df025008bab8a9d1b780276526007d60abaafb894af2cca82bc633c715945ec5

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

444561befcef7bad6bb899304fb31524.exe
Size

5.6MB
MD5

444561befcef7bad6bb899304fb31524
SHA1

152d9d0b64d30dbcafed5bf728e576e384b9fd81
SHA256

945a6d17823852e7f5442b87d6282cc480ba90aa4892a0f8ed20eefaec0a0739
SHA512

37e07aa564a9b21a4e8d6299d2d359684512757a23a78b1c33669e755d3c29f8b8d9775efd0e872a03dafd7b7d28edf21c4ae2f8270f0d32f3ebfbb1c46c220c
SSDEEP

98304:F3h6d68gwIteZNiiPwVpL/fh6ImzzJoDfuBcMv+A73XA2:FR668aaELPHh6ImzD+F2

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2804	powershell.exe
2656	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	444561befcef7bad6bb899304fb31524.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3028	444561befcef7bad6bb899304fb31524.exe
3028	444561befcef7bad6bb899304fb31524.exe
3028	444561befcef7bad6bb899304fb31524.exe
3028	444561befcef7bad6bb899304fb31524.exe
3028	444561befcef7bad6bb899304fb31524.exe
3028	444561befcef7bad6bb899304fb31524.exe
3028	444561befcef7bad6bb899304fb31524.exe
3028	444561befcef7bad6bb899304fb31524.exe
3028	444561befcef7bad6bb899304fb31524.exe
3028	444561befcef7bad6bb899304fb31524.exe
3028	444561befcef7bad6bb899304fb31524.exe
3028	444561befcef7bad6bb899304fb31524.exe
3028	444561befcef7bad6bb899304fb31524.exe
3028	444561befcef7bad6bb899304fb31524.exe
2656	powershell.exe
2804	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	444561befcef7bad6bb899304fb31524.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2656	3028	444561befcef7bad6bb899304fb31524.exe	30
PID 3028 wrote to memory of 2656	3028	444561befcef7bad6bb899304fb31524.exe	30
PID 3028 wrote to memory of 2656	3028	444561befcef7bad6bb899304fb31524.exe	30
PID 3028 wrote to memory of 2656	3028	444561befcef7bad6bb899304fb31524.exe	30
PID 3028 wrote to memory of 2804	3028	444561befcef7bad6bb899304fb31524.exe	32
PID 3028 wrote to memory of 2804	3028	444561befcef7bad6bb899304fb31524.exe	32
PID 3028 wrote to memory of 2804	3028	444561befcef7bad6bb899304fb31524.exe	32
PID 3028 wrote to memory of 2804	3028	444561befcef7bad6bb899304fb31524.exe	32
PID 3028 wrote to memory of 2676	3028	444561befcef7bad6bb899304fb31524.exe	33
PID 3028 wrote to memory of 2676	3028	444561befcef7bad6bb899304fb31524.exe	33
PID 3028 wrote to memory of 2676	3028	444561befcef7bad6bb899304fb31524.exe	33
PID 3028 wrote to memory of 2676	3028	444561befcef7bad6bb899304fb31524.exe	33
PID 3028 wrote to memory of 2972	3028	444561befcef7bad6bb899304fb31524.exe	36
PID 3028 wrote to memory of 2972	3028	444561befcef7bad6bb899304fb31524.exe	36
PID 3028 wrote to memory of 2972	3028	444561befcef7bad6bb899304fb31524.exe	36
PID 3028 wrote to memory of 2972	3028	444561befcef7bad6bb899304fb31524.exe	36
PID 3028 wrote to memory of 376	3028	444561befcef7bad6bb899304fb31524.exe	37
PID 3028 wrote to memory of 376	3028	444561befcef7bad6bb899304fb31524.exe	37
PID 3028 wrote to memory of 376	3028	444561befcef7bad6bb899304fb31524.exe	37
PID 3028 wrote to memory of 376	3028	444561befcef7bad6bb899304fb31524.exe	37
PID 3028 wrote to memory of 2980	3028	444561befcef7bad6bb899304fb31524.exe	38
PID 3028 wrote to memory of 2980	3028	444561befcef7bad6bb899304fb31524.exe	38
PID 3028 wrote to memory of 2980	3028	444561befcef7bad6bb899304fb31524.exe	38
PID 3028 wrote to memory of 2980	3028	444561befcef7bad6bb899304fb31524.exe	38
PID 3028 wrote to memory of 2352	3028	444561befcef7bad6bb899304fb31524.exe	39
PID 3028 wrote to memory of 2352	3028	444561befcef7bad6bb899304fb31524.exe	39
PID 3028 wrote to memory of 2352	3028	444561befcef7bad6bb899304fb31524.exe	39
PID 3028 wrote to memory of 2352	3028	444561befcef7bad6bb899304fb31524.exe	39
PID 3028 wrote to memory of 2384	3028	444561befcef7bad6bb899304fb31524.exe	40
PID 3028 wrote to memory of 2384	3028	444561befcef7bad6bb899304fb31524.exe	40
PID 3028 wrote to memory of 2384	3028	444561befcef7bad6bb899304fb31524.exe	40
PID 3028 wrote to memory of 2384	3028	444561befcef7bad6bb899304fb31524.exe	40

