Analysis

  • max time kernel
    56s
  • max time network
    71s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-04-2023 22:37

General

  • Target

    LuSlower-PowerCfgUtil.exe

  • Size

    244KB

  • MD5

    e634caa91e10f27736e85527c9689850

  • SHA1

    92cf5e1ba154a02cf99e98a927f328b8332bbf5c

  • SHA256

    062c1d216ceceb758c0033e4a6f6c7b0d5211b8cc560194eb6c6962c7c7635ff

  • SHA512

    983bc8902ae97ba4d744b46ae881a48b4087d9c0f1860df0fc1bb0affdd4911596ae0a1b11476dc71fc64eca17c5b9aab4fb166d921836384d594be26af3010a

  • SSDEEP

    6144:MBlkZvaF4NTBE1L/yE9zeJdUzgrwoDDHyQ:MoSWNTS1L1zeUQtD7V

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory 1 IoCs
  • Delays execution with timeout.exe 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LuSlower-PowerCfgUtil.exe
    "C:\Users\Admin\AppData\Local\Temp\LuSlower-PowerCfgUtil.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\7EDA.tmp\7EDB.bat C:\Users\Admin\AppData\Local\Temp\LuSlower-PowerCfgUtil.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Windows\system32\Dism.exe
        dism
        3⤵
        • Drops file in Windows directory
        PID:1524
      • C:\Windows\system32\mode.com
        mode 93,17
        3⤵
          PID:2828
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c powercfg /list | findstr "*"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3284
          • C:\Windows\system32\powercfg.exe
            powercfg /list
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3756
          • C:\Windows\system32\findstr.exe
            findstr "*"
            4⤵
              PID:932
          • C:\Windows\system32\choice.exe
            choice /c 123456789 /n /m "eliga un numero [1-9]:"
            3⤵
              PID:2440
            • C:\Windows\system32\mode.com
              mode 30,2
              3⤵
                PID:4868
              • C:\Windows\system32\timeout.exe
                timeout -t 1 -nobreak
                3⤵
                • Delays execution with timeout.exe
                PID:4340
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c guidgen.exe hexH
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:4564
                • C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\GuidGen.exe
                  guidgen.exe hexH
                  4⤵
                  • Executes dropped EXE
                  PID:4772
              • C:\Windows\system32\powercfg.exe
                powercfg /import "C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\PowerCfgEsLu.pow" Try "GuidGen.exe --help" for more info.
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2428
              • C:\Windows\system32\mode.com
                mode 27,2
                3⤵
                  PID:4548
                • C:\Windows\system32\timeout.exe
                  timeout -t 1 -nobreak
                  3⤵
                  • Delays execution with timeout.exe
                  PID:4816
                • C:\Windows\system32\powercfg.exe
                  powercfg /s "Try "GuidGen.exe --help" for more info."
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:552
                • C:\Windows\system32\mode.com
                  mode 38,2
                  3⤵
                    PID:3960
                  • C:\Windows\system32\timeout.exe
                    timeout -t 1 -nobreak
                    3⤵
                    • Delays execution with timeout.exe
                    PID:5088
                  • C:\Windows\system32\mode.com
                    mode 93,17
                    3⤵
                      PID:5076
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c powercfg /list | findstr "*"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4972
                      • C:\Windows\system32\findstr.exe
                        findstr "*"
                        4⤵
                          PID:5020
                        • C:\Windows\system32\powercfg.exe
                          powercfg /list
                          4⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5012
                      • C:\Windows\system32\choice.exe
                        choice /c 123456789 /n /m "eliga un numero [1-9]:"
                        3⤵
                          PID:4948
                        • C:\Windows\system32\mode.com
                          mode 30,2
                          3⤵
                            PID:4912
                          • C:\Windows\system32\timeout.exe
                            timeout -t 1 -nobreak
                            3⤵
                            • Delays execution with timeout.exe
                            PID:3972
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c guidgen.exe -f hexH
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1220
                            • C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\GuidGen.exe
                              guidgen.exe -f hexH
                              4⤵
                              • Executes dropped EXE
                              PID:916
                          • C:\Windows\system32\powercfg.exe
                            powercfg /import "C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\PowerCfgMaxLu.pow" "2BCC2561-B1E8-2C9E-B3B1-C3B852B079BA"
                            3⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4440
                          • C:\Windows\system32\mode.com
                            mode 27,2
                            3⤵
                              PID:4832
                            • C:\Windows\system32\timeout.exe
                              timeout -t 1 -nobreak
                              3⤵
                              • Delays execution with timeout.exe
                              PID:1212
                            • C:\Windows\system32\powercfg.exe
                              powercfg /s "2BCC2561-B1E8-2C9E-B3B1-C3B852B079BA"
                              3⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4324
                            • C:\Windows\system32\mode.com
                              mode 38,2
                              3⤵
                                PID:4404
                              • C:\Windows\system32\timeout.exe
                                timeout -t 1 -nobreak
                                3⤵
                                • Delays execution with timeout.exe
                                PID:3068
                              • C:\Windows\system32\mode.com
                                mode 93,17
                                3⤵
                                  PID:4300
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c powercfg /list | findstr "*"
                                  3⤵
                                    PID:1284
                                    • C:\Windows\system32\powercfg.exe
                                      powercfg /list
                                      4⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1664
                                    • C:\Windows\system32\findstr.exe
                                      findstr "*"
                                      4⤵
                                        PID:1668
                                    • C:\Windows\system32\choice.exe
                                      choice /c 123456789 /n /m "eliga un numero [1-9]:"
                                      3⤵
                                        PID:1040
                                      • C:\Windows\system32\mode.com
                                        mode 30,2
                                        3⤵
                                          PID:1252
                                        • C:\Windows\system32\timeout.exe
                                          timeout -t 2 -nobreak
                                          3⤵
                                          • Delays execution with timeout.exe
                                          PID:1208
                                        • C:\Windows\system32\powercfg.exe
                                          powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61
                                          3⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2044
                                        • C:\Windows\system32\powercfg.exe
                                          powercfg -s e9a42b02-d5df-448d-aa00-03f14749eb61
                                          3⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4264
                                        • C:\Windows\system32\mode.com
                                          mode 38,2
                                          3⤵
                                            PID:772
                                          • C:\Windows\system32\mode.com
                                            mode 15,2
                                            3⤵
                                              PID:1860
                                            • C:\Windows\system32\timeout.exe
                                              timeout -t 2 -nobreak
                                              3⤵
                                              • Delays execution with timeout.exe
                                              PID:3000
                                            • C:\Windows\system32\mode.com
                                              mode 93,17
                                              3⤵
                                                PID:3228
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /c powercfg /list | findstr "*"
