5
f4f419b12e348a3825a4cac24de60ce3

SHA1
ee30ed92cca680c42d30895d4f0ecc5a9020fb1f

SHA256
f5e75ab03f56d916b9a5fc7fff189bdecd728e1c385d4488d48df070be2c6b6b

SHA512
8e6f94ac73b91358451a5276839a154c1939356927a329520726a9cdcced07528b59636a9365619df37dfbb68448d98e7b701219df1ffdc4eaf3b5b8e1673285

Download Submit
memory/2964-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/2964-1-0x0000000000370000-0x0000000000476000-memory.dmp

Filesize
1.0MB

Download
memory/2964-2-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-3-0x0000000000480000-0x0000000000498000-memory.dmp

Filesize
96KB

Download
memory/2964-4-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/2964-5-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-6-0x00000000052C0000-0x0000000005384000-memory.dmp

Filesize
784KB

Download
memory/2964-19-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download