Overview

overview

10

Static

static

3

JaffaCakes...57.exe

windows7-x64

10

JaffaCakes...57.exe

windows10-2004-x64

10

$TEMP/K3M6...22.exe

windows7-x64

10

$TEMP/K3M6...22.exe

windows10-2004-x64

10

$TEMP/Self...ed.exe

windows7-x64

8

$TEMP/Self...ed.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-01-2025 20:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $TEMP/Selfconvened.exe

  • Size

    4.5MB

  • MD5

    64b5e984fda860eedf19c29a124094fb

  • SHA1

    760c195741989e17b48ad52c13bed35e8ea51692

  • SHA256

    1f47c67d3baa635c4b7dd2bfed0a26a6bd499c3ab5a64d10b391a52e7d71ba39

  • SHA512

    187dbbc7137db41da77dd5c3d1471f82b157d031653109632adb9c49ea519f452b661cfd1845512661dcdb3b00bf2a02b2c3504406fb19ad89b06fcd6afee4e4

  • SSDEEP

    98304:xLIWL25lsofrCgl5PmHGjCYv8LHPrVWPa5Qwy:Fslsofuit0bJWPa5QJ

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\Selfconvened.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\Selfconvened.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\system32\cmd.exe
      "cmd" #cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2136
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1388
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /f /sc minute /rl highest /mo 1 /tn "Bobsledding" /tr "C:\Windows\system32\WindowsPro\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2184
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {B53CE9A1-A763-4E49-804E-7280C2002443} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Windows\system32\WindowsPro\svchost.exe
      C:\Windows\system32\WindowsPro\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2176
    • C:\Windows\system32\WindowsPro\svchost.exe
      C:\Windows\system32\WindowsPro\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1928

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    37627b46d7b7011ae982e756f467012c

    SHA1

    b6fa4500e59483379b59119d04d558d7443c29d6

    SHA256

    d6f3e123fa17755231878803a9c20309dfaf6ddab3886b56317614af3f1cff9f

    SHA512

    01401a7aeda2b4dd6c449e9520a31dc3b7151f8494adf5dd57642ec5810afd612fc840d358610537f98c8e344431e95a3403d677a12ba80e4e60b944c5c640be

    Download Submit

  • C:\Windows\System32\WindowsPro\svchost.exe
    Filesize

    10.6MB

    MD5

    b0504bad3a175be5267a7ee70e5e1262

    SHA1

    cbb00488bcdb43d526a416a56df12de5bd891218

    SHA256

    030742e8d20a89db614908d35d75a3a40f313d207ae58dbc97d280c8013d0294

    SHA512

    2b6b0713a04e5cac1c52c56a763a196797b0cd48f07834dd72d48b96467a5df199e878505f9793fa1aa58e946a02054409754b59db677bd9002d8bc0fb73bd68

    Download Submit

  • memory/1388-29-0x0000000002680000-0x0000000002688000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1388-28-0x000000001B710000-0x000000001B9F2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1640-5-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1640-1-0x0000000000BE0000-0x000000000105A000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1640-6-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1640-7-0x00000000211C0000-0x0000000021568000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1640-8-0x0000000021570000-0x0000000021814000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/1640-9-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1640-10-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1640-11-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1640-30-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1640-0-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1640-4-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1640-3-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1640-2-0x000000001C5C0000-0x000000001C978000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1928-37-0x00000000009D0000-0x0000000000E4A000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/2136-21-0x00000000022A0000-0x00000000022A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2136-20-0x000000001B660000-0x000000001B942000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2176-35-0x0000000000210000-0x000000000068A000-memory.dmp

    Filesize

    4.5MB

    Download