cc5eb5ac7cb599572a1c9747efa83774221e0ad4a24ed6545d5bc03a44a23196

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/12/2024, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eXbhgU9.exe
Size

15KB
MD5

9be5ac720dcf1838fd5a2d7352672f66
SHA1

d8046191a1d1756768a8bad62ce3ba757deb7d53
SHA256

cc5eb5ac7cb599572a1c9747efa83774221e0ad4a24ed6545d5bc03a44a23196
SHA512

72f618868c9960332931d7055a4bff5b3394979a1f5d8089d51c6dc436a121a3d9332d405a3eb3f65fcb8c5930c73606e194782fcf29b46d5e42235de29acc33
SSDEEP

384:8dGRmTbW+eO9GXSrtx2MUyQ6JCgf61FDOVV:QzGXaff61FDO7

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2144	powershell.exe
2664	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eXbhgU9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2144	powershell.exe
2664	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	328	eXbhgU9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 2144	328	eXbhgU9.exe	31
PID 328 wrote to memory of 2144	328	eXbhgU9.exe	31
PID 328 wrote to memory of 2144	328	eXbhgU9.exe	31
PID 328 wrote to memory of 2144	328	eXbhgU9.exe	31
PID 328 wrote to memory of 2664	328	eXbhgU9.exe	33
PID 328 wrote to memory of 2664	328	eXbhgU9.exe	33
PID 328 wrote to memory of 2664	328	eXbhgU9.exe	33
PID 328 wrote to memory of 2664	328	eXbhgU9.exe	33

C:\Users\Admin\AppData\Local\Temp\eXbhgU9.exe
"C:\Users\Admin\AppData\Local\Temp\eXbhgU9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\wABOUNvsUh'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3180a46518a2cb4906742b5ac03d5cd3

SHA1
aa21867f95389f361164bd8f24810a894d2556f3

SHA256
1c40c205fda819b3f60fc77b282c704d688765d203a6a5c1db5a28bd23ed8b67

SHA512
6d983203c98520ff11461842fde1e244527500e4d447821bf289c2da5786267781ce06b41014d04b50926bd4064071f6e972d518401e6dc6e77494cb2827c055

Download Submit
memory/328-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/328-1-0x0000000001270000-0x000000000127A000-memory.dmp

Filesize
40KB

Download
memory/328-15-0x0000000000E80000-0x0000000000EC0000-memory.dmp

Filesize
256KB

Download
memory/2144-4-0x0000000070D91000-0x0000000070D92000-memory.dmp

Filesize
4KB

Download
memory/2144-6-0x0000000070D90000-0x000000007133B000-memory.dmp

Filesize
5.7MB

Download
memory/2144-5-0x0000000070D90000-0x000000007133B000-memory.dmp

Filesize
5.7MB

Download
memory/2144-7-0x0000000070D90000-0x000000007133B000-memory.dmp

Filesize
5.7MB

Download
memory/2144-8-0x0000000070D90000-0x000000007133B000-memory.dmp

Filesize
5.7MB

Download
memory/2144-9-0x0000000070D90000-0x000000007133B000-memory.dmp

Filesize
5.7MB

Download