e72231cd63dff45181cd09a0c15da6028a872ce93650e506e5a0678446d6da37

Analysis

max time kernel
91s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-de
resource tags

arch:x64arch:x86image:win10v2004-20220812-delocale:de-deos:windows10-2004-x64systemwindows
submitted
11-01-2023 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e72231cd63dff45181cd09a0c15da6028a872ce93650e506e5a0678446d6da37.cmd
Size

2.1MB
MD5

50f081e9114aaf8f00837164bf375c49
SHA1

816e16cd4950e51c5a68433f8667c584a156aff6
SHA256

e72231cd63dff45181cd09a0c15da6028a872ce93650e506e5a0678446d6da37
SHA512

723d197982c3f5bcd590c4bfae522876507749ab86a28b969e99bad87b6832de331250846173c74af55adc80b8fad525360269a890bb41be78238f49f1690cc6
SSDEEP

24576:uXduGNOl81+BhedW8Vp46RexIRV7a3mRgM1XzgG8Tnzh+AMgc2vQf/Md6itPQMsF:2lNmedW8p46zqfTpRYM6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
928	AutoIt3.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3664	timeout.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1768	WMIC.exe
Token: SeSecurityPrivilege	1768	WMIC.exe
Token: SeTakeOwnershipPrivilege	1768	WMIC.exe
Token: SeLoadDriverPrivilege	1768	WMIC.exe
Token: SeSystemProfilePrivilege	1768	WMIC.exe
Token: SeSystemtimePrivilege	1768	WMIC.exe
Token: SeProfSingleProcessPrivilege	1768	WMIC.exe
Token: SeIncBasePriorityPrivilege	1768	WMIC.exe
Token: SeCreatePagefilePrivilege	1768	WMIC.exe
Token: SeBackupPrivilege	1768	WMIC.exe
Token: SeRestorePrivilege	1768	WMIC.exe
Token: SeShutdownPrivilege	1768	WMIC.exe
Token: SeDebugPrivilege	1768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1768	WMIC.exe
Token: SeRemoteShutdownPrivilege	1768	WMIC.exe
Token: SeUndockPrivilege	1768	WMIC.exe
Token: SeManageVolumePrivilege	1768	WMIC.exe
Token: 33	1768	WMIC.exe
Token: 34	1768	WMIC.exe
Token: 35	1768	WMIC.exe
Token: 36	1768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1768	WMIC.exe
Token: SeSecurityPrivilege	1768	WMIC.exe
Token: SeTakeOwnershipPrivilege	1768	WMIC.exe
Token: SeLoadDriverPrivilege	1768	WMIC.exe
Token: SeSystemProfilePrivilege	1768	WMIC.exe
Token: SeSystemtimePrivilege	1768	WMIC.exe
Token: SeProfSingleProcessPrivilege	1768	WMIC.exe
Token: SeIncBasePriorityPrivilege	1768	WMIC.exe
Token: SeCreatePagefilePrivilege	1768	WMIC.exe
Token: SeBackupPrivilege	1768	WMIC.exe
Token: SeRestorePrivilege	1768	WMIC.exe
Token: SeShutdownPrivilege	1768	WMIC.exe
Token: SeDebugPrivilege	1768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1768	WMIC.exe
Token: SeRemoteShutdownPrivilege	1768	WMIC.exe
Token: SeUndockPrivilege	1768	WMIC.exe
Token: SeManageVolumePrivilege	1768	WMIC.exe
Token: 33	1768	WMIC.exe
Token: 34	1768	WMIC.exe
Token: 35	1768	WMIC.exe
Token: 36	1768	WMIC.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
928	AutoIt3.exe
928	AutoIt3.exe
928	AutoIt3.exe
928	AutoIt3.exe
928	AutoIt3.exe
928	AutoIt3.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
928	AutoIt3.exe
928	AutoIt3.exe
928	AutoIt3.exe
928	AutoIt3.exe
928	AutoIt3.exe
928	AutoIt3.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 4756	4876	cmd.exe	82
PID 4876 wrote to memory of 4756	4876	cmd.exe	82
PID 4756 wrote to memory of 1348	4756	cmd.exe	84
PID 4756 wrote to memory of 1348	4756	cmd.exe	84
PID 4756 wrote to memory of 524	4756	cmd.exe	85
PID 4756 wrote to memory of 524	4756	cmd.exe	85
PID 4756 wrote to memory of 1536	4756	cmd.exe	86
PID 4756 wrote to memory of 1536	4756	cmd.exe	86
PID 4756 wrote to memory of 1768	4756	cmd.exe	87
PID 4756 wrote to memory of 1768	4756	cmd.exe	87
PID 4756 wrote to memory of 3664	4756	cmd.exe	89
PID 4756 wrote to memory of 3664	4756	cmd.exe	89
PID 4756 wrote to memory of 3464	4756	cmd.exe	90
PID 4756 wrote to memory of 3464	4756	cmd.exe	90
PID 4756 wrote to memory of 5108	4756	cmd.exe	91
PID 4756 wrote to memory of 5108	4756	cmd.exe	91

