Analysis
max time kernel: 10s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 11/02/2023, 16:53
Static task: static1
Behavioral task: behavioral1
Sample: athem external client/athem.exe
Resource: win10-20220901-en

General
Target: athem external client/athem.exe
Size: 32.7MB
MD5: 9b42cf4fd8da2c6655c8d64d241811dc
SHA1: 1660a66e42aeff3864e623b8cd19a3e69a56b238
SHA256: e0f0eb85b36e2e04cf5d69696adefd491be800f288a316ee987e249b38fe58c0
SHA512: 15fd90ee93c2c377503d29d98fb3f626b43fc7081a2af535764941390d3e45cb16167649faa26a731514d3ca5ffc6a6c5c8571622e2ca535ca788753c6f5e80e
SSDEEP: 393216:yQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgq96l+ZArYsFRluc:y3on1HvSzxAMNqFZArYs
Malware Config
Signatures
Loads dropped DLL (1 IoC)
  PID 364  athem.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  PID 3548 powershell.exe (3 events)
  PID 928  powershell.exe (3 events)
  PID 2280 powershell.exe (3 events)
  PID 2868 powershell.exe (1 event)
  PID 2708 powershell.exe (1 event)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PIDs 3548, 928 and 2280 (all powershell.exe) each enable the same privilege set, in this order:
  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  The list for PID 2280 stops after 34, where the 64-entry cap of this signature is reached (22 + 22 + 20 = 64). The bare numbers are privilege LUIDs the sandbox did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege.

Suspicious use of WriteProcessMemory (18 IoCs)
  source PID  process         target PID  process         procid_target  events
  364         athem.exe       4408        cmd.exe         67             2
  4408        cmd.exe         3080        chcp.com        69             2
  364         athem.exe       3548        powershell.exe  70             2
  364         athem.exe       928         powershell.exe  73             2
  364         athem.exe       2280        powershell.exe  76             2
  364         athem.exe       2608        cmd.exe         78             2
  364         athem.exe       2868        powershell.exe  80             2
  364         athem.exe       1872        powershell.exe  81             2
  364         athem.exe       2708        powershell.exe  83             2
  (Target process names are taken from the Processes section below; the source report lists only the writing process by name.)
Processes

C:\Users\Admin\AppData\Local\Temp\athem external client\athem.exe   PID 364
    command line: "C:\Users\Admin\AppData\Local\Temp\athem external client\athem.exe"
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    |
    +-- C:\Windows\system32\cmd.exe   PID 4408
    |       command line: C:\Windows\system32\cmd.exe /d /s /c "chcp"
    |       signatures: Suspicious use of WriteProcessMemory
    |       |
    |       +-- C:\Windows\system32\chcp.com   PID 3080
    |               command line: chcp
    |
    +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   PID 3548
    |       command line: powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    |       signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    |
    +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   PID 928
    |       command line: powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    |       signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    |
    +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   PID 2280
    |       command line: powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    |       signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    |
    +-- C:\Windows\system32\cmd.exe   PID 2608
    |       command line: C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
    |
    +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   PID 2868
    |       command line: powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    |       signatures: Suspicious behavior: EnumeratesProcesses
    |
    +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   PID 1872
    |       command line: powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    |
    +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   PID 2708
            command line: powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
            signatures: Suspicious behavior: EnumeratesProcesses
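The tree above shows athem.exe spawning six powershell.exe children with "-ExecutionPolicy Unrestricted -Command -". The trailing "-" makes PowerShell read its script from standard input, so the command lines recorded by the sandbox carry nothing of what was actually executed; the parent writes the script over the pipe and "-NoExit" keeps each session open for more input. The two cmd.exe children query the console code page (chcp) and the host's FQDN (echo %COMPUTERNAME%.%USERDNSDOMAIN%). The following is an added detection example, not part of the report: it replays the tree as constructed process-creation events and flags the combination of pipe-fed PowerShell and host discovery under one parent. The parent PID of athem.exe is not in the report and is assumed to be 0, and the allowlist of parents that normally launch PowerShell is an assumption to tune per environment.

```python
import re
from collections import defaultdict

# Events constructed from the report's process tree: pid, parent pid, image, command line.
# athem.exe's own parent is not in the report; ppid 0 is an assumption.
ATHEM = r"C:\Users\Admin\AppData\Local\Temp\athem external client\athem.exe"
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = "powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -"
CMD_IMAGE = r"C:\Windows\system32\cmd.exe"

EVENTS = [
    {"pid": 364,  "ppid": 0,    "image": ATHEM,     "cmdline": f'"{ATHEM}"'},
    {"pid": 4408, "ppid": 364,  "image": CMD_IMAGE, "cmdline": CMD_IMAGE + ' /d /s /c "chcp"'},
    {"pid": 3080, "ppid": 4408, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp"},
    {"pid": 3548, "ppid": 364,  "image": PS_IMAGE,  "cmdline": PS_CMD},
    {"pid": 928,  "ppid": 364,  "image": PS_IMAGE,  "cmdline": PS_CMD},
    {"pid": 2280, "ppid": 364,  "image": PS_IMAGE,  "cmdline": PS_CMD},
    {"pid": 2608, "ppid": 364,  "image": CMD_IMAGE,
     "cmdline": CMD_IMAGE + ' /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"'},
    {"pid": 2868, "ppid": 364,  "image": PS_IMAGE,  "cmdline": PS_CMD},
    {"pid": 1872, "ppid": 364,  "image": PS_IMAGE,  "cmdline": PS_CMD},
    {"pid": 2708, "ppid": 364,  "image": PS_IMAGE,  "cmdline": PS_CMD},
]

# Parents that normally launch PowerShell (assumed allowlist; tune per environment).
BENIGN_PS_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline):
    """Split a Windows command line, keeping double-quoted runs as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def reads_script_from_stdin(ev):
    """powershell.exe ending in '-Command -' (or '-c -'): the script body arrives on
    stdin, so the command line carries nothing of what actually runs."""
    if basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return False
    t = [x.lower() for x in tokens(ev["cmdline"])]
    return len(t) >= 2 and t[-1] == "-" and t[-2] in ("-command", "-c")


def execution_policy(ev):
    t = [x.lower() for x in tokens(ev["cmdline"])]
    for i in range(len(t) - 1):
        if t[i] in ("-executionpolicy", "-ep", "-exec"):
            return t[i + 1]
    return None


def cmd_c_payload(ev):
    """The command string handed to cmd.exe /c, or None for anything else."""
    if basename(ev["image"]) != "cmd.exe":
        return None
    m = re.search(r'/c\s+"?(.*?)"?\s*$', ev["cmdline"], re.I)
    return m.group(1) if m else None


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    rules_by_parent = defaultdict(set)
    findings = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        parent_name = basename(parent["image"]) if parent else "<unknown>"
        payload = cmd_c_payload(ev) or ""
        if reads_script_from_stdin(ev) and parent_name not in BENIGN_PS_PARENTS:
            rule = "powershell_script_over_stdin"
            findings.append({"rule": rule, "pid": ev["pid"], "ppid": ev["ppid"],
                             "policy": execution_policy(ev), "severity": "high"})
        elif re.match(r"chcp(\s|$)", payload, re.I):
            rule = "console_codepage_probe"   # benign on its own; kept for correlation
            findings.append({"rule": rule, "pid": ev["pid"], "ppid": ev["ppid"], "severity": "info"})
        elif re.search(r"%COMPUTERNAME%.*%USERDNSDOMAIN%", payload, re.I):
            rule = "host_fqdn_discovery"      # ATT&CK T1082, System Information Discovery
            findings.append({"rule": rule, "pid": ev["pid"], "ppid": ev["ppid"], "severity": "medium"})
        else:
            continue
        rules_by_parent[ev["ppid"]].add(rule)
    # Correlation: one parent both feeding PowerShell over a pipe and collecting the host FQDN.
    for ppid, rules in rules_by_parent.items():
        if {"powershell_script_over_stdin", "host_fqdn_discovery"} <= rules:
            findings.append({"rule": "scripted_powershell_driver", "pid": ppid,
                             "parent_image": by_pid[ppid]["image"], "severity": "critical"})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run against the constructed events this yields six powershell_script_over_stdin findings (all with policy "unrestricted"), one console_codepage_probe, one host_fqdn_discovery and a single scripted_powershell_driver finding on PID 364. Because the script never appears in a command line, the useful telemetry for these sessions is PowerShell script-block logging (Event ID 4104), not process creation.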
Network
MITRE ATT&CK Matrix
Downloads

(path not recorded)   Filesize 3KB
    MD5    b519c55a718fb543286b76ed34e1feb9
    SHA1   57d0fa202e8e8b9ced4824ab1cf4f8bde86c213b
    SHA256 f105342dd5f019ff34a864610c196d155e03f278a25743aa4eda3b2719abbb06
    SHA512 e82faf00090f66065f7cf6bd3dd51b528b670d7eee5eafc198d76a24880e98de4fcab8891e5778ccf25245ff47a248bb8a0a4a5a75d8ab6f3a38a2e5bb7bff48

(path not recorded)   Filesize 2KB
    MD5    80ef418749393790b80930b9d1b1ed38
    SHA1   baae03cf53c24cb4b4e16618f69dd770e75b17f5
    SHA256 a9116390b696f61a4e6fb4887cc9e1cd896c2dbdc92693d247ccaa3ee590cfbb
    SHA512 935c42409d95d6e35082cdad292e85d938988c5957e05b81c7473ce7b149457b3d47047c1eeba985d4b1f87b240cdb426537989d4dbf2621143c2090df2abcd1

(path not recorded)   Filesize 2KB
    MD5    30c953510c52e9c3baf07661099787de
    SHA1   97f259acb65608763e8c7d8383028473c341e184
    SHA256 261d84151f131fc4f366599eda0641e9598fc52811c74b7fd3ec42a73b966187
    SHA512 2f6ac73fefa7cd5d095f3c93974694a96a752fbe311132bcb94bf580820190d2365e8a52da95e523b565cf827a4a9e8624db1a11ec63cd3c071deab3830209e9

(path not recorded)   Filesize 2KB
    MD5    25f078e7cfbd59159e2db9b328049ecf
    SHA1   7f3ce25c8ec41d8d10a29bb0356e406f6b14f829
    SHA256 702bf235b9becad36475e2948bb81c4859b783f01d7a33e8e4240bbc20d48e69
    SHA512 e26d32ba30eb6e18f794f96c3066e44961f0e2317d1d831b45db5d0b08854fff741a237d36d1488a2dcaef44287b1175ab26242b5ff145bc5e3bf7dbc92a2ff4

\Users\Admin\AppData\Local\Temp\pkg\08b8f97305f9f4da658d2e04475b55fae890fdff039d92c9b8f8f38de8bfc053\notrealw\build\Release\notrealw.node   Filesize 95KB
    MD5    f572a55a4940b043b8b3daf5cd33034f
    SHA1   c59c4239b7086c338976bc095476507fb6f9bb5f
    SHA256 08b8f97305f9f4da658d2e04475b55fae890fdff039d92c9b8f8f38de8bfc053
    SHA512 9e92fa134253e0e8276fe191bb41ae130bad06ebe974d8122d4f2d3690ee583b28fa21a70daab484d0d66388a2e8e9c9e701daf45a130c4300a16581f8a48c5e
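The last entry is written under %TEMP%\pkg\<hash>\..., and the directory name is exactly the file's SHA256 as recorded above. That layout is consistent with a Node.js program bundled with the vercel/pkg packager, which extracts native .node addons into a temp directory named after their hash at run time; it also fits a 32.7 MB executable that drives cmd.exe and PowerShell through pipes. The following is an added example, not part of the report or of any tool it names: it matches files on disk against the dropped-file hashes listed above and, for a pkg-style cache, confirms that each extracted file still hashes to its directory name (a mismatch means the file was swapped after extraction, or is not a pkg artefact at all). The demo builds a throwaway cache from constructed bytes so it runs offline; the temp-dir layout it creates is assumed from the single path in this report.

```python
import hashlib
import os
import pathlib
import re
import tempfile

# Hashes copied from the Downloads section of the report.
REPORT_IOCS = {
    "md5": {
        "b519c55a718fb543286b76ed34e1feb9", "80ef418749393790b80930b9d1b1ed38",
        "30c953510c52e9c3baf07661099787de", "25f078e7cfbd59159e2db9b328049ecf",
        "f572a55a4940b043b8b3daf5cd33034f",
    },
    "sha256": {
        "f105342dd5f019ff34a864610c196d155e03f278a25743aa4eda3b2719abbb06",
        "a9116390b696f61a4e6fb4887cc9e1cd896c2dbdc92693d247ccaa3ee590cfbb",
        "261d84151f131fc4f366599eda0641e9598fc52811c74b7fd3ec42a73b966187",
        "702bf235b9becad36475e2948bb81c4859b783f01d7a33e8e4240bbc20d48e69",
        "08b8f97305f9f4da658d2e04475b55fae890fdff039d92c9b8f8f38de8bfc053",
    },
}
REPORT_NODE_PATH = (r"\Users\Admin\AppData\Local\Temp\pkg"
                    r"\08b8f97305f9f4da658d2e04475b55fae890fdff039d92c9b8f8f38de8bfc053"
                    r"\notrealw\build\Release\notrealw.node")
REPORT_NODE_SHA256 = "08b8f97305f9f4da658d2e04475b55fae890fdff039d92c9b8f8f38de8bfc053"

HASH_DIR = re.compile(r"[\\/]pkg[\\/]([0-9a-f]{64})[\\/]", re.I)


def hash_file(path):
    """MD5, SHA1 and SHA256 of a file computed in one pass over its bytes."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_for_iocs(root, iocs=REPORT_IOCS):
    """Walk `root` and return every file whose digest appears in `iocs`."""
    hits = []
    for p in sorted(pathlib.Path(root).rglob("*")):
        if p.is_file():
            d = hash_file(p)
            matched = sorted(algo for algo, value in d.items() if value in iocs.get(algo, ()))
            if matched:
                hits.append({"path": str(p), "matched": matched, "sha256": d["sha256"]})
    return hits


def pkg_path_matches_hash(path, sha256):
    """True when the pkg cache directory embedded in `path` equals the file's SHA256."""
    m = HASH_DIR.search(path)
    return bool(m) and m.group(1).lower() == sha256.lower()


def pkg_cache_mismatches(pkg_root):
    """Files under <pkg_root>/<sha256>/... whose content no longer hashes to the directory name."""
    bad = []
    for entry in sorted(pathlib.Path(pkg_root).iterdir()):
        if entry.is_dir() and re.fullmatch(r"[0-9a-f]{64}", entry.name, re.I):
            for p in sorted(entry.rglob("*")):
                if p.is_file() and hash_file(p)["sha256"] != entry.name.lower():
                    bad.append(str(p))
    return bad


def demo():
    """Build a throwaway pkg-style cache from constructed bytes and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = pathlib.Path(tmp) / "pkg"
        addon = b"constructed stand-in for a native addon\x00\x01\x02"   # constructed content
        addon_sha = hashlib.sha256(addon).hexdigest()
        ok = pkg / addon_sha / "notrealw" / "build" / "Release" / "notrealw.node"
        ok.parent.mkdir(parents=True)
        ok.write_bytes(addon)
        tampered = pkg / ("0" * 64) / "other.node"        # directory name does not match content
        tampered.parent.mkdir(parents=True)
        tampered.write_bytes(b"tampered content")
        local_iocs = {"sha256": {addon_sha}}               # stand-in for REPORT_IOCS
        return {
            "ioc_hits": [os.path.basename(h["path"]) for h in scan_for_iocs(pkg, local_iocs)],
            "mismatches": [os.path.basename(p) for p in pkg_cache_mismatches(pkg)],
        }


if __name__ == "__main__":
    print(pkg_path_matches_hash(REPORT_NODE_PATH, REPORT_NODE_SHA256))
    print(demo())
```

On a live host, point scan_for_iocs at %LOCALAPPDATA%\Temp (with REPORT_IOCS) and pkg_cache_mismatches at %LOCALAPPDATA%\Temp\pkg. Hash matching only finds byte-identical drops; the four small unnamed files above are 2 to 3 KB and are the kind of artefact most likely to differ between runs, so treat a miss on them as inconclusive.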