Analysis
-
max time kernel
148s -
max time network
158s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22/03/2025, 06:33
General
-
Target
0d7cbc882298f639d31191a03ec81bd3.exe
-
Size
1.9MB
-
MD5
0d7cbc882298f639d31191a03ec81bd3
-
SHA1
93124a821e8fe02c1736cb62e9a613c8dc8379e6
-
SHA256
56d64aaeab87dad048e08ea98237bcc727bbab88d97cc126e328ea1adf7fc913
-
SHA512
5bfbbefb14b200ded88943b685b22e5ac26ea281c9948d8a5fae49f3d19899d82730d52c8034c0b5d5c1b5fe1da1cb583d26b4d2ce3264903e5416d5480b3cf9
-
SSDEEP
24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD
Malware Config
Signatures
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 30 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 9 IoCs
-
Checks whether UAC is enabled 1 TTPs 20 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d7cbc882298f639d31191a03ec81bd3.exe"C:\Users\Admin\AppData\Local\Temp\0d7cbc882298f639d31191a03ec81bd3.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0d7cbc882298f639d31191a03ec81bd3.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Cookies\csrss.exe"C:\Users\Admin\Cookies\csrss.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ae8bdc8-7a34-41eb-ad19-934548550c1e.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Cookies\csrss.exeC:\Users\Admin\Cookies\csrss.exe4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07e5f5a1-1a5e-4fb3-bbfb-2bb44bf640cb.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Cookies\csrss.exeC:\Users\Admin\Cookies\csrss.exe6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91853a46-9ff0-4b85-981f-7256c4048553.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Cookies\csrss.exeC:\Users\Admin\Cookies\csrss.exe8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff9dee30-e421-4c57-98a6-f947a6b53cae.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Cookies\csrss.exeC:\Users\Admin\Cookies\csrss.exe10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cdc7909-22d7-429c-902e-9de9bd32b1c2.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Cookies\csrss.exeC:\Users\Admin\Cookies\csrss.exe12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b9ce981-3e98-4f4d-874e-d009ff9b1746.vbs"13⤵
-
C:\Users\Admin\Cookies\csrss.exeC:\Users\Admin\Cookies\csrss.exe14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\239b6189-bc4e-43f6-95c0-db6e0bf6d2d9.vbs"15⤵
-
C:\Users\Admin\Cookies\csrss.exeC:\Users\Admin\Cookies\csrss.exe16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\833e46cd-9145-4382-8916-10883d1b67dc.vbs"17⤵
-
C:\Users\Admin\Cookies\csrss.exeC:\Users\Admin\Cookies\csrss.exe18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c535e7c6-5cec-4ff6-b13c-ecad5d73ca6b.vbs"19⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d67856d4-4c72-4a04-b5d2-3d9e5ccf997e.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0c6739f-8900-4427-a128-590dca14088d.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6895aeb-a347-4831-ad2e-c25ce2d25f9d.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc613bf8-bba1-4f88-837c-758902fe8ddd.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1079cdf1-2360-47ee-8849-111664bc607d.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d6fc2c3-8332-47fa-995a-c5958e5ba373.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95d01ac9-f4b0-4983-9e23-992d7da4ba3a.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dedb40b-9ea9-4467-a254-35864897c3a5.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0dba2a0-c958-422b-895b-98e6bd2110d8.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Links\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
708B
MD5925d02b1bad0968389df6f1795eeeb6b
SHA1c8da38d1b42e0dde02243c3ac4ba7b93e41618ee
SHA2568491c15a4ce473be3d200e413f76340fa9f3ea9d3a72bf6e6d955a2d1dc0eb29
SHA51228a3c5cc00c4dbd003b035aa2f3a26eb8b1dd6d21e869c905833d136c1dad46554677fd1d009eb722b0d474f8039d4739d1e889509da85b7dd1f27e7034ad08f
-
Filesize
708B
MD5b0f3ddd17ae6baa03bc3dc57357c6961
SHA1395ca6f8de062c10246794ec4ff1de5f12565056
SHA2568d3df103827a3166d530c168893708e3dd5c95b7d309f8a9a7a8c64542e6cd53
SHA512f56acea6c75a77377acdb0c562137b96a0c9e32703d3bbd31eb48a8c8aa4bdb60fdacaa251e3dc0a3efc6a9f7a0dc13abc3b56b806a02ba73193bcc1a1d7e42e
-
Filesize
707B
MD528519b6d806c054a14fa9089c2032ca9
SHA1b27186e47799ed53498bb08a817976019813a9c1
SHA25647893d0dfd05d666ed2a59743518ed21a0d067d7d6f436d30901f1811f19cf17
SHA5120606f088e4a62733f68124197a98b20f8a11eeae731c311ad80b75b630640b601ae44769253c445bcf780851546241d369536e234b4e6be6d1fe374063e9a48f
-
Filesize
708B
MD5722f8a01ba45fcc3f1e14eef246b032e
SHA17aada0796a5af8af6966285828ad0bc1e03fa44a
SHA256262f8826f1d6f39c12510ab1281ebc6dd3914237e5e49c5cb67779e10edd8469
SHA512792cbfbfaef3d8036a67a3ffb3117877bd0d08c146db5695f84cbb223320ea0c8e5e68f4d9d2212f7fd268875b7aab77e8f6483546d4c7e45e96668ec5bcc06e
-
Filesize
708B
MD522be463e1428306aebb104918f8d3bdf
SHA1fe759a03a88560de4d74515d522925013fe2d255
SHA256811b685601711096c08f2e7d24fcb8abc8ed8c9429cd461dbaf25ee75caf1ee4
SHA5124abe1f2dd9888c1dd7af9f613404d1a3f1b16ea5efedf74fb9772b795764c658a945b3256a4bb215e5d87d7d7830c30409e58db1a79d8a70819af48dce50a868
-
Filesize
708B
MD5077f3422739d97b86b8964d1a096600f
SHA14e9500a92ff379b9b81595badbcbf37698c7f058
SHA256c3c7eb30cb4077ccded390fa3ae645761f019842d74cce8d00eaea40b9b0d3a4
SHA512e94869ff8de0bbec80d326fe2b2371506d7d6c7c0551f94f09c51e49023306237cde2e5ea7176b347d5f42a3ef9d4c11adf4a4d548b5cab71b9087f9770b9436
-
Filesize
1.9MB
MD50d7cbc882298f639d31191a03ec81bd3
SHA193124a821e8fe02c1736cb62e9a613c8dc8379e6
SHA25656d64aaeab87dad048e08ea98237bcc727bbab88d97cc126e328ea1adf7fc913
SHA5125bfbbefb14b200ded88943b685b22e5ac26ea281c9948d8a5fae49f3d19899d82730d52c8034c0b5d5c1b5fe1da1cb583d26b4d2ce3264903e5416d5480b3cf9
-
Filesize
484B
MD5ab2d829f2f0f843f5be1a4a93f22c04a
SHA1780eb963d6d174c47727474e2bec62530f11fd98
SHA2562e61c6934fa1539ef80f0b417a1636703b9420a038c52e805337dd89222e112d
SHA51271e7030d3b64294842ace697da7d56da601db26f71a878c15646c84141707b278fb5684f1bfaccc17742690df38c1293b974f9718897a9951f65c49b3663df8f
-
Filesize
708B
MD515382324bd7a11741f557312a065e04c
SHA1e5b861fa24e6893c256f541a47be26693356693d
SHA2565104e26113a76a383642e484b925c13f5d118fddad9c9602ecb894432dc16253
SHA512cee67454b46c86ee9824260d70b4cd9dd33015b0f0a3c1eda7db08679762ddd99462d968e26cc6cc11b4aa4fbb10be134a9a3e6ab90ace14384f890541c5ebf4
-
Filesize
708B
MD55d9b82256e02f0268e4f4de07faa3bad
SHA1b1ca8c9922b93f179d0c38ec03eeb62190833351
SHA2568ee3e59e71f8fcadb773c489821098358ae2b7f712eba460c249cd49114f2820
SHA5126f146d972537ecb2c2a37aeccaa31dcfa5dff7d4f39a0d8b362ff795a09b9f0caa963db2cc8dd2df677656c0bf3558dfa9de2cbb350ebfebbc37645bc6d31123
-
Filesize
1.9MB
MD57bd139d905933fe6839edce6ae947609
SHA1f884684d261e190a1713e160089eaff167d45e3a
SHA256c49738cb26048b2a9dbd6d9d0f692c87b9ebfccdfa2d90baae75014db0ebf64e
SHA51213cef077fafc47de19f6ca2b96f907f5d54db7dddc8198edd020159a01691c5744e47eafa0d0d50a257388c12bde97a3f269c36085374e7144f5fb2eb204b298
-
Filesize
7KB
MD505e2ad4a987352284bfcc7aedf799814
SHA1995e609ee947486ae819f121c3bd947f1557ab71
SHA256ab1d7069a108e99485714b1d191fbca282a7db286f8c9b4c677935b06d05720e
SHA512bc76db78e3f631f7ca840941136ba26bd6ae3310784f94466fe4bfa635a5e6d6fd26ef9e19bbfd585b50b407542766f935ba6ffd098bcaf3f178da75de91c07a
-
Filesize
1.9MB
MD5f344c68491397d86c44a22e4101527ec
SHA12fc125518d7b3d5f615649ac14d9ac52979a35bd
SHA2560150befbad0f8bae13df71b21ff2ad680634dfa210e7baf9c98729171ca29b80
SHA512cac1b779c96029acd4bd248493a1a68d228424e29fde3c9e647c15efe8619604f6c8fbde0fc7c8203356318ce92c6ddff5da0afea657a6dd8406de4d85844b7a
-
Filesize
1.9MB
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
72KB
-
Filesize
2.9MB
-
Filesize
1.9MB
-
Filesize
72KB
-
Filesize
1.9MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
1.9MB
-
Filesize
32KB
-
Filesize
344KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
1.9MB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
9.9MB
-
Filesize
1.9MB