932a9d7b2aaf4bf741ab52af310f53c9d6af40caaecbf3edf0ebf2b1c05c296a

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JfsmpBIQ1LgMUAk.exe
Size

927KB
MD5

652d25f38f4ed183acf9b013cb2a2275
SHA1

7c8860477a60b6332f2bc71a585e9886dac153f6
SHA256

39631d4807643ffd35ec654d308f01a920fef38ba977d94969cbd6bdeb81b607
SHA512

d92c7cd916f0c429370e7bcfaa6fb373268083de2190081971bb9b95f6bf6efea402d54ea9a3d2419d570dc1b02ab2129387c906c428aba44ec245bffc6d970b
SSDEEP

12288:S54f2Vu4HSyBykosI4DS1zAfm+c238ZF4DyzpUpMTgyQEbMPku+l0CPP:m447yr4izAfo2MH4DyzpKzvVPd+p

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2440	powershell.exe
2544	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JfsmpBIQ1LgMUAk.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2688	JfsmpBIQ1LgMUAk.exe
2688	JfsmpBIQ1LgMUAk.exe
2688	JfsmpBIQ1LgMUAk.exe
2688	JfsmpBIQ1LgMUAk.exe
2688	JfsmpBIQ1LgMUAk.exe
2688	JfsmpBIQ1LgMUAk.exe
2688	JfsmpBIQ1LgMUAk.exe
2688	JfsmpBIQ1LgMUAk.exe
2688	JfsmpBIQ1LgMUAk.exe
2688	JfsmpBIQ1LgMUAk.exe
2688	JfsmpBIQ1LgMUAk.exe
2688	JfsmpBIQ1LgMUAk.exe
2688	JfsmpBIQ1LgMUAk.exe
2688	JfsmpBIQ1LgMUAk.exe
2688	JfsmpBIQ1LgMUAk.exe
2688	JfsmpBIQ1LgMUAk.exe
2544	powershell.exe
2440	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	JfsmpBIQ1LgMUAk.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2544	2688	JfsmpBIQ1LgMUAk.exe	30
PID 2688 wrote to memory of 2544	2688	JfsmpBIQ1LgMUAk.exe	30
PID 2688 wrote to memory of 2544	2688	JfsmpBIQ1LgMUAk.exe	30
PID 2688 wrote to memory of 2544	2688	JfsmpBIQ1LgMUAk.exe	30
PID 2688 wrote to memory of 2440	2688	JfsmpBIQ1LgMUAk.exe	32
PID 2688 wrote to memory of 2440	2688	JfsmpBIQ1LgMUAk.exe	32
PID 2688 wrote to memory of 2440	2688	JfsmpBIQ1LgMUAk.exe	32
PID 2688 wrote to memory of 2440	2688	JfsmpBIQ1LgMUAk.exe	32
PID 2688 wrote to memory of 2776	2688	JfsmpBIQ1LgMUAk.exe	33
PID 2688 wrote to memory of 2776	2688	JfsmpBIQ1LgMUAk.exe	33
PID 2688 wrote to memory of 2776	2688	JfsmpBIQ1LgMUAk.exe	33
PID 2688 wrote to memory of 2776	2688	JfsmpBIQ1LgMUAk.exe	33
PID 2688 wrote to memory of 2524	2688	JfsmpBIQ1LgMUAk.exe	36
PID 2688 wrote to memory of 2524	2688	JfsmpBIQ1LgMUAk.exe	36
PID 2688 wrote to memory of 2524	2688	JfsmpBIQ1LgMUAk.exe	36
PID 2688 wrote to memory of 2524	2688	JfsmpBIQ1LgMUAk.exe	36
PID 2688 wrote to memory of 1744	2688	JfsmpBIQ1LgMUAk.exe	37
PID 2688 wrote to memory of 1744	2688	JfsmpBIQ1LgMUAk.exe	37
PID 2688 wrote to memory of 1744	2688	JfsmpBIQ1LgMUAk.exe	37
PID 2688 wrote to memory of 1744	2688	JfsmpBIQ1LgMUAk.exe	37
PID 2688 wrote to memory of 1232	2688	JfsmpBIQ1LgMUAk.exe	38
PID 2688 wrote to memory of 1232	2688	JfsmpBIQ1LgMUAk.exe	38
PID 2688 wrote to memory of 1232	2688	JfsmpBIQ1LgMUAk.exe	38
PID 2688 wrote to memory of 1232	2688	JfsmpBIQ1LgMUAk.exe	38
PID 2688 wrote to memory of 2496	2688	JfsmpBIQ1LgMUAk.exe	39
PID 2688 wrote to memory of 2496	2688	JfsmpBIQ1LgMUAk.exe	39
PID 2688 wrote to memory of 2496	2688	JfsmpBIQ1LgMUAk.exe	39
PID 2688 wrote to memory of 2496	2688	JfsmpBIQ1LgMUAk.exe	39
PID 2688 wrote to memory of 2684	2688	JfsmpBIQ1LgMUAk.exe	40
PID 2688 wrote to memory of 2684	2688	JfsmpBIQ1LgMUAk.exe	40
PID 2688 wrote to memory of 2684	2688	JfsmpBIQ1LgMUAk.exe	40
PID 2688 wrote to memory of 2684	2688	JfsmpBIQ1LgMUAk.exe	40