                                                3⤵
                                                  PID:1908
                                                  • C:\Windows\system32\powercfg.exe
                                                    powercfg /list
                                                    4⤵
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1692
                                                  • C:\Windows\system32\findstr.exe
                                                    findstr "*"
                                                    4⤵
                                                      PID:3456
                                                  • C:\Windows\system32\choice.exe
                                                    choice /c 123456789 /n /m "eliga un numero [1-9]:"
                                                    3⤵
                                                      PID:4412
                                                    • C:\Windows\system32\mode.com
                                                      mode 28,2
                                                      3⤵
                                                        PID:4992
                                                      • C:\Windows\system32\timeout.exe
                                                        timeout -t 2 -nobreak
                                                        3⤵
                                                        • Delays execution with timeout.exe
                                                        PID:3184
                                                      • C:\Windows\system32\powercfg.exe
                                                        powercfg -d e9a42b02-d5df-448d-aa00-03f14749eb61
                                                        3⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4208
                                                      • C:\Windows\system32\powercfg.exe
                                                        powercfg -d 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
                                                        3⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1680
                                                      • C:\Windows\system32\powercfg.exe
                                                        powercfg -d 381b4222-f694-41f0-9685-ff5bb260df2e
                                                        3⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4928
                                                      • C:\Windows\system32\mode.com
                                                        mode 15,2
                                                        3⤵
                                                          PID:3572
                                                        • C:\Windows\system32\powercfg.exe
                                                          powercfg -d a1841308-3541-4fab-bc81-f71556f20b4a
                                                          3⤵
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1640
                                                        • C:\Windows\system32\timeout.exe
                                                          timeout -t 2 -nobreak
                                                          3⤵
                                                          • Delays execution with timeout.exe
                                                          PID:1428
                                                        • C:\Windows\system32\mode.com
                                                          mode 93,17
                                                          3⤵
                                                            PID:2000
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c powercfg /list | findstr "*"
                                                            3⤵
                                                              PID:3340
                                                              • C:\Windows\system32\powercfg.exe
                                                                powercfg /list
                                                                4⤵
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:4608
                                                              • C:\Windows\system32\findstr.exe
                                                                findstr "*"
                                                                4⤵
                                                                  PID:1016
                                                              • C:\Windows\system32\choice.exe
                                                                choice /c 123456789 /n /m "eliga un numero [1-9]:"
                                                                3⤵
                                                                  PID:832
                                                                • C:\Windows\system32\mode.com
                                                                  mode 31,2
                                                                  3⤵
                                                                    PID:4448
                                                                  • C:\Windows\system32\timeout.exe
                                                                    timeout -t 2 -nobreak
                                                                    3⤵
                                                                    • Delays execution with timeout.exe
                                                                    PID:2064
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c wmic path win32_usbhub get deviceid |findstr /i /l "USB\VID_"
                                                                    3⤵
                                                                      PID:3652
                                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                                        wmic path win32_usbhub get deviceid
                                                                        4⤵
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:3812
                                                                      • C:\Windows\system32\findstr.exe
                                                                        findstr /i /l "USB\VID_"
                                                                        4⤵
                                                                          PID:3528
                                                                      • C:\Windows\system32\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c wmic PATH Win32_USBHub GET DeviceID | findstr /i /l "USB\ROOT_"
                                                                        3⤵
                                                                          PID:1600
                                                                          • C:\Windows\System32\Wbem\WMIC.exe
                                                                            wmic PATH Win32_USBHub GET DeviceID
                                                                            4⤵
                                                                              PID:3188
                                                                            • C:\Windows\system32\findstr.exe
                                                                              findstr /i /l "USB\ROOT_"
                                                                              4⤵
                                                                                PID:3032
                                                                            • C:\Windows\system32\reg.exe
                                                                              reg add "HKLM\SYSTEM\CurrentControlSet\Enum\USB\ROOT_HUB20\4&3104EFD0&0\Device Parameters\WDF" /v IdleInWorkingState /t reg_dword /d "0x0" /f
                                                                              3⤵
                                                                                PID:1508
                                                                              • C:\Windows\system32\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" /s /f "DmaRemappingCompatible"|findstr /l "USB"
                                                                                3⤵
                                                                                  PID:1580
                                                                                  • C:\Windows\system32\reg.exe
                                                                                    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" /s /f "DmaRemappingCompatible"
                                                                                    4⤵
                                                                                    • Maps connected drives based on registry
                                                                                    PID:1596
                                                                                  • C:\Windows\system32\findstr.exe
                                                                                    findstr /l "USB"
                                                                                    4⤵
                                                                                      PID:1756

