9f2b06a5d492309cf77d733de90f608137768aa23391fc124342800ba0227d85

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FOR 817 4429601.exe
Size

851KB
MD5

cbcac7423afa2b0dc72712763a4e1eb3
SHA1

39f3a89371412b93e4cdb7df7212c0290e4bfd22
SHA256

e085c2b585c5a43e93001485c6ec2fe56e9cd8b7b509f971ff0072c7f1a1a99e
SHA512

9456ff5bf3ca861644232b43dc5afba6ac853a73bd9ba2d2257c0c333992dbfeca3ac8268ff8bb2d4d8265f9bd3665fd2bf6ef46c3b95b0b1edd74ecee4972eb
SSDEEP

12288:KKOlbxrh0IO8DfymhIB5HPAw0nhAaoKF0l2XqbVRr+QHZjcXUpS8tJP:O/fymm5H4w0XF0lyqXtjuUpS8

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2804	powershell.exe
2752	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FOR 817 4429601.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2436	FOR 817 4429601.exe
2436	FOR 817 4429601.exe
2436	FOR 817 4429601.exe
2436	FOR 817 4429601.exe
2436	FOR 817 4429601.exe
2436	FOR 817 4429601.exe
2436	FOR 817 4429601.exe
2436	FOR 817 4429601.exe
2436	FOR 817 4429601.exe
2436	FOR 817 4429601.exe
2436	FOR 817 4429601.exe
2436	FOR 817 4429601.exe
2436	FOR 817 4429601.exe
2436	FOR 817 4429601.exe
2436	FOR 817 4429601.exe
2436	FOR 817 4429601.exe
2804	powershell.exe
2752	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	FOR 817 4429601.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2804	2436	FOR 817 4429601.exe	31
PID 2436 wrote to memory of 2804	2436	FOR 817 4429601.exe	31
PID 2436 wrote to memory of 2804	2436	FOR 817 4429601.exe	31
PID 2436 wrote to memory of 2804	2436	FOR 817 4429601.exe	31
PID 2436 wrote to memory of 2752	2436	FOR 817 4429601.exe	33
PID 2436 wrote to memory of 2752	2436	FOR 817 4429601.exe	33
PID 2436 wrote to memory of 2752	2436	FOR 817 4429601.exe	33
PID 2436 wrote to memory of 2752	2436	FOR 817 4429601.exe	33
PID 2436 wrote to memory of 2604	2436	FOR 817 4429601.exe	35
PID 2436 wrote to memory of 2604	2436	FOR 817 4429601.exe	35
PID 2436 wrote to memory of 2604	2436	FOR 817 4429601.exe	35
PID 2436 wrote to memory of 2604	2436	FOR 817 4429601.exe	35
PID 2436 wrote to memory of 2832	2436	FOR 817 4429601.exe	37
PID 2436 wrote to memory of 2832	2436	FOR 817 4429601.exe	37
PID 2436 wrote to memory of 2832	2436	FOR 817 4429601.exe	37
PID 2436 wrote to memory of 2832	2436	FOR 817 4429601.exe	37
PID 2436 wrote to memory of 2600	2436	FOR 817 4429601.exe	38
PID 2436 wrote to memory of 2600	2436	FOR 817 4429601.exe	38
PID 2436 wrote to memory of 2600	2436	FOR 817 4429601.exe	38
PID 2436 wrote to memory of 2600	2436	FOR 817 4429601.exe	38
PID 2436 wrote to memory of 2608	2436	FOR 817 4429601.exe	39
PID 2436 wrote to memory of 2608	2436	FOR 817 4429601.exe	39
PID 2436 wrote to memory of 2608	2436	FOR 817 4429601.exe	39
PID 2436 wrote to memory of 2608	2436	FOR 817 4429601.exe	39
PID 2436 wrote to memory of 2616	2436	FOR 817 4429601.exe	40
PID 2436 wrote to memory of 2616	2436	FOR 817 4429601.exe	40
PID 2436 wrote to memory of 2616	2436	FOR 817 4429601.exe	40
PID 2436 wrote to memory of 2616	2436	FOR 817 4429601.exe	40
PID 2436 wrote to memory of 2644	2436	FOR 817 4429601.exe	41
PID 2436 wrote to memory of 2644	2436	FOR 817 4429601.exe	41
PID 2436 wrote to memory of 2644	2436	FOR 817 4429601.exe	41
PID 2436 wrote to memory of 2644	2436	FOR 817 4429601.exe	41

C:\Users\Admin\AppData\Local\Temp\FOR 817 4429601.exe
"C:\Users\Admin\AppData\Local\Temp\FOR 817 4429601.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FOR 817 4429601.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jjQPSpXjfwt.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jjQPSpXjfwt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFCB6.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\FOR 817 4429601.exe
  "C:\Users\Admin\AppData\Local\Temp\FOR 817 4429601.exe"
  2⤵
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\FOR 817 4429601.exe
  "C:\Users\Admin\AppData\Local\Temp\FOR 817 4429601.exe"
  2⤵
  PID:2600
- C:\Users\Admin\AppData\Local\Temp\FOR 817 4429601.exe
  "C:\Users\Admin\AppData\Local\Temp\FOR 817 4429601.exe"
  2⤵
  PID:2608
- C:\Users\Admin\AppData\Local\Temp\FOR 817 4429601.exe
  "C:\Users\Admin\AppData\Local\Temp\FOR 817 4429601.exe"
  2⤵
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\FOR 817 4429601.exe
  "C:\Users\Admin\AppData\Local\Temp\FOR 817 4429601.exe"
  2⤵
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFCB6.tmp

Filesize
1KB

MD5
fceae10e4b514fbb067c0162d3bc77dd

SHA1
544546e4612e482fe6365322f6357938131d9a88

SHA256
2e2206bcf234fb47e71bbf375da293f40076efae282bd65953834b87398e6b84

SHA512
5ff0790632d5488f5d660fc431a9c24d300b146d3fddf63928ff243d61bb9698a9d4448b96306a111a9d701c8564b3e7988ca31f80f0e735133d9ba1be81e948

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3VZWD8KFGJRIXIASFB97.temp

Filesize
7KB

MD5
ed4802fab6659d16f1cfd1266eedd523

SHA1
c794b3ee81c039ae73d64a1504aaae59b464b5e4

SHA256
ae2792cde3318e8a20d9907e4e694a69d740ff995477cf3d97482ee9b7ce8520

SHA512
f3bf557d16305941e8949b6ec1537d5e232ad16aef5610b8bcd4441215df94be4459d65db6f061b389d760773e7d928d6ae5db16d7abe7bb780d69899906f759

Download Submit
memory/2436-0-0x000000007413E000-0x000000007413F000-memory.dmp

Filesize
4KB

Download
memory/2436-1-0x0000000000390000-0x000000000046A000-memory.dmp

Filesize
872KB

Download
memory/2436-2-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2436-3-0x0000000000330000-0x0000000000356000-memory.dmp

Filesize
152KB

Download
memory/2436-4-0x000000007413E000-0x000000007413F000-memory.dmp

Filesize
4KB

Download
memory/2436-5-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2436-6-0x0000000000570000-0x00000000005F8000-memory.dmp

Filesize
544KB

Download
memory/2436-19-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download