Overview

overview

10

Static

static

3

JaffaCakes...eb.exe

windows7-x64

10

JaffaCakes...eb.exe

windows10-2004-x64

10

$TEMP/Self...ed.exe

windows7-x64

8

$TEMP/Self...ed.exe

windows10-2004-x64

8

$TEMP/qT5w...NB.exe

windows7-x64

10

$TEMP/qT5w...NB.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2025 06:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $TEMP/Selfconvened.exe

  • Size

    4.5MB

  • MD5

    64b5e984fda860eedf19c29a124094fb

  • SHA1

    760c195741989e17b48ad52c13bed35e8ea51692

  • SHA256

    1f47c67d3baa635c4b7dd2bfed0a26a6bd499c3ab5a64d10b391a52e7d71ba39

  • SHA512

    187dbbc7137db41da77dd5c3d1471f82b157d031653109632adb9c49ea519f452b661cfd1845512661dcdb3b00bf2a02b2c3504406fb19ad89b06fcd6afee4e4

  • SSDEEP

    98304:xLIWL25lsofrCgl5PmHGjCYv8LHPrVWPa5Qwy:Fslsofuit0bJWPa5QJ

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\Selfconvened.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\Selfconvened.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\system32\cmd.exe
      "cmd" #cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1652
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2008
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /f /sc minute /rl highest /mo 1 /tn "Bobsledding" /tr "C:\Windows\system32\WindowsPro\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2596
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {05AF100B-53C6-482D-806C-C4E39819A105} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\system32\WindowsPro\svchost.exe
      C:\Windows\system32\WindowsPro\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1132
    • C:\Windows\system32\WindowsPro\svchost.exe
      C:\Windows\system32\WindowsPro\svchost.exe
      2⤵
      • Executes dropped EXE
      PID:2416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    ab8b73e973cbba494afa9998ea2d23a9

    SHA1

    f541e7ab70b98bcd4c4d0fc5aba3212518f5deb0

    SHA256

    54b62b5953cc2df58041081b1823744441904936450de862025a52583b1a41f4

    SHA512

    4aff13d6a908d3d22539502fff118102cd26d7be1a53743b6ee852114188cb9999d2d866d80f8a4a76df2b87c9ece04b67d641c083072d74c2e45f9582ad4109

    Download Submit

  • C:\Windows\System32\WindowsPro\svchost.exe
    Filesize

    10.9MB

    MD5

    7a7c8cf73bb6562c36faaa8ad49bdbc5

    SHA1

    3d1d849d7c7236af1159cf7d26d89c1953829e1f

    SHA256

    af3e4ef5e47b509d7d6b542ebaf520d4909fad7c86627deefa4934dfd3c0ded3

    SHA512

    7b4503c46d8137fc3fcd6bded9affb165a68b180ca0668ddde984f8b306159bf9c61252a2dc2f057f72047597129f232bec358863e47d544380b7bb5605d6698

    Download Submit

  • memory/1132-34-0x0000000000E40000-0x00000000012BA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1652-21-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1652-20-0x000000001B200000-0x000000001B4E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1668-10-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1668-4-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1668-7-0x000000001BFA0000-0x000000001C348000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1668-8-0x00000000210D0000-0x0000000021374000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/1668-9-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1668-0-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1668-5-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1668-6-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1668-3-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1668-2-0x000000001C460000-0x000000001C818000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1668-1-0x00000000011F0000-0x000000000166A000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1668-29-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2008-28-0x0000000002050000-0x0000000002058000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2008-27-0x000000001B230000-0x000000001B512000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2416-36-0x0000000000FF0000-0x000000000146A000-memory.dmp

    Filesize

    4.5MB

    Download