666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe
Size

1.3MB
MD5

9fa71bd01a54e0726de72e272bcbe6eb
SHA1

03822545415f9dc69207495898c706c0d8340807
SHA256

666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5
SHA512

32eaa6c191f077de67251af4057ee9fee6d9ea69d58ce6d6a1c6f5623ba26013152ae614d1465939f44ad9e2125caed786fa4abc821082845037a9ab1d2a27af
SSDEEP

24576:x0kpqP4E3+rAOymAfu86lJ5qKYv8aIlbRnxYUsNV/qXOlY/nZZMR:kwKcATbG8TKrOlNxqXTvMR

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4500	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4576	2676	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4208	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4396	powershell.exe
2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe
2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe
4500	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe
Token: SeDebugPrivilege	4500	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 4184	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	30
PID 2676 wrote to memory of 4184	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	30
PID 2676 wrote to memory of 4184	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	30
PID 2676 wrote to memory of 4184	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	30
PID 4184 wrote to memory of 4208	4184	cmd.exe	32
PID 4184 wrote to memory of 4208	4184	cmd.exe	32
PID 4184 wrote to memory of 4208	4184	cmd.exe	32
PID 4184 wrote to memory of 4208	4184	cmd.exe	32
PID 2676 wrote to memory of 4396	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	34
PID 2676 wrote to memory of 4396	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	34
PID 2676 wrote to memory of 4396	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	34
PID 2676 wrote to memory of 4396	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	34
PID 2676 wrote to memory of 4500	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	36
PID 2676 wrote to memory of 4500	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	36
PID 2676 wrote to memory of 4500	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	36
PID 2676 wrote to memory of 4500	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	36
PID 2676 wrote to memory of 4576	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	38
PID 2676 wrote to memory of 4576	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	38
PID 2676 wrote to memory of 4576	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	38
PID 2676 wrote to memory of 4576	2676	666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe	38

C:\Users\Admin\AppData\Local\Temp\666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe
"C:\Users\Admin\AppData\Local\Temp\666d91620d589b16b55f847c0c84396419461844d9ab844ad39a7df9d88c34e5.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /release
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:4208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwANgA2ADYAZAA5ADEANgAyADAAZAA1ADgAOQBiADEANgBiADUANQBmADgANAA3AGMAMABjADgANAAzADkANgA0ADEAOQA0ADYAMQA4ADQANABkADkAYQBiADgANAA0AGEAZAAzADkAYQA3AGQAZgA5AGQAOAA4AGMAMwA0AGUANQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAA2ADYANgBkADkAMQA2ADIAMABkADUAOAA5AGIAMQA2AGIANQA1AGYAOAA0ADcAYwAwAGMAOAA0ADMAOQA2ADQAMQA5ADQANgAxADgANAA0AGQAOQBhAGIAOAA0ADQAYQBkADMAOQBhADcAZABmADkAZAA4ADgAYwAzADQAZQA1AC4AZQB4AGUAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAHUAcABkAGEAdABlAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAdQBwAGQAYQB0AGUALgBlAHgAZQA=
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" PowerShell.exe -NoProfile -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$registryPath = 'HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; $data = '1'; reg add 'HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableBehaviorMonitoring' /t 'REG_DWORD' /d "^""$data"^"" /f"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 584
  2⤵
  - Program crash
  PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d3b1cfc028614e5fdfd26f5c8c277503

SHA1
88bda31b4b53590676b9920b8cc50dc7e118554e

SHA256
71e9dc619ce10b8f684d02b011af3d3e1d3318cb92ff35fb2f4aedee1a6d1998

SHA512
73e916f0376c2c940bd38bc6d59d3a8951b0a77c8a838924ce8718457914140109923cf9a7afa9694645593e75100853132b0a55e1052c53c184911b72b0b483

Download Submit
memory/2676-38-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-1-0x0000000000B50000-0x0000000000CA6000-memory.dmp

Filesize
1.3MB

Download
memory/2676-3-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-4-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-6-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-8-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-16-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-40-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-60-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-66-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-64-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-62-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-58-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-56-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-54-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-52-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-36-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-48-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-46-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-44-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-42-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-0-0x0000000073DDE000-0x0000000073DDF000-memory.dmp

Filesize
4KB

Download
memory/2676-32-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-2-0x0000000002190000-0x000000000228C000-memory.dmp

Filesize
1008KB

Download
memory/2676-50-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-30-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-28-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-26-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-24-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-22-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-20-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-18-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-14-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-12-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-10-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-1179-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Filesize
6.9MB

Download
memory/2676-1180-0x00000000046F0000-0x000000000475C000-memory.dmp

Filesize
432KB

Download
memory/2676-1181-0x00000000022D0000-0x000000000231C000-memory.dmp

Filesize
304KB

Download
memory/2676-1182-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Filesize
6.9MB

Download
memory/2676-1183-0x0000000073DDE000-0x0000000073DDF000-memory.dmp

Filesize
4KB

Download
memory/2676-1184-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Filesize
6.9MB

Download
memory/2676-1185-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Filesize
6.9MB

Download
memory/2676-1186-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Filesize
6.9MB

Download
memory/2676-1189-0x0000000005390000-0x00000000053E4000-memory.dmp

Filesize
336KB

Download
memory/2676-34-0x0000000002190000-0x0000000002287000-memory.dmp

Filesize
988KB

Download
memory/2676-1197-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Filesize
6.9MB

Download