Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/03/2025, 06:18
General
-
Target
ef1a8eac84dd9ea2c994351a14b9c6811260e765cb992411c3e4ace9ce289b30.exe
-
Size
545KB
-
MD5
c6d7786cb9e334f730ba4fb984b43bf0
-
SHA1
f67a77aaea6bfc19766500c2100b2aa3d449c328
-
SHA256
ef1a8eac84dd9ea2c994351a14b9c6811260e765cb992411c3e4ace9ce289b30
-
SHA512
a536128a1ed94efb3e864769a70f0e4786a97c15aab9f8eae431066d783a3e58453fe0bb0cf5bb52586d2a0d2034005771e286d57bd92b5866077d9e26f9d4a6
-
SSDEEP
12288:PKx6YNxBRA0L1jKwXmsykcJlKRrbW4r2GNnqOs/fKSd/XNKN5A+:E6ERA0Low2TkKlmbW4lNnq7/V85
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef1a8eac84dd9ea2c994351a14b9c6811260e765cb992411c3e4ace9ce289b30.exe"C:\Users\Admin\AppData\Local\Temp\ef1a8eac84dd9ea2c994351a14b9c6811260e765cb992411c3e4ace9ce289b30.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {EB2F1A00-5B9E-4E84-A92F-F45D90E4A5A6} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:S4U:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQQBjAGMAZQBzAHMAQwBvAG4AdAByAG8AbABUAHkAcABlAC4AZQB4AGUAOwA=2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQQBjAGMAZQBzAHMAQwBvAG4AdAByAG8AbABUAHkAcABlAC4AZQB4AGUAOwA=2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {766BC5FE-9C3C-4A0F-AB4E-2D264B8C9E4F} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\LCID\tjnduz\AccessControlType.exeC:\Users\Admin\AppData\Local\LCID\tjnduz\AccessControlType.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
545KB
MD5c6d7786cb9e334f730ba4fb984b43bf0
SHA1f67a77aaea6bfc19766500c2100b2aa3d449c328
SHA256ef1a8eac84dd9ea2c994351a14b9c6811260e765cb992411c3e4ace9ce289b30
SHA512a536128a1ed94efb3e864769a70f0e4786a97c15aab9f8eae431066d783a3e58453fe0bb0cf5bb52586d2a0d2034005771e286d57bd92b5866077d9e26f9d4a6
-
Filesize
7KB
MD555e7f1ab0fe40ef1f2da787090417cf4
SHA1f9f5d9e63658f0cbad7776057ab4c44c1b2f2e31
SHA2568500418e229873a1bf259aa143b2ec432af59c7d8323e4bbc02f9b03122d986a
SHA51200509aa3b8f6521686942394e37d29a51a4b8ef01d334287eccafe066575bca6d1642da1070ea80f5f81473a597c0a6e3ec51f3350a4c9c7ab86eb5e908ed870
-
Filesize
7KB
MD5443fb64576980dc27169e238a0b4d526
SHA17c603108ebbd5a8a5812e4e073ac2a7b82619c10
SHA25686c894d474e4cc1801dd5495642b25d93c38d4f40424a1e34e48c7861fd3b569
SHA512583501d16dd202db345dd11e211357b75314568533b830909470df113c325e15356ca518b4e4021fcb4450afd1e4c7ed976f0803df7a368661f94476fb6312be
-
Filesize
560KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
800KB
-
Filesize
9.9MB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
560KB
-
Filesize
4KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
304KB
-
Filesize
344KB
-
Filesize
336KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.9MB