ec180ff7a9327b3b6879393e8e34b5def8599db647dc6e05ce9feaffc8666136

Resubmissions

02/01/2023, 22:29

230102-2eejcabe71 7

02/01/2023, 22:24

230102-2bpvxagd35 7

Analysis

max time kernel
83s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2023, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OctousWarriors.exe
Size

74.8MB
MD5

2020ffc9bb4eec31bb0095a7e1f26ff9
SHA1

32d8a4165e152080adf74483e1cf326d7eb4b90a
SHA256

ec180ff7a9327b3b6879393e8e34b5def8599db647dc6e05ce9feaffc8666136
SHA512

02a6b1a714c384c8eb2a7501dcbf17ac23ad7ce69d4d04e18531bcd897518afd0609b37ca8004bc60f904ae4b5506e1bcb75c1cc9aee03c1b0f307ca48e27e96
SSDEEP

786432:D0LoCOn+2hs4urYDNulLBiuRAatLAxn84ObHOgFPzLbtl6pxovHiBqKjcn8ggEC7:DMoCm/hXwqfwvW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4736	OctousWarriors.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1012	powershell.exe
1012	powershell.exe
4572	powershell.exe
4572	powershell.exe
3816	powershell.exe
3816	powershell.exe
596	powershell.exe
1716	powershell.exe
456	powershell.exe
1716	powershell.exe
596	powershell.exe
456	powershell.exe
4068	powershell.exe
4068	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeIncreaseQuotaPrivilege	1012	powershell.exe
Token: SeSecurityPrivilege	1012	powershell.exe
Token: SeTakeOwnershipPrivilege	1012	powershell.exe
Token: SeLoadDriverPrivilege	1012	powershell.exe
Token: SeSystemProfilePrivilege	1012	powershell.exe
Token: SeSystemtimePrivilege	1012	powershell.exe
Token: SeProfSingleProcessPrivilege	1012	powershell.exe
Token: SeIncBasePriorityPrivilege	1012	powershell.exe
Token: SeCreatePagefilePrivilege	1012	powershell.exe
Token: SeBackupPrivilege	1012	powershell.exe
Token: SeRestorePrivilege	1012	powershell.exe
Token: SeShutdownPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeSystemEnvironmentPrivilege	1012	powershell.exe
Token: SeRemoteShutdownPrivilege	1012	powershell.exe
Token: SeUndockPrivilege	1012	powershell.exe
Token: SeManageVolumePrivilege	1012	powershell.exe
Token: 33	1012	powershell.exe
Token: 34	1012	powershell.exe
Token: 35	1012	powershell.exe
Token: 36	1012	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeIncreaseQuotaPrivilege	4572	powershell.exe
Token: SeSecurityPrivilege	4572	powershell.exe
Token: SeTakeOwnershipPrivilege	4572	powershell.exe
Token: SeLoadDriverPrivilege	4572	powershell.exe
Token: SeSystemProfilePrivilege	4572	powershell.exe
Token: SeSystemtimePrivilege	4572	powershell.exe
Token: SeProfSingleProcessPrivilege	4572	powershell.exe
Token: SeIncBasePriorityPrivilege	4572	powershell.exe
Token: SeCreatePagefilePrivilege	4572	powershell.exe
Token: SeBackupPrivilege	4572	powershell.exe
Token: SeRestorePrivilege	4572	powershell.exe
Token: SeShutdownPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeSystemEnvironmentPrivilege	4572	powershell.exe
Token: SeRemoteShutdownPrivilege	4572	powershell.exe
Token: SeUndockPrivilege	4572	powershell.exe
Token: SeManageVolumePrivilege	4572	powershell.exe
Token: 33	4572	powershell.exe
Token: 34	4572	powershell.exe
Token: 35	4572	powershell.exe
Token: 36	4572	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeIncreaseQuotaPrivilege	3816	powershell.exe
Token: SeSecurityPrivilege	3816	powershell.exe
Token: SeTakeOwnershipPrivilege	3816	powershell.exe
Token: SeLoadDriverPrivilege	3816	powershell.exe
Token: SeSystemProfilePrivilege	3816	powershell.exe
Token: SeSystemtimePrivilege	3816	powershell.exe
Token: SeProfSingleProcessPrivilege	3816	powershell.exe
Token: SeIncBasePriorityPrivilege	3816	powershell.exe
Token: SeCreatePagefilePrivilege	3816	powershell.exe
Token: SeBackupPrivilege	3816	powershell.exe
Token: SeRestorePrivilege	3816	powershell.exe
Token: SeShutdownPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeSystemEnvironmentPrivilege	3816	powershell.exe
Token: SeRemoteShutdownPrivilege	3816	powershell.exe
Token: SeUndockPrivilege	3816	powershell.exe
Token: SeManageVolumePrivilege	3816	powershell.exe
Token: 33	3816	powershell.exe
Token: 34	3816	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3220	4736	OctousWarriors.exe	78
PID 4736 wrote to memory of 3220	4736	OctousWarriors.exe	78
PID 3220 wrote to memory of 2396	3220	cmd.exe	80
PID 3220 wrote to memory of 2396	3220	cmd.exe	80
PID 4736 wrote to memory of 1012	4736	OctousWarriors.exe	81
PID 4736 wrote to memory of 1012	4736	OctousWarriors.exe	81
PID 4736 wrote to memory of 4572	4736	OctousWarriors.exe	84
PID 4736 wrote to memory of 4572	4736	OctousWarriors.exe	84
PID 4736 wrote to memory of 3816	4736	OctousWarriors.exe	87
PID 4736 wrote to memory of 3816	4736	OctousWarriors.exe	87
PID 4736 wrote to memory of 752	4736	OctousWarriors.exe	89
PID 4736 wrote to memory of 752	4736	OctousWarriors.exe	89
PID 4736 wrote to memory of 596	4736	OctousWarriors.exe	91
PID 4736 wrote to memory of 596	4736	OctousWarriors.exe	91
PID 4736 wrote to memory of 456	4736	OctousWarriors.exe	92
PID 4736 wrote to memory of 456	4736	OctousWarriors.exe	92
PID 4736 wrote to memory of 1716	4736	OctousWarriors.exe	94
PID 4736 wrote to memory of 1716	4736	OctousWarriors.exe	94
PID 4736 wrote to memory of 428	4736	OctousWarriors.exe	100
PID 4736 wrote to memory of 428	4736	OctousWarriors.exe	100
PID 428 wrote to memory of 4416	428	cmd.exe	102
PID 428 wrote to memory of 4416	428	cmd.exe	102
PID 4736 wrote to memory of 4068	4736	OctousWarriors.exe	103
PID 4736 wrote to memory of 4068	4736	OctousWarriors.exe	103
PID 4736 wrote to memory of 4560	4736	OctousWarriors.exe	106
PID 4736 wrote to memory of 4560	4736	OctousWarriors.exe	106
PID 4560 wrote to memory of 3376	4560	cmd.exe	108
PID 4560 wrote to memory of 3376	4560	cmd.exe	108
PID 4736 wrote to memory of 4024	4736	OctousWarriors.exe	109
PID 4736 wrote to memory of 4024	4736	OctousWarriors.exe	109

