1dff12ee6b61c31e2a9f5364f4c6bdbe8639cec3343ab4ca0ee7b43ce3cf0fd5

Analysis

max time kernel
134s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/12/2022, 14:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

main-file-setup/main-file-setup.exe
Size

550.0MB
MD5

ca89705a231aabedd38eae9c3001db3b
SHA1

a1e6c57986789a8cbc6c4d54ba3382dafef30f0b
SHA256

4196cb4e7ce6c3de44472fc67075ac56b9f5971f8fcf706e06edeca3a94e88d9
SHA512

6791283bb8f4704446df861d1e8c5102cd27c3e483326bc5c2231bd541c8344c9ebde96e3b921dcf27b918f58a312ef8b466e3f67875580f8689a6335db83749
SSDEEP

6144:sDSyydUgNDebfYDZWbg5c53u+cEIJ5nz59/cqok+trxLRsd9FtkEWU98ek6Br80X:LVN6bggSYqYthI/NLH3Sn2vLTl0A

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
35	4400	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

pid	Process
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4400 set thread context of 3508	4400	powershell.exe	92

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 4400	1556	main-file-setup.exe	86
PID 1556 wrote to memory of 4400	1556	main-file-setup.exe	86
PID 1556 wrote to memory of 4400	1556	main-file-setup.exe	86
PID 4400 wrote to memory of 3508	4400	powershell.exe	92
PID 4400 wrote to memory of 3508	4400	powershell.exe	92
PID 4400 wrote to memory of 3508	4400	powershell.exe	92
PID 4400 wrote to memory of 3508	4400	powershell.exe	92
PID 4400 wrote to memory of 3508	4400	powershell.exe	92
PID 4400 wrote to memory of 3508	4400	powershell.exe	92
PID 4400 wrote to memory of 3508	4400	powershell.exe	92
PID 4400 wrote to memory of 3508	4400	powershell.exe	92

C:\Users\Admin\AppData\Local\Temp\main-file-setup\main-file-setup.exe
"C:\Users\Admin\AppData\Local\Temp\main-file-setup\main-file-setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
    3⤵
    PID:3508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1556-133-0x0000000005F70000-0x0000000006514000-memory.dmp

Filesize
5.6MB

Download
memory/1556-134-0x0000000005A60000-0x0000000005AF2000-memory.dmp

Filesize
584KB

Download
memory/1556-135-0x0000000005B30000-0x0000000005B3A000-memory.dmp

Filesize
40KB

Download
memory/1556-132-0x0000000000FF0000-0x0000000001074000-memory.dmp

Filesize
528KB

Download
memory/3508-152-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3508-151-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3508-150-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3508-148-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4400-137-0x0000000002160000-0x0000000002196000-memory.dmp

Filesize
216KB

Download
memory/4400-142-0x00000000059F0000-0x0000000005A0E000-memory.dmp

Filesize
120KB

Download
memory/4400-143-0x0000000006000000-0x0000000006044000-memory.dmp

Filesize
272KB

Download
memory/4400-144-0x0000000006DD0000-0x0000000006E46000-memory.dmp

Filesize
472KB

Download
memory/4400-145-0x00000000074D0000-0x0000000007B4A000-memory.dmp

Filesize
6.5MB

Download
memory/4400-146-0x0000000006DB0000-0x0000000006DCA000-memory.dmp

Filesize
104KB

Download
memory/4400-141-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/4400-140-0x00000000053D0000-0x0000000005436000-memory.dmp

Filesize
408KB

Download
memory/4400-139-0x00000000049B0000-0x00000000049D2000-memory.dmp

Filesize
136KB

Download
memory/4400-138-0x0000000004C30000-0x0000000005258000-memory.dmp

Filesize
6.2MB

Download