C:\Users\Admin\AppData\Local\Temp\444561befcef7bad6bb899304fb31524.exe
"C:\Users\Admin\AppData\Local\Temp\444561befcef7bad6bb899304fb31524.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\444561befcef7bad6bb899304fb31524.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp841E.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\444561befcef7bad6bb899304fb31524.exe
  "C:\Users\Admin\AppData\Local\Temp\444561befcef7bad6bb899304fb31524.exe"
  2⤵
  PID:2972
- C:\Users\Admin\AppData\Local\Temp\444561befcef7bad6bb899304fb31524.exe
  "C:\Users\Admin\AppData\Local\Temp\444561befcef7bad6bb899304fb31524.exe"
  2⤵
  PID:376
- C:\Users\Admin\AppData\Local\Temp\444561befcef7bad6bb899304fb31524.exe
  "C:\Users\Admin\AppData\Local\Temp\444561befcef7bad6bb899304fb31524.exe"
  2⤵
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\444561befcef7bad6bb899304fb31524.exe
  "C:\Users\Admin\AppData\Local\Temp\444561befcef7bad6bb899304fb31524.exe"
  2⤵
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\444561befcef7bad6bb899304fb31524.exe
  "C:\Users\Admin\AppData\Local\Temp\444561befcef7bad6bb899304fb31524.exe"
  2⤵
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp841E.tmp

Filesize
1KB

MD5
4420f1845444a28b25016def81fc6ebf

SHA1
df06cca676bdc320f12dfb4197e02ebe52ff6fb3

SHA256
c1315c75084c44b3cd8edab27703eb68b01457324178e92bb32696ed1523c73c

SHA512
d4a4404c15183e623dd6cd9c65c0fdee9a02b5eb521308a3f769c6df996dbdf0630ebcd3e81a2e302c9fbb00c704f73c7625fb1b090c8bd39d3e696d588db8e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8ecdbeda8c7185ce4191703d28d68f74

SHA1
e19fde3d4bd50d1f5311b12d4aecf32ffacd56c2

SHA256
51df95f87ce95f1f3dd85a5f572d40bd8c4d47fef29cbc1613cc465cca25bd34

SHA512
40900fe6d71c52e8198c580727c1f583bf3efa2fd15b55104212ee0d1821331b59514c55295e3a793cbddb5d3fd0ddd2edf8193f9b2ab448bc71b384f295711c

Download Submit
memory/3028-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x00000000003F0000-0x0000000000984000-memory.dmp

Filesize
5.6MB

Download
memory/3028-2-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-3-0x0000000002380000-0x0000000002398000-memory.dmp

Filesize
96KB

Download
memory/3028-4-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/3028-5-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-6-0x00000000055E0000-0x000000000575E000-memory.dmp

Filesize
1.5MB

Download
memory/3028-19-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download