d7108405eebedbd1d610c13bd7dae066a7ca5497f7e1c8c977a92b8401083709

Analysis

max time kernel
3s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ab11ad915b74ff1dd9a0ab743f7bb2a.exe
Size

5.7MB
MD5

2ab11ad915b74ff1dd9a0ab743f7bb2a
SHA1

b0d2258559eb5d5bd58af52e68fe17fa4f99109c
SHA256

09b4c204845790b4a2cb57a569ee7151d94e038099e3c175807aa27e68bd919c
SHA512

a4cec88eba462ad4e20f267806379054629b736db8c670d7cccfa0ca12a97deb2152ea63b5371662701ca70ea214a029918f584ae89a0187c5ed81253b06a656
SSDEEP

98304:6b4j5YtLaDORGGPAgOUeocP/cjsuS34/4ccmvgJ9FzpI4iWBPzL6OKsgsXPhU4ln:6U5YdUGEJl+oI/BcqgD1SeLuOKsg8BEy

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3012	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2112	Bootstrapper.exe

Loads dropped DLL 3 IoCs

pid	Process
2384	2ab11ad915b74ff1dd9a0ab743f7bb2a.exe
2384	2ab11ad915b74ff1dd9a0ab743f7bb2a.exe
2332	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2308	schtasks.exe
1884	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2112	2384	2ab11ad915b74ff1dd9a0ab743f7bb2a.exe	30
PID 2384 wrote to memory of 2112	2384	2ab11ad915b74ff1dd9a0ab743f7bb2a.exe	30
PID 2384 wrote to memory of 2112	2384	2ab11ad915b74ff1dd9a0ab743f7bb2a.exe	30
PID 2384 wrote to memory of 3012	2384	2ab11ad915b74ff1dd9a0ab743f7bb2a.exe	32
PID 2384 wrote to memory of 3012	2384	2ab11ad915b74ff1dd9a0ab743f7bb2a.exe	32
PID 2384 wrote to memory of 3012	2384	2ab11ad915b74ff1dd9a0ab743f7bb2a.exe	32

C:\Users\Admin\AppData\Local\Temp\2ab11ad915b74ff1dd9a0ab743f7bb2a.exe
"C:\Users\Admin\AppData\Local\Temp\2ab11ad915b74ff1dd9a0ab743f7bb2a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sqqcmm1n4vf4qj95.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3012
- C:\Users\Admin\AppData\Local\Temp\sqqcmm1n4vf4qj95.exe
  "C:\Users\Admin\AppData\Local\Temp\sqqcmm1n4vf4qj95.exe"
  2⤵
  PID:2888
- - C:\Windows\system32\CMD.exe
    "CMD" netsh firewall add allowedprogram "C:\Users\Public\Pictures\smssSystem32.exe" WindowsControl ENABLE & exit
    3⤵
    PID:2668
- - C:\Windows\system32\cmd.exe
    "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft\Windows\WAppCrashNvTew" /tr "C:\Users\Public\Pictures\smssSystem32.exe" /RL HIGHEST & exit
    3⤵
    PID:2680
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc minute /mo 1 /tn "Microsoft\Windows\WAppCrashNvTew" /tr "C:\Users\Public\Pictures\smssSystem32.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2308
- - C:\Windows\system32\cmd.exe
    "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Microsoft\MachineCore" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\smssSystem32.exe" /RL HIGHEST & exit
    3⤵
    PID:992
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc minute /mo 30 /tn "Microsoft\MachineCore" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\smssSystem32.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1884
- - C:\Users\Public\Pictures\smssSystem32.exe
    "C:\Users\Public\Pictures\smssSystem32.exe"
    3⤵
    PID:484

C:\Windows\system32\taskeng.exe
taskeng.exe {6762E629-4DC4-489F-9F82-D7B646B2929E} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
PID:1672
- C:\Users\Public\Pictures\smssSystem32.exe
  C:\Users\Public\Pictures\smssSystem32.exe
  2⤵
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
362a5f143664981ac3df47317e786f6c

SHA1
a1409840716cac7981aed9bdfb411c767b7f00a3

SHA256
174805586812690d9a7a86c1f91ed42d3a4e73b883033dd3c465a8dc5f5e7b82

SHA512
9b9ab6ab0bef82e2a81dd625ec5a01d0567c7db82bcd101a6d38a60cc52c849ee7e5a4d46948345d28183f42d307a540f283eba7d45a06fcf27a0f1b1781b627

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar28BD.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqqcmm1n4vf4qj95.exe

Filesize
290KB

MD5
7b5fb78ea05e503081f53a223858181c

SHA1
2d6d4187e52fa65be9fcd43717de87ebffb3d679

SHA256
9a46574df4ed1df8497bdc34334ea9cd280e77935d580e2d34125ba9906a5802

SHA512
3b6c9e5b82b4157adcaf712745c068f1e679e327aee9467f5100971244ecbc5bc9a686aaed3f5a6ac727303a2e0ed146b059d4a42a059ae801e863ed2d3bc89e

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

Filesize
9.4MB

MD5
f2a6133b7f38fc49f792ae799d1b4750

SHA1
6bef46ddde325f45a0e9ff123112c96bbd47c795

SHA256
37bde6655e1272e159b9c2e3a7eee3f4e9a837c0f04240645d3991d112287f8d

SHA512
f9611bed83b4bce1841868880a42dacb6b8f7e8859be1d85b3c8d3a365a0244566cbfb12294c7b2c82b15d6c0e47095d8246a95d522c3a064a0d8511b2411254

Download Submit
memory/484-113-0x000007FEF6200000-0x000007FEF6222000-memory.dmp

Filesize
136KB

Download
memory/484-92-0x000007FEF6200000-0x000007FEF6222000-memory.dmp

Filesize
136KB

Download
memory/484-72-0x0000000001320000-0x000000000136E000-memory.dmp

Filesize
312KB

Download
memory/484-91-0x000007FEF6200000-0x000007FEF6222000-memory.dmp

Filesize
136KB

Download
memory/1672-143-0x000007FEF7220000-0x000007FEF7242000-memory.dmp

Filesize
136KB

Download
memory/1672-133-0x000007FEF7220000-0x000007FEF7242000-memory.dmp

Filesize
136KB

Download
memory/2228-136-0x000007FEF7220000-0x000007FEF7242000-memory.dmp

Filesize
136KB

Download
memory/2228-134-0x000007FEF7220000-0x000007FEF7242000-memory.dmp

Filesize
136KB

Download
memory/2228-140-0x000007FEF7220000-0x000007FEF7242000-memory.dmp

Filesize
136KB

Download
memory/2228-148-0x000007FEF7220000-0x000007FEF7242000-memory.dmp

Filesize
136KB

Download
memory/2384-2-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2384-0-0x000007FEF5313000-0x000007FEF5314000-memory.dmp

Filesize
4KB

Download
memory/2384-1-0x0000000000D00000-0x00000000012BA000-memory.dmp

Filesize
5.7MB

Download
memory/2384-24-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2888-23-0x0000000000920000-0x000000000096E000-memory.dmp

Filesize
312KB

Download
memory/3012-16-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/3012-17-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads