c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
Size

507KB
MD5

01403de5e5b173a6459964ebc76ea44c
SHA1

e0e0badffcd445fb5a9940d5d9894f9faf2d3c15
SHA256

c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131
SHA512

497a95bc5175c83c2346b9359af4ffae020fdfc5adab9d1aa3df11e59bc53f8f6e830e3fe4a9a62d912242923dc9ace81390ecec0425b7d64538b5e07507b950
SSDEEP

12288:7CMEpyVZfUcyo/Bn8mjgjEGDa/jIsd2C6i1zkR:Ffp/B8NEGDIjJ6i1m

Score

9^/10

execution

Malware Config

Signatures

Detects executables packed with SmartAssembly 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/1768-6-0x0000000001FF0000-0x0000000001FFC000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2872 powershell.exe
1252 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2636 schtasks.exe

resource	yara_rule
behavioral1/memory/1768-6-0x0000000001FF0000-0x0000000001FFC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

pid	process
2872	powershell.exe
1252	powershell.exe

pid	process
2636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exepowershell.exepowershell.exe

pid	process
1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
1252	powershell.exe
2872	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1768 c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
Token: SeDebugPrivilege 1252 powershell.exe
Token: SeDebugPrivilege 2872 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe

C:\Users\Admin\AppData\Local\Temp\c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
"C:\Users\Admin\AppData\Local\Temp\c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DRIaUJaxClxFyS.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DRIaUJaxClxFyS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5689.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Users\Admin\AppData\Local\Temp\c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
"C:\Users\Admin\AppData\Local\Temp\c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe"
2⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
"C:\Users\Admin\AppData\Local\Temp\c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe"
2⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
"C:\Users\Admin\AppData\Local\Temp\c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe"
2⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
"C:\Users\Admin\AppData\Local\Temp\c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe"
2⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
"C:\Users\Admin\AppData\Local\Temp\c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe"
2⤵
PID:2292

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5689.tmp
Filesize
1KB

MD5
084d0377a2f6ddaec1a47564330b4d41

SHA1
5b693fdda263ca7b1b901e4ebc7e3306fe13bc5b

SHA256
de8abb24dc091c129ec942b4be27d9408ea041f6718ec87712af114965f853d2

SHA512
fa223f7aba1152e8e88efe44a7f1ee0f84132ab857b03022977b5c631dd0e8eb806b3991bb29151c2054cfe32970117d1197a0778cfb1e33f50fe14f478bcbb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
93dcd74d1eeae27a2df2c8034456b4ab

SHA1
a1002fbe6930451d2f6a07557c94b9ad4c571ef9

SHA256
3668ce89987015b920b2f29e25da1a5b16267b6579f7daf33aa445bff658f3ba

SHA512
050dd3057507a663eebdacd033360197103791cd89d5a89673becef6c2751ad59210d2a7f4b8bea70db73bc1ae2423f76b9d8e58b5425f1be503b84b19e85e41

Download Submit
memory/1768-0-0x000000007407E000-0x000000007407F000-memory.dmp

Filesize
4KB

Download
memory/1768-1-0x00000000003D0000-0x0000000000450000-memory.dmp

Filesize
512KB

Download
memory/1768-2-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1768-3-0x0000000004BD0000-0x0000000004C46000-memory.dmp

Filesize
472KB

Download
memory/1768-4-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1768-5-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

Filesize
32KB

Download
memory/1768-6-0x0000000001FF0000-0x0000000001FFC000-memory.dmp

Filesize
48KB

Download
memory/1768-7-0x00000000053E0000-0x0000000005440000-memory.dmp

Filesize
384KB

Download
memory/1768-20-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 1768 wrote to memory of 2872	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	powershell.exe
PID 1768 wrote to memory of 2872	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	powershell.exe
PID 1768 wrote to memory of 2872	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	powershell.exe
PID 1768 wrote to memory of 2872	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	powershell.exe
PID 1768 wrote to memory of 1252	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	powershell.exe
PID 1768 wrote to memory of 1252	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	powershell.exe
PID 1768 wrote to memory of 1252	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	powershell.exe
PID 1768 wrote to memory of 1252	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	powershell.exe
PID 1768 wrote to memory of 2636	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	schtasks.exe
PID 1768 wrote to memory of 2636	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	schtasks.exe
PID 1768 wrote to memory of 2636	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	schtasks.exe
PID 1768 wrote to memory of 2636	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	schtasks.exe
PID 1768 wrote to memory of 2552	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2552	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2552	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2552	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2168	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2168	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2168	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2168	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2948	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2948	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2948	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2948	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2952	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2952	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2952	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2952	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2292	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2292	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2292	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe
PID 1768 wrote to memory of 2292	1768	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe	c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131.exe