066541f7566da018dd14f24f89e1f9eddbd1c0e286d11edee989ce3f96e0ef13

Analysis

max time kernel
81s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

80.6MB
MD5

0c51baee49a5255668a82e5f280774fe
SHA1

6b85de5bfbde01bdf0a396631a7e6df07dbe79bc
SHA256

066541f7566da018dd14f24f89e1f9eddbd1c0e286d11edee989ce3f96e0ef13
SHA512

2d6b90259d31a4d92d7cbb98478fa02ca17ad8a1ea185ce0f0a1ad2b16785db4dc6620addd3ea6fe3ec95fbafa886a7f612c25a1c7e40d91b427260ea71ac357
SSDEEP

393216:rJA1cSR74aKPPs3hto+GRaMobT7Dd4DvqUwK0fTKybMY16q6m4gedXmH7o3a9Cc3:rKWNMFw7lgDkuCcwTpHQc8pY/It

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1204	sample.exe
1204	sample.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
216	powershell.exe
216	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 312	1204	sample.exe	87
PID 1204 wrote to memory of 312	1204	sample.exe	87
PID 312 wrote to memory of 220	312	cmd.exe	89
PID 312 wrote to memory of 220	312	cmd.exe	89
PID 312 wrote to memory of 216	312	cmd.exe	88
PID 312 wrote to memory of 216	312	cmd.exe	88
PID 216 wrote to memory of 3744	216	powershell.exe	90
PID 216 wrote to memory of 3744	216	powershell.exe	90
PID 3744 wrote to memory of 3308	3744	csc.exe	93
PID 3744 wrote to memory of 3308	3744	csc.exe	93

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pavfe0x3\pavfe0x3.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBF0.tmp" "c:\Users\Admin\AppData\Local\Temp\pavfe0x3\CSC313CC57763734A61B5393F521D94BA74.TMP"
        5⤵
        
        PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    3⤵
    PID:220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.nexe_natives\sqlite3\lib\binding\napi-v3-win32-x64\node_sqlite3.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\lib\binding\napi-v3-win32-x64\node_sqlite3.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\node_modules\ignore-walk\LICENSE

Filesize
765B

MD5
82703a69f6d7411dde679954c2fd9dca

SHA1
bb408e929caeb1731945b2ba54bc337edb87cc66

SHA256
4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b

SHA512
3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\node_modules\node-pre-gyp\package.json

Filesize
2KB

MD5
c805601907d0fc526136632c0aba18d3

SHA1
72fbba26600697c82dc191709dd7d4b8721038ee

SHA256
b0d2a69729723be09eab6197cb5b566802b96d41f1badf4d526be1d7141fccb0

SHA512
739d2dad3dfbc4a08ae2063447d03c0d9a54d7b69039faa35cd39a4c1e11745fb0eee9c5e6f88a0718bcf11652a912b1512bef26d4e3f354844f7dc1ca123ecc

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\node_modules\object-assign\license

Filesize
1KB

MD5
a12ebca0510a773644101a99a867d210

SHA1
0c94f137f6e0536db8cb2622a9dc84253b91b90c

SHA256
6fb9754611c20f6649f68805e8c990e83261f29316e29de9e6cedae607b8634c

SHA512
ae79e7a4209a451aef6b78f7b0b88170e7a22335126ac345522bf4eafe0818da5865aae1507c5dc0224ef854548c721df9a84371822f36d50cbcd97fa946eee9

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\node_modules\tunnel-agent\LICENSE

Filesize
8KB

MD5
f3f8ead5440d1c311b45be065d135d90

SHA1
05979f0750cf5c2a17bd3aa12450849c151d8b7c

SHA256
d446a8c73d7bbe4872d6524b15ae206f9a2d7eb53f8c9cb6e6c893a43acc5276

SHA512
d52ead0329e9223dce3d54f83c9e8caab7974355c248e2e85a1a8aa3198af402507761c22bad31307ae3bda06528ed0b3487e9ac9f6a6c3c413e09a5acac915d

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\package.json

Filesize
3KB

MD5
6fc2ac3e58ea88eba8ef8c78257804e6

SHA1
92ce5c01712271f80aa85e2ba78c2e06791b4b1f

SHA256
1ee12a8175e8a1c842a9790de45777c7a253588a7f02e5f8c314ec0d75b90567

SHA512
85dbb253372ce1f61ea4bc8d1eed8b489808f6f2f39a1d4713e7618268bc1b328f7667bbbadf91502e41b54ee5f16bf85f377737b34d08e8971077d0059771c8