C:\Users\Admin\AppData\Local\Temp\JfsmpBIQ1LgMUAk.exe
"C:\Users\Admin\AppData\Local\Temp\JfsmpBIQ1LgMUAk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\JfsmpBIQ1LgMUAk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ikqjdSvJltAjUw.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ikqjdSvJltAjUw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C24.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\JfsmpBIQ1LgMUAk.exe
  "C:\Users\Admin\AppData\Local\Temp\JfsmpBIQ1LgMUAk.exe"
  2⤵
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\JfsmpBIQ1LgMUAk.exe
  "C:\Users\Admin\AppData\Local\Temp\JfsmpBIQ1LgMUAk.exe"
  2⤵
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\JfsmpBIQ1LgMUAk.exe
  "C:\Users\Admin\AppData\Local\Temp\JfsmpBIQ1LgMUAk.exe"
  2⤵
  PID:1232
- C:\Users\Admin\AppData\Local\Temp\JfsmpBIQ1LgMUAk.exe
  "C:\Users\Admin\AppData\Local\Temp\JfsmpBIQ1LgMUAk.exe"
  2⤵
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\JfsmpBIQ1LgMUAk.exe
  "C:\Users\Admin\AppData\Local\Temp\JfsmpBIQ1LgMUAk.exe"
  2⤵
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5C24.tmp

Filesize
1KB

MD5
d83f16eb7e56177c16fc7d19b3da000d

SHA1
9f1e725c2d435aec8610a1143499d6498ad702de

SHA256
66eeedb17e1f89fa18c706172747545e3cbf8ef389de0f791c894ad2800f81f3

SHA512
8e119426f20bd1e41f780d601dfdc891adcdd945180855e18b66052fd4ee1fe58031b17551db28de1280084c8429914329f724bd42c77b7c5b8e313d76f54b13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f08d6708d09fd217bcee093961b1c0f8

SHA1
ac0accfaff17590bd7fc113cb4ec5b831d2e24f0

SHA256
34361b3e52dc1009e46387ce5ec4354649a9beb9102eaca8f74968064b39b495

SHA512
93ace0c5f8b1086c074d506b9daf5630d1c42168de7d97d724f5bfa6b630a7b8b1250ccc93b37ea95db43325cbf904debdfef02e2ec4e5e5698c33fd362e93f8

Download Submit
memory/2688-0-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

Filesize
4KB

Download
memory/2688-1-0x00000000003D0000-0x00000000004BE000-memory.dmp

Filesize
952KB

Download
memory/2688-2-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2688-3-0x00000000005A0000-0x00000000005C6000-memory.dmp

Filesize
152KB

Download
memory/2688-4-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

Filesize
4KB

Download
memory/2688-5-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2688-6-0x00000000004C0000-0x0000000000548000-memory.dmp

Filesize
544KB

Download
memory/2688-19-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download