Resubmissions

25/04/2023, 20:18

230425-y3j7yscg23 10

Analysis

  • max time kernel
    485s
  • max time network
    490s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/04/2023, 20:18

General

  • Target

    Executables/CONVERTUSERS.cmd

  • Size

    1KB

  • MD5

    c3d6c5fcf9e5b2d38ffb8f9e4edda61e

  • SHA1

    275ce13f5ec6137acd09567fca3829b4a553d75f

  • SHA256

    dfe4cf6f461658171f5923b7740112aff1130c48189bbbeec1f5d53feb879815

  • SHA512

    9092053297a5b6527f9849381a91a4aec5ed460e9dc8e3fe96412bdc990fa1fe40cb2c3617b4a600482c6e2cc6c1b1da28285c041b90c469d8f597f2c90ed993

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executables\CONVERTUSERS.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4304
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c PowerShell -NoP -C "(Get-LocalUser | Where {$_.PrincipalSource -eq 'MicrosoftAccount'}).Name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -NoP -C "(Get-LocalUser | Where {$_.PrincipalSource -eq 'MicrosoftAccount'}).Name"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4948
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\IdentityStore\LogonCache\Name2Sid" | findstr /i /c:"Name2Sid"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Windows\system32\reg.exe
        reg query "HKLM\SOFTWARE\Microsoft\IdentityStore\LogonCache\Name2Sid"
        3⤵
          PID:2908
        • C:\Windows\system32\findstr.exe
          findstr /i /c:"Name2Sid"
          3⤵
            PID:3128
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\IdentityStore\LogonCache\Sid2Name" | findstr /i /c:"Sid2Name"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1996
          • C:\Windows\system32\reg.exe
            reg query "HKLM\SOFTWARE\Microsoft\IdentityStore\LogonCache\Sid2Name"
            3⤵
              PID:352
            • C:\Windows\system32\findstr.exe
              findstr /i /c:"Sid2Name"
              3⤵
                PID:4008

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zld0dqef.0a0.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • memory/4948-133-0x0000020C09440000-0x0000020C09462000-memory.dmp

            Filesize

            136KB

          • memory/4948-134-0x0000020C21770000-0x0000020C21780000-memory.dmp

            Filesize

            64KB

          • memory/4948-144-0x0000020C21770000-0x0000020C21780000-memory.dmp

            Filesize

            64KB

          • memory/4948-145-0x0000020C21700000-0x0000020C2171C000-memory.dmp

            Filesize

            112KB