e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4

Resubmissions

09-11-2022 04:21

221109-eyxgyafdcn 1

09-11-2022 04:08

221109-ep773sfcem 1

09-11-2022 03:58

221109-ejt39sdeg9 10

Analysis

max time kernel
258s
max time network
289s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2022 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe
Size

1.8MB
MD5

c233f8e5f9b0441782280bb49b98f415
SHA1

ddd3476e9d61fc2d707354da50b490dea8f37721
SHA256

e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4
SHA512

f5404661a5349fb33e18eb632b12a6df3b7e735346bec08ee6a848375c9d6d71bd846c472bf19eccb34aa407bf16a0e214ca4ebe58f1460d4b10cf4c6fdc153c
SSDEEP

49152:j0OB/3taBrb/TMvO90d7HjmAFd4A64nsfJ4ongXG/jpC3Ohz1:/349m

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

620 powershell.exe
620 powershell.exe
5032 powershell.exe
5032 powershell.exe
3784 powershell.exe
3784 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 620 powershell.exe
Token: SeDebugPrivilege 5032 powershell.exe
Token: SeDebugPrivilege 3784 powershell.exe

pid	process
620	powershell.exe
620	powershell.exe
5032	powershell.exe
5032	powershell.exe
3784	powershell.exe
3784	powershell.exe

description	pid	process
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exepowershell.execmd.exepowershell.exe

description	pid	process	target process
PID 3688 wrote to memory of 620	3688	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 3688 wrote to memory of 620	3688	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 620 wrote to memory of 5068	620	powershell.exe	cmd.exe
PID 620 wrote to memory of 5068	620	powershell.exe	cmd.exe
PID 5068 wrote to memory of 5032	5068	cmd.exe	powershell.exe
PID 5068 wrote to memory of 5032	5068	cmd.exe	powershell.exe
PID 5068 wrote to memory of 4536	5068	cmd.exe	fsutil.exe
PID 5068 wrote to memory of 4536	5068	cmd.exe	fsutil.exe
PID 3688 wrote to memory of 3784	3688	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 3688 wrote to memory of 3784	3688	e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe	powershell.exe
PID 3784 wrote to memory of 3548	3784	powershell.exe	cmd.exe
PID 3784 wrote to memory of 3548	3784	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe
"C:\Users\Admin\AppData\Local\Temp\e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Process cmd \"/k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1\" -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath 'C:\'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5032
  - - C:\Windows\system32\fsutil.exe
      fsutil file createnew C:\Users\Admin\AppData\Roaming\excluded.txt 1
      4⤵
      PID:4536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Process cmd \"/k start %AppData%\ihwvffsmicqynaxuenpaisstlohgxade.exe\" -WindowStyle hidden"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k start %AppData%\ihwvffsmicqynaxuenpaisstlohgxade.exe
    3⤵
    PID:3548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7ff9440dc25523a288d278b38add13a1

SHA1
d67faf5afe85cacd9d816349f17ded3686ecf1a7

SHA256
ac518124d3bd39440bfba66739f8fab57ff82ea778f707ea2c902b29efde0ee0

SHA512
7116fcf6760a69efebfbffeba5abcfef903cc8647e142117023e022bb34c5fe6d1a35c727faab1e6d6505b2bd69689cf52f8ecef5253ca12d99d425021799911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
memory/620-136-0x000001B68F070000-0x000001B68F092000-memory.dmp

Filesize
136KB

Download
memory/620-149-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/620-135-0x0000000000000000-mapping.dmp

Download
memory/620-139-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/3548-147-0x0000000000000000-mapping.dmp

Download
memory/3784-144-0x0000000000000000-mapping.dmp

Download
memory/3784-146-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/3784-148-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4536-142-0x0000000000000000-mapping.dmp

Download
memory/5032-143-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/5032-138-0x0000000000000000-mapping.dmp

Download
memory/5032-150-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/5068-137-0x0000000000000000-mapping.dmp

Download