Download Submit
C:\Users\Admin\.nexe_natives\win-dpapi\build\Release\node-dpapi.node

Filesize
141KB

MD5
c4e39871ce57a61c8ef9a92791c48ce8

SHA1
357f32e2cfa24591688a2782cd8ce145bb8e366e

SHA256
4f5a305446d373708a5169f69943b0be62110e4941cd64c1c8edd88eed89dff9

SHA512
b8f28f15b832afec97006294024c3f0d7b3a040334525a1fcd10ca51288adf98e9d583ed1e3afd7b897088ae1c839b36989e097d4c387b04070e10b158fa49d4

Download Submit
C:\Users\Admin\.nexe_natives\win-dpapi\build\Release\node-dpapi.node

Filesize
141KB

MD5
c4e39871ce57a61c8ef9a92791c48ce8

SHA1
357f32e2cfa24591688a2782cd8ce145bb8e366e

SHA256
4f5a305446d373708a5169f69943b0be62110e4941cd64c1c8edd88eed89dff9

SHA512
b8f28f15b832afec97006294024c3f0d7b3a040334525a1fcd10ca51288adf98e9d583ed1e3afd7b897088ae1c839b36989e097d4c387b04070e10b158fa49d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBF0.tmp

Filesize
1KB

MD5
7a0c8fa3f05876abd07fcfd5350bd88a

SHA1
284b1f286ba215ccdee25c16790e46dd129b562e

SHA256
b1d0543a66084e25536560fec5f5aaed0104b9b6a1998e895793d44a80cec654

SHA512
e20148f1a93b2e5ba8aa305e836da1ea340261f72ecf56566d414c7955a318287321d42bdcc68871d7f0eaa6fbe40f55075f3cc6f9cbe1c6b76dd8256972fe73

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jzwlq41g.00k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pavfe0x3\pavfe0x3.dll

Filesize
3KB

MD5
c16f581689cc99a91cad88f6c3195290

SHA1
88fdb38ae717a59941aa19978228eae52b6bd0d4

SHA256
9824a48e9663d0191c51cde820178c65e02cbd6c920d0648e5058386add943c7

SHA512
2d1a4192285b69b142c765502ebef4dfc3e11ebd5607c7c7b0a3286a383abe2feccea05c445b27b2e21ac6c4e003215cab6f8f877cf468661b7b907c0d3136d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pavfe0x3\CSC313CC57763734A61B5393F521D94BA74.TMP

Filesize
652B

MD5
f769d2c12d63f4afe7f013bb082f1282

SHA1
7e1bbc41980573ca2fecd055b2144989a3d957cc

SHA256
178236bf2a8283ec61ba84bf7703b1cde2131d675a21a7a73bf04091377967b7

SHA512
6b9743c19dc349fdce30bcc853c1aec507221456b64961cb40f6ce04536ac6317d5a4261e28fb44637a6dd56c809bbee8261020eca8aa6381af6e454fc06d698

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pavfe0x3\pavfe0x3.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pavfe0x3\pavfe0x3.cmdline

Filesize
369B

MD5
191c14a71be9418596631e44fc69b14a

SHA1
19b7873aa2bef1047d8aa4cf6d55d008f5adf131

SHA256
c5dd7ccb6f38e24af454cbb03f9d394910b52475074e7716a5aadc662ee7fd3f

SHA512
a3ba7189a30c5eb4f4f27554c39bfc705f4b7273460e9633881806f973ad7402a527ee0f74bcd87ef7901e6c266fe9f2fa077eef484ef41892f86b6ba99f817e

Download Submit
memory/216-150-0x0000022A27540000-0x0000022A27550000-memory.dmp

Filesize
64KB

Download
memory/216-149-0x0000022A27540000-0x0000022A27550000-memory.dmp

Filesize
64KB

Download
memory/216-148-0x0000022A27540000-0x0000022A27550000-memory.dmp

Filesize
64KB

Download
memory/216-147-0x0000022A27E00000-0x0000022A27E76000-memory.dmp

Filesize
472KB

Download
memory/216-146-0x0000022A27D30000-0x0000022A27D74000-memory.dmp

Filesize
272KB

Download
memory/216-143-0x0000022A27830000-0x0000022A27852000-memory.dmp

Filesize
136KB

Download