C:\Users\Admin\AppData\Local\Temp\OctousWarriors.exe
"C:\Users\Admin\AppData\Local\Temp\OctousWarriors.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\system32\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:4416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
    3⤵
    PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" list vms --long"
  2⤵
  PID:4024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5c3cc3c6ae2c1e0b92b502859ce79d0c

SHA1
bde46d0f91ad780ce5cba924f8d9f4c175c5b83d

SHA256
5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2

SHA512
269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
951939a040c7a35b2d102d905634b820

SHA1
cfec458940c3c81effbe509bf984c803a7014ccb

SHA256
dd3f0f44dc5814eb3a488e4ce0d1973e332a7b8de2df79f1f78fba2a45d79e5a

SHA512
02afd17cb280d526201b623680148d078fb53ea89321ce5294deecb0886ad4fad484fc4f0fee56f508eac3820a98f237268197582cdf123a01c93330fbd89646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
b1004207cf8384f56c2f49586646ee46

SHA1
9a78b98224e9dc1127d4454f7360c5f992e0acc9

SHA256
75d724e3a52397bfe75fee1ba43ce4a5b0b254aa60a5a8b2ca338129dbd48341

SHA512
c3e5e59bc2855df0a8f2efb3cbde294131609c250761472ce7b85b4c81e9681e835244d7e188b2cf08ec68b1cf71ed59d9365a977accf7cb6a78a0605a592016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
aa9f1414f1d7a48bb3bc0fcd705f95f2

