Overview

overview

10

Static

static

3

S0FTWARE.exe

windows7-x64

8

S0FTWARE.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-02-2025 11:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    S0FTWARE.exe

  • Size

    232KB

  • MD5

    fbd1b32c4c62e90e0cf1645f88eed890

  • SHA1

    358075963f0c935cdb7eeeec1bd7a49569d880f2

  • SHA256

    d0055eec7bf7cc140098e2a37cca3a3ee9c374326279c5ba6e8f4bd9ae3dcd75

  • SHA512

    a44135fd7de05db9e3e2c3bfa94c0144a60c33cbfdba0e20632384feb9cbe05469d5f8b499146f98af4a76a8b070b9db441309746e34ed4b351cd7c586bfa70b

  • SSDEEP

    3072:2A4WSt2GdSB+vsoFJL4BBcZIdEt/UvDmeNNMbXdOolXFVf5nSj1VrHsMdJ9MQ8m:A2Gde+vsoFJL4BSWdEt/K6eNw51rn02

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    defense_evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\S0FTWARE.exe
    "C:\Users\Admin\AppData\Local\Temp\S0FTWARE.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:2376
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        2⤵
          PID:2064
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          2⤵
            PID:2396
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cls
            2⤵
              PID:3060
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cls
              2⤵
                PID:2536
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c cls
                2⤵
                  PID:2352
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c cls
                  2⤵
                    PID:2460
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c cls
                    2⤵
                      PID:2264
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c cls
                      2⤵
                        PID:2276
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c cls
                        2⤵
                          PID:2484
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c cls
                          2⤵
                            PID:2720
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c cls
                            2⤵
                              PID:2136
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c cls
                              2⤵
                                PID:2756
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c cls
                                2⤵
                                  PID:2760
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c cls
                                  2⤵
                                    PID:2812
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c cls
                                    2⤵
                                      PID:2816
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c cls
                                      2⤵
                                        PID:2836
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c cls
                                        2⤵
                                          PID:2860
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\LJHGA'"
                                          2⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:2192
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\LJHGA'"
                                            3⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2764
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                                          2⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:2844
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                                            3⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2996
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
                                          2⤵
                                            PID:2612
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
                                              3⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2608

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
                                          Filesize

                                          1KB

                                          MD5

                                          a266bb7dcc38a562631361bbf61dd11b

                                          SHA1

                                          3b1efd3a66ea28b16697394703a72ca340a05bd5

                                          SHA256

                                          df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

                                          SHA512

                                          0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

                                          Download Submit

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
                                          Filesize

                                          242B

                                          MD5

                                          bac27b7132a8bfe6e0f207785f692d72

                                          SHA1

                                          c24d7aa2a4acaec8e22e3ec9d1ec53953a024487

                                          SHA256

                                          c2fca1d57124116fc99870c6c1049053e0fb6dd490cf53832136737273765cd7

                                          SHA512

                                          d4fe0751df4af945232479a46354a7b64cde2537c1873dc11b23372ceb44bba2f1738eecf130d4c655b9ffa200f8287cd89790c6ad3550cf08ee941c8ca1d9c2

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Temp\CabBCBC.tmp
                                          Filesize

                                          70KB

                                          MD5

                                          49aebf8cbd62d92ac215b2923fb1b9f5

                                          SHA1

                                          1723be06719828dda65ad804298d0431f6aff976

                                          SHA256

                                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                          SHA512

                                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Temp\TarBCCF.tmp
                                          Filesize

                                          181KB

                                          MD5

                                          4ea6026cf93ec6338144661bf1202cd1

                                          SHA1

                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                          SHA256

                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                          SHA512

                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                          Download Submit

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                          Filesize

                                          7KB

                                          MD5

                                          3f4a430eb201be910640d6195460b34d

                                          SHA1

                                          44991ecaa9d3366e86a492c81ae8c27160ea0f07

                                          SHA256

                                          787d12d47a9c2031f936c9cb854838c977ca255a122c6783a48d578e96d58e5b

                                          SHA512

                                          a865030cb7a8e1f2ed1988bf30fbc1007b78c4dca0a6367791fa3bd0ad6be8c611469d94d7149023c65e04eabb4e7fad28e97a8c815cb820d7d3e46eddd0a204

                                          Download Submit

                                        • memory/2764-4-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

                                          Filesize

                                          2.9MB

                                          Download

                                        • memory/2764-5-0x0000000002920000-0x0000000002928000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2996-11-0x000000001B620000-0x000000001B902000-memory.dmp

                                          Filesize

                                          2.9MB

                                          Download

                                        • memory/2996-12-0x00000000026E0000-0x00000000026E8000-memory.dmp

                                          Filesize

                                          32KB

                                          Download