Overview

overview

8

Static

static

3

5dce69c450...d7.exe

windows7-x64

8

5dce69c450...d7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    121s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2024 07:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5dce69c450262d7a5d48cdc8fccad2d7.exe

  • Size

    121KB

  • MD5

    5dce69c450262d7a5d48cdc8fccad2d7

  • SHA1

    11cd8fa07e2314287099aaf4fbedb5dcc1fcf62a

  • SHA256

    246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823

  • SHA512

    7f5c2f5e6a02990adf6d638a8368f07a2f949dfedd7197e342c7467cc0ff4af5480ba2585060986f65e3f62efcdb80c037b89815db095326890269ef31db836a

  • SSDEEP

    3072:MV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPJR:ht5hBPi0BW69hd1MMdxPe9N9uA069TBb

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5dce69c450262d7a5d48cdc8fccad2d7.exe
    "C:\Users\Admin\AppData\Local\Temp\5dce69c450262d7a5d48cdc8fccad2d7.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E8AA.tmp\E8AB.tmp\E8AC.bat C:\Users\Admin\AppData\Local\Temp\5dce69c450262d7a5d48cdc8fccad2d7.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\system32\cacls.exe
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        3⤵
          PID:1516
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Add-MpPreference -ExclusionExtension '.exe'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2008
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Add-MpPreference -ExclusionExtension '.bat'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2936
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Victalis\Links'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2912
        • C:\Windows\system32\timeout.exe
          timeout /t 3
          3⤵
          • Delays execution with timeout.exe
          PID:2896

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\E8AA.tmp\E8AB.tmp\E8AC.bat
      Filesize

      1KB

      MD5

      793c56b68060857e19833f659215179a

      SHA1

      2daea30fdb072ed77572ef5255095f649441c467

      SHA256

      974c3b25c20b04c6c9c64e63c133b3263f275533bac599f56a4f60519f233716

      SHA512

      508c792fbbe2207d008cebd370c96d223e3cef3cbd5e7a89e4bcfaf94b3d94772b1f4729291a7ae99e473304e7bd175fc549eb4891f4eedd78740ab982b72aea

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      d52663713cebbc14f8e1efbf70d7339e

      SHA1

      29ef1d57e513940474510cb3bb490942d1e37b79

      SHA256

      9f97e8deb8f9204f46e4c4dc45ac52d0c498a189ae2fb53cfa11ab18ced0cb9c

      SHA512

      408bda004512d5e10964176cb0cb8558da1b97eae19d02a278573937c52fe2366afafc721f0ce7ccdbe6d4331fd8f5622be87897faa6b4c4e7c3d9fb9fa4db9c

      Download Submit

    • memory/2008-11-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2008-9-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2008-10-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2008-8-0x0000000002460000-0x0000000002468000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2008-12-0x000000000277B000-0x00000000027E2000-memory.dmp

      Filesize

      412KB

      Download

    • memory/2008-13-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2008-14-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2008-7-0x000000001B250000-0x000000001B532000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2008-6-0x000007FEF5BEE000-0x000007FEF5BEF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2936-20-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2936-21-0x0000000001E50000-0x0000000001E58000-memory.dmp

      Filesize

      32KB

      Download