Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-01-2025 04:59

General

  • Target

    c19ce82f559dc54abd192e1c6f274b0078dcce06cd648ca4e97ba24609a6758e.exe

  • Size

    23KB

  • MD5

    a97060894388dce333afe90503710c02

  • SHA1

    af7e16e99b79589f4690423f82502c5d21ed18fa

  • SHA256

    c19ce82f559dc54abd192e1c6f274b0078dcce06cd648ca4e97ba24609a6758e

  • SHA512

    459c87943790ccd5796a2fb3cd28b364adaa3735987bae962b266c926c47a7c5b82bdf28044f000dae8c353dfafc0200414a91440502f49a460a3d17654f3bc9

  • SSDEEP

    384:R5iDic/cOBkvPCq5/DYBEiiLWp0JNS/eqUMCaJFRmb50Y6MZNjihzQnHp0yVN8:2cTTS6MCyKb5/TJl8

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c19ce82f559dc54abd192e1c6f274b0078dcce06cd648ca4e97ba24609a6758e.exe
    "C:\Users\Admin\AppData\Local\Temp\c19ce82f559dc54abd192e1c6f274b0078dcce06cd648ca4e97ba24609a6758e.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\qeftmuiqoe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2104
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2932

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    ce5145e62b5cd2ed42be39b6d8895ed3

    SHA1

    5ebaf2832fe907db3388056345a59d8142a3e5b1

    SHA256

    d478587a6866932688af305483fae042a68a8258aa56052578b78bcadaba66e7

    SHA512

    23452463f357053c57cc0e0d4b344696fb3eae3f829698c69c454521a3002faccecf59d7a7976ea0f441786f30efbfb93e8857c0edc7766fd427d8db18c807f6

  • memory/2104-4-0x0000000002A70000-0x0000000002AB0000-memory.dmp

    Filesize

    256KB

  • memory/2244-0-0x000000007440E000-0x000000007440F000-memory.dmp

    Filesize

    4KB

  • memory/2244-1-0x0000000001390000-0x000000000139C000-memory.dmp

    Filesize

    48KB

  • memory/2244-10-0x0000000000CE0000-0x0000000000D20000-memory.dmp

    Filesize

    256KB

  • memory/2244-11-0x000000007440E000-0x000000007440F000-memory.dmp

    Filesize

    4KB