                                                                              Network

                                                                              MITRE ATT&CK Enterprise v6

                                                                              Replay Monitor

                                                                              Loading Replay Monitor...

                                                                              Downloads

                                                                              • C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\7EDA.tmp\7EDB.bat

                                                                                Filesize

                                                                                8KB

                                                                                MD5

                                                                                924222f136a8fa82d102f7b039c9b7f9

                                                                                SHA1

                                                                                0139417744da37f5eccb0f484216ea765ffec252

                                                                                SHA256

                                                                                3156b61cdfe0ee9247c2c6c0afea0ab9b3b91e87833078f97a69aeaf5863d681

                                                                                SHA512

                                                                                097204056b7fff6533a2fbaee155dc822f603dfe32158564c2c384fc26f3c28448d447396c71c6e25934ad772d147fa4c07b8a30b7c1e862e0f7307553cd2849

                                                                              • C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\GuidGen.exe

                                                                                Filesize

                                                                                273KB

                                                                                MD5

                                                                                5d68c8c85d9c275bfeb388c7a44cc577

                                                                                SHA1

                                                                                4d3ab9193e1eb61f248b15fcc7390d259b24cde3

                                                                                SHA256

                                                                                6aa75a3865e0d14881943e2e3bb81788269d7c41e79290df88e72367835da1ad

                                                                                SHA512

                                                                                c1d839a572b3f83eb9704018190d50abd22c9c42c3af67fe4cb00f462ba64002c473ce56744a920fd94770e2b3e369b6309ffe5db06618f5ada991809352c565

                                                                              • C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\GuidGen.exe

                                                                                Filesize

                                                                                273KB

                                                                                MD5

                                                                                5d68c8c85d9c275bfeb388c7a44cc577

                                                                                SHA1

                                                                                4d3ab9193e1eb61f248b15fcc7390d259b24cde3

                                                                                SHA256

                                                                                6aa75a3865e0d14881943e2e3bb81788269d7c41e79290df88e72367835da1ad

                                                                                SHA512

                                                                                c1d839a572b3f83eb9704018190d50abd22c9c42c3af67fe4cb00f462ba64002c473ce56744a920fd94770e2b3e369b6309ffe5db06618f5ada991809352c565

                                                                              • C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\GuidGen.exe

                                                                                Filesize

                                                                                273KB

                                                                                MD5

                                                                                5d68c8c85d9c275bfeb388c7a44cc577

                                                                                SHA1

                                                                                4d3ab9193e1eb61f248b15fcc7390d259b24cde3

                                                                                SHA256

                                                                                6aa75a3865e0d14881943e2e3bb81788269d7c41e79290df88e72367835da1ad

                                                                                SHA512

                                                                                c1d839a572b3f83eb9704018190d50abd22c9c42c3af67fe4cb00f462ba64002c473ce56744a920fd94770e2b3e369b6309ffe5db06618f5ada991809352c565

                                                                              • C:\Windows\Logs\DISM\dism.log

                                                                                Filesize

                                                                                197KB

                                                                                MD5

                                                                                561b894f0a0431fe5e57367ce12e0edb

                                                                                SHA1

                                                                                85c2be8778535ddd455ed88865870b4c38069163

                                                                                SHA256

                                                                                c56f5c5dccae81cf914e594e4e08e484a233c6d7355bc4647ab3522aac82c5b0

                                                                                SHA512

                                                                                a486d9b300711561b19d1d993af5b77c06ca1504335fc1e39a443a25bd6a9976544848aa3a42ed8ca6e8e134c9b9d90cfdc538ab837db4dba032c439825699b4

                                                                              • memory/916-161-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                                Filesize

                                                                                340KB

                                                                              • memory/4772-159-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                                Filesize

                                                                                340KB