Resubmissions

25/04/2023, 20:18

230425-y3j7yscg23 10

Analysis

  • max time kernel
    489s
  • max time network
    494s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/04/2023, 20:18

General

  • Target

    Executables/AtlasModules/Scripts/setSvc.cmd

  • Size

    2KB

  • MD5

    a7d3e4ffbb7206374740a5e348ca2380

  • SHA1

    6b15231dbb2444198faf876ce420ebff9961383e

  • SHA256

    be86445c1f6e88a1c4a1df2c457ced5157c3d712d176011dfaee662403f70b22

  • SHA512

    4183c4c47720232592d0e73fd57373ff7ef69279f93b65cc208db72d89b427435517acbe62ab34005d7de156b172f492cc78437f3a808318f9c3748718b81390

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Modifies data under HKEY_USERS 48 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -win 1 -nop -c iex $env:R; # RunAsTI
        2⤵
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\Windows\system32\whoami.exe
          "C:\Windows\system32\whoami.exe" /groups
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3368
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\setSvc.cmd" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5064
          • C:\Windows\system32\find.exe
            find /i "S-1-5-18"
            4⤵
              PID:2608
            • C:\Windows\system32\whoami.exe
              whoami /user
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4592
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\setSvc.cmd"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Windows\system32\whoami.exe
          whoami /user
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1548
        • C:\Windows\system32\find.exe
          find /i "S-1-5-18"
          2⤵
            PID:2432
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" ( FOR %I in ("C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\RunAsTI.cmd" "C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\setSvc.cmd" "") do @ echo(%~I )"
            2⤵
              PID:1500
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              PowerShell -NoProfile -Command "$argv = $input | ?{$_}; iex (${C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\RunAsTI.cmd} | out-string)"
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1452
              • C:\Windows\system32\whoami.exe
                "C:\Windows\system32\whoami.exe" /user
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1476
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 -nop -c $cmd='C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\setSvc.cmd'; $arg=''; $id='RunAsTI'; $key='Registry::HKU\S-1-5-21-144354903-2550862337-1367551827-1000\Volatile Environment'; $env:R=(gi $key -ea 0).getvalue($id)-join''; iex $env:R
                3⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1224
                • C:\Windows\system32\whoami.exe
                  "C:\Windows\system32\whoami.exe" /groups
                  4⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4172
                • C:\Windows\system32\sc.exe
                  "C:\Windows\system32\sc.exe" start TrustedInstaller
                  4⤵
                  • Launches sc.exe
                  PID:4924
                • C:\Windows\system32\sc.exe
                  "C:\Windows\system32\sc.exe" start lsass
                  4⤵
                  • Launches sc.exe
                  PID:404

          Network

          MITRE ATT&CK Matrix

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            3KB

            MD5

            556084f2c6d459c116a69d6fedcc4105

            SHA1

            633e89b9a1e77942d822d14de6708430a3944dbc

            SHA256

            88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

            SHA512

            0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            eb4d127b8a6f84a1cee423c5e3e3a51d

            SHA1

            c55263a8ff097067f2393ce2120801a445fd1949

            SHA256

            d73b077e2ae7f7608ebf774fb83ab13c7bc7a5c3e4d9d96fda2bf695dc698514

            SHA512

            45a52004f8b63ac089de017437ba0e03335f18469942795d36ce3c3d017f842e582103c91e07d9af0fa8dfbbe6f2f68f2fac91383a48b6535952a8630911f21e

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            9c3a1483b2d9a9e31f71d9919057469c

            SHA1

            80dadf7a991d50c4781317aa8af75d0d9824cee6

            SHA256

            f3c85953c8b8b2baea05749bf784646266fa7f60b886247632fa304e21166ee2

            SHA512

            c28907190c17aa0ad8cd3202a464ef4018f4ba44aceb3dc0a2b3ec0ece3e13d19ca3aab67ec295226d80891fcca6af465a94c8c0fc68f36da7cae11bfa74fd87

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oistqcef.ubq.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • memory/1224-161-0x0000020520CE0000-0x0000020520CF0000-memory.dmp

            Filesize

            64KB

          • memory/1224-162-0x0000020520CE0000-0x0000020520CF0000-memory.dmp

            Filesize

            64KB

          • memory/1452-144-0x000002274C110000-0x000002274C120000-memory.dmp

            Filesize

            64KB

          • memory/1452-145-0x000002274C110000-0x000002274C120000-memory.dmp

            Filesize

            64KB

          • memory/1452-143-0x000002274C110000-0x000002274C120000-memory.dmp

            Filesize

            64KB

          • memory/1452-133-0x000002274E200000-0x000002274E222000-memory.dmp

            Filesize

            136KB

          • memory/1872-175-0x00000113A6080000-0x00000113A6090000-memory.dmp

            Filesize

            64KB

          • memory/1872-176-0x00000113A6080000-0x00000113A6090000-memory.dmp

            Filesize

            64KB

          • memory/1872-174-0x00000113A6080000-0x00000113A6090000-memory.dmp

            Filesize

            64KB