SHA1
c3d0b9d06d44481f67f7f7e9bcf04bc4bc61175c

SHA256
f9b907334b4ab7beafe10061d3ddff5cdca60fcbda384081d2d6bebef281737b

SHA512
e9f68dc41581c2d5d5991ee9d368524be72b4818733435b4043917f133ffb402ce57f1311779b2e8fc1723dc20d7681e5976e26e52fa6bf7100e20da95d34325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8d2c65b6e4add4a512cda781ef149f23

SHA1
55ba705696da5867dde6f9e065c56d9bdf5b5895

SHA256
9511a4575d2e078b2e933d73961c210b211ffc50fc3e572968ff180e871eb400

SHA512
d76fb1b9b30527ce908d30fdcacc1cf8549ba883951be4d49f169b9a9394009765bcdb3ae48da947a99890213eaaf1496c63f32ad3990eafb194f97562e850f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8d2c65b6e4add4a512cda781ef149f23

SHA1
55ba705696da5867dde6f9e065c56d9bdf5b5895

SHA256
9511a4575d2e078b2e933d73961c210b211ffc50fc3e572968ff180e871eb400

SHA512
d76fb1b9b30527ce908d30fdcacc1cf8549ba883951be4d49f169b9a9394009765bcdb3ae48da947a99890213eaaf1496c63f32ad3990eafb194f97562e850f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\149f80a81cf030278152112d83935bbffc1538cf4895e2aa0603e02afc11c958\mertushkaw\build\Release\mertushkaw.node

Filesize
95KB

MD5
4581922b663ab1a359e3a51e8f596d73

SHA1
50eacfb4a8c669f9ce67bc67b3a338e2c057eaa9

SHA256
149f80a81cf030278152112d83935bbffc1538cf4895e2aa0603e02afc11c958

SHA512
7b19452c175e94b0c6a831c58f56a47ac16878f9904234c17c0ce4e8d5de45273f673ab9c6fce68e2c21f85894a61f200a72228c5f7582bb5279be8075418d58

Download Submit
memory/456-162-0x00007FFA06780000-0x00007FFA07241000-memory.dmp

Filesize
10.8MB

Download
memory/456-158-0x00007FFA06780000-0x00007FFA07241000-memory.dmp

Filesize
10.8MB

Download
memory/596-157-0x00007FFA06780000-0x00007FFA07241000-memory.dmp

Filesize
10.8MB

Download
memory/596-164-0x00007FFA06780000-0x00007FFA07241000-memory.dmp

Filesize
10.8MB

Download
memory/1012-142-0x00007FFA06780000-0x00007FFA07241000-memory.dmp

Filesize
10.8MB

Download
memory/1012-136-0x00000237D5740000-0x00000237D5762000-memory.dmp

Filesize
136KB

Download
memory/1012-137-0x00000237D5C20000-0x00000237D5C64000-memory.dmp

Filesize
272KB

Download
memory/1012-138-0x00007FFA06780000-0x00007FFA07241000-memory.dmp

Filesize
10.8MB

Download
memory/1012-139-0x00000237D5CF0000-0x00000237D5D66000-memory.dmp

Filesize
472KB

Download
memory/1012-140-0x00000237D5CA0000-0x00000237D5CCA000-memory.dmp

Filesize
168KB

Download
memory/1012-141-0x00000237D5CA0000-0x00000237D5CC4000-memory.dmp

Filesize
144KB

Download
memory/1716-160-0x00007FFA06780000-0x00007FFA07241000-memory.dmp

Filesize
10.8MB

Download
memory/1716-159-0x00007FFA06780000-0x00007FFA07241000-memory.dmp

Filesize
10.8MB

Download
memory/3816-151-0x00007FFA06780000-0x00007FFA07241000-memory.dmp

Filesize
10.8MB

Download
memory/3816-149-0x00007FFA06780000-0x00007FFA07241000-memory.dmp

Filesize
10.8MB

Download
memory/4068-169-0x00007FFA06430000-0x00007FFA06EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4068-170-0x00007FFA06430000-0x00007FFA06EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-147-0x00007FFA06780000-0x00007FFA07241000-memory.dmp

Filesize
10.8MB

Download
memory/4572-146-0x00007FFA06780000-0x00007FFA07241000-memory.dmp

Filesize
10.8MB

Download