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e72231cd63dff45181cd09a0c15da6028a872ce93650e506e5a0678446d6da37.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\e72231cd63dff45181cd09a0c15da6028a872ce93650e506e5a0678446d6da37.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\system32\more.com
    more +5 C:\Users\Admin\AppData\Local\Temp\e72231cd63dff45181cd09a0c15da6028a872ce93650e506e5a0678446d6da37.cmd
    3⤵
    PID:1348
- - C:\Windows\system32\certutil.exe
    certutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.1_20220919\AutoIt3.exe"
    3⤵
    PID:524
- - C:\Windows\system32\certutil.exe
    certutil -decode -f C:\Users\Admin\AppData\Local\Temp\e72231cd63dff45181cd09a0c15da6028a872ce93650e506e5a0678446d6da37.cmd "C:\Users\Admin\AppData\Roaming\Au3toCmd\a3x\LZCI\e72231cd63dff45181cd09a0c15da6028a872ce93650e506e5a0678446d6da37.a3x"
    3⤵
    PID:1536
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process call create '"C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.1_20220919\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\Au3toCmd\a3x\LZCI\e72231cd63dff45181cd09a0c15da6028a872ce93650e506e5a0678446d6da37.a3x" ""' ,C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\system32\timeout.exe
    timeout /T 5
    3⤵
    - Delays execution with timeout.exe
    PID:3664
- - C:\Windows\system32\xcopy.exe
    xcopy C:\Users\Admin\AppData\Roaming\Au3toCmd\*.* C:\Users\Admin\AppData\Roaming\Au3toCmdTmp\ /S
    3⤵
    PID:3464
- - C:\Windows\system32\xcopy.exe
    xcopy C:\Users\Admin\AppData\Roaming\Au3toCmdTmp\*.* C:\Users\Admin\AppData\Roaming\Au3toCmd\ /S /Y
    3⤵
    PID:5108

C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.1_20220919\AutoIt3.exe
"C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.1_20220919\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\Au3toCmd\a3x\LZCI\e72231cd63dff45181cd09a0c15da6028a872ce93650e506e5a0678446d6da37.a3x" ""
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~~

Filesize
2.2MB

MD5
60566f6b85ef070ee2c415fc11c1dfd5

SHA1
de4677f8b2f4e44763ea7cdcd6cb202fb336de7a

SHA256
65f9087e632e51369673dcdd27497bec4cc75fba6692ada39bf7729311c7c843

SHA512
37cbd95bd7e3fa242031bca5979566638f157163b7a68001406180830db999755fec090b65c46040407767a09f2af41c8188db33b69b0186e7e9b527d8ed514f

Download Submit
C:\Users\Admin\AppData\Roaming\Au3toCmdTmp\exe\v3.3.16.1_20220919\AutoIt3.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Roaming\Au3toCmd\a3x\LZCI\e72231cd63dff45181cd09a0c15da6028a872ce93650e506e5a0678446d6da37.a3x

Filesize
687KB

MD5
221e1a22133b319a0b85e04811424e36

SHA1
5453bd80a372480a77a87332da73c9690d67c604

SHA256
1cb114054077fa08f437e76a58ca5262d4f3860d73fc42880403d62a711c9467

SHA512
9f9d1e7ff4d7de3a984a976a28aafdfcf8b721ecd988511b581c4b6d478d8268d4439fd803072bfec3fa60a98c7a39b84a1b0a9cb16038d5c705bec8cd9116be

Download Submit
C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.1_20220919\AutoIt3.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.1_20220919\AutoIt3.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
memory/524-134-0x0000000000000000-mapping.dmp

Download
memory/928-141-0x0000000001337000-0x0000000001340000-memory.dmp

Filesize
36KB

Download
memory/1348-133-0x0000000000000000-mapping.dmp

Download
memory/1536-136-0x0000000000000000-mapping.dmp

Download
memory/1768-137-0x0000000000000000-mapping.dmp

Download
memory/3464-143-0x0000000000000000-mapping.dmp

Download
memory/3664-139-0x0000000000000000-mapping.dmp

Download
memory/4756-132-0x0000000000000000-mapping.dmp

Download
memory/5108-144-0x0000000000000000-mapping.dmp

Download