d261cc4cc40165817ae64ca19140e5c574f36d97c703165256e92e1df02becd0

Resubmissions

25/04/2023, 20:18

230425-y3j7yscg23 10

Analysis

max time kernel
509s
max time network
513s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Executables/AtlasModules/Scripts/Auto-Cleaner.cmd
Size

1KB
MD5

385004fc5f168224a63a6ffc89c0b8a2
SHA1

4d2f8af8bdd7c6212c129b4a73b463b4b2f7acb3
SHA256

e49d0ad09a63268f89ca78ff02a7453ad98e5e58a4a5bb8db6d64e3a3440a5f6
SHA512

d30e4449a3ff551a288300026a4a08912e30796a284c03155ff5f16f0756103de16d8eb8c101250963c7570f54cbc6e9bf3229d101a17da40b5d5d5df14d353e

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2756 created 672	2756	powershell.exe	7

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3948	sc.exe
2564	sc.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-18\SymbolicLinkValue = "\\Registry\\User\\.Default"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-18\SymbolicLinkValue = "\\Registry\\User\\S-1-5-21-1529757233-3489015626-3409890339-1000"	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4360	powershell.exe
4360	powershell.exe
2756	powershell.exe
2756	powershell.exe
2756	powershell.exe
2756	powershell.exe
4300	powershell.exe
4300	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	372	whoami.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	3604	whoami.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4276	whoami.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	1520	whoami.exe
Token: SeDebugPrivilege	1520	whoami.exe
Token: SeDebugPrivilege	1520	whoami.exe
Token: SeDebugPrivilege	1520	whoami.exe
Token: SeDebugPrivilege	1520	whoami.exe
Token: SeDebugPrivilege	1520	whoami.exe
Token: SeDebugPrivilege	1520	whoami.exe
Token: SeDebugPrivilege	1520	whoami.exe
Token: SeSecurityPrivilege	4300	powershell.exe
Token: SeTakeOwnershipPrivilege	4300	powershell.exe
Token: SeBackupPrivilege	4300	powershell.exe
Token: SeRestorePrivilege	4300	powershell.exe
Token: SeDebugPrivilege	3516	whoami.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 372	1452	cmd.exe	84
PID 1452 wrote to memory of 372	1452	cmd.exe	84
PID 1452 wrote to memory of 1276	1452	cmd.exe	85
PID 1452 wrote to memory of 1276	1452	cmd.exe	85
PID 1452 wrote to memory of 4056	1452	cmd.exe	86
PID 1452 wrote to memory of 4056	1452	cmd.exe	86
PID 1452 wrote to memory of 4360	1452	cmd.exe	87
PID 1452 wrote to memory of 4360	1452	cmd.exe	87
PID 4360 wrote to memory of 3604	4360	powershell.exe	88
PID 4360 wrote to memory of 3604	4360	powershell.exe	88
PID 4360 wrote to memory of 2756	4360	powershell.exe	89
PID 4360 wrote to memory of 2756	4360	powershell.exe	89
PID 2756 wrote to memory of 4276	2756	powershell.exe	91
PID 2756 wrote to memory of 4276	2756	powershell.exe	91
PID 2756 wrote to memory of 3948	2756	powershell.exe	92
PID 2756 wrote to memory of 3948	2756	powershell.exe	92
PID 2756 wrote to memory of 2564	2756	powershell.exe	93
PID 2756 wrote to memory of 2564	2756	powershell.exe	93
PID 2756 wrote to memory of 4300	2756	powershell.exe	94
PID 2756 wrote to memory of 4300	2756	powershell.exe	94
PID 4300 wrote to memory of 1520	4300	powershell.exe	96
PID 4300 wrote to memory of 1520	4300	powershell.exe	96
PID 4300 wrote to memory of 4664	4300	powershell.exe	98
PID 4300 wrote to memory of 4664	4300	powershell.exe	98
PID 4664 wrote to memory of 3516	4664	cmd.exe	100
PID 4664 wrote to memory of 3516	4664	cmd.exe	100
PID 4664 wrote to memory of 3956	4664	cmd.exe	99
PID 4664 wrote to memory of 3956	4664	cmd.exe	99

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -win 1 -nop -c iex $env:R; # RunAsTI
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\Auto-Cleaner.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\system32\find.exe
      find /i "S-1-5-18"
      4⤵
      PID:3956
  - - C:\Windows\system32\whoami.exe
      whoami /user
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\Auto-Cleaner.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\system32\whoami.exe
  whoami /user
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:372
- C:\Windows\system32\find.exe
  find /i "S-1-5-18"
  2⤵
  PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" ( FOR %I in ("C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\RunAsTI.cmd" "C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\Auto-Cleaner.cmd" "") do @ echo(%~I )"
  2⤵
  PID:4056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoProfile -Command "$argv = $input | ?{$_}; iex (${C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\RunAsTI.cmd} | out-string)"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /user
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 -nop -c $cmd='C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\Auto-Cleaner.cmd'; $arg=''; $id='RunAsTI'; $key='Registry::HKU\S-1-5-21-1529757233-3489015626-3409890339-1000\Volatile Environment'; $env:R=(gi $key -ea 0).getvalue($id)-join''; iex $env:R
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\system32\whoami.exe
      "C:\Windows\system32\whoami.exe" /groups
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4276
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start TrustedInstaller
      4⤵
      Launches sc.exe
      PID:3948
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start lsass
      4⤵
      Launches sc.exe
      PID:2564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a9b53645ac136a73f0af2f791f716efd

SHA1
9917c3c61b029440dacd1b93a80700ce4afdfae8

SHA256
e9945e3f08483ef253189f405ad6ed0360649884e7ff534bbb233ba93fdd71d6

SHA512
a10d2e89faf9f76242edf38c88af522c7739402e158b7202566442bcbe78c84e7ff1c375a90c75bc396046e90a8a57dc24817a1a5ae524da148c1eef034962b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5bc80686e64f8f734bccb28006482dd4

SHA1
019fe11e3297db51c11b683ff182a384acee44d4

SHA256
1da07144b4a4e1d623be86f696b804513e556565ce3782cff6a1006a16d0b5b3

SHA512
373164463d3ebbc18113084c9a9bf05f9013dc713ebf404994264a1ad7351f2a8505ba59b137be85bc1ef1706d3398c9110ada3e81451b228defb3d59e664dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ujzmfznw.syu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2756-160-0x000002E952130000-0x000002E952140000-memory.dmp

Filesize
64KB

Download
memory/2756-161-0x000002E952130000-0x000002E952140000-memory.dmp

Filesize
64KB

Download
memory/2756-162-0x000002E952130000-0x000002E952140000-memory.dmp

Filesize
64KB

Download
memory/4300-174-0x0000022F70E80000-0x0000022F70E90000-memory.dmp

Filesize
64KB

Download
memory/4300-175-0x0000022F70E80000-0x0000022F70E90000-memory.dmp

Filesize
64KB

Download
memory/4300-176-0x0000022F70E80000-0x0000022F70E90000-memory.dmp

Filesize
64KB

Download
memory/4360-133-0x000001A5E6F20000-0x000001A5E6F30000-memory.dmp

Filesize
64KB

Download
memory/4360-140-0x000001A5E6E80000-0x000001A5E6EA2000-memory.dmp

Filesize
136KB

Download
memory/4360-134-0x000001A5E6F20000-0x000001A5E6F30000-memory.dmp

Filesize
64KB

Download