965a58fe4566f227649c691d1c3d7c4e3f3f53af2b377d09a5837018a230c811

Analysis

max time kernel
91s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2023, 10:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Doklad o zaplatení.exe
Size

46KB
MD5

b22ed88cf2c78b66fb06030674ffaf0a
SHA1

c5d86779c52c029e7c84112e54ba894cc497fd64
SHA256

965a58fe4566f227649c691d1c3d7c4e3f3f53af2b377d09a5837018a230c811
SHA512

2bb0605d74b831f89a8d504adf924ccfdfbc49ce0c56d5da1db4e35b6239469e75ab19fae03cf9bee931e1e326e930e03958ad54e0ca02e229940484c054e8eb
SSDEEP

768:dlr/cjyviHDS5PmxxxxxixXFylUpK9jg+HLr6GbOsKpeQi9c/KYP3hrvA:dlr/jiHDu3F6Uk9jg+rr6GbOsKpeQiQi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2716	TypeId.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 2152	2716	TypeId.exe	94

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4764	powershell.exe
4764	powershell.exe
2716	TypeId.exe
2716	TypeId.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	Doklad o zaplatení.exe
Token: SeDebugPrivilege	2648	Doklad o zaplatení.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	2716	TypeId.exe
Token: SeDebugPrivilege	2716	TypeId.exe
Token: SeDebugPrivilege	2152	InstallUtil.exe
Token: SeDebugPrivilege	2152	InstallUtil.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2152	2716	TypeId.exe	94
PID 2716 wrote to memory of 2152	2716	TypeId.exe	94
PID 2716 wrote to memory of 2152	2716	TypeId.exe	94
PID 2716 wrote to memory of 2152	2716	TypeId.exe	94
PID 2716 wrote to memory of 2152	2716	TypeId.exe	94
PID 2716 wrote to memory of 2152	2716	TypeId.exe	94
PID 2716 wrote to memory of 2152	2716	TypeId.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Doklad o zaplatení.exe
"C:\Users\Admin\AppData\Local\Temp\Doklad o zaplatení.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Users\Admin\AppData\Local\Current\wntsytz\TypeId.exe
C:\Users\Admin\AppData\Local\Current\wntsytz\TypeId.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Current\wntsytz\TypeId.exe

Filesize
46KB

MD5
b22ed88cf2c78b66fb06030674ffaf0a

SHA1
c5d86779c52c029e7c84112e54ba894cc497fd64

SHA256
965a58fe4566f227649c691d1c3d7c4e3f3f53af2b377d09a5837018a230c811

SHA512
2bb0605d74b831f89a8d504adf924ccfdfbc49ce0c56d5da1db4e35b6239469e75ab19fae03cf9bee931e1e326e930e03958ad54e0ca02e229940484c054e8eb

Download Submit
C:\Users\Admin\AppData\Local\Current\wntsytz\TypeId.exe

Filesize
46KB

MD5
b22ed88cf2c78b66fb06030674ffaf0a

SHA1
c5d86779c52c029e7c84112e54ba894cc497fd64

SHA256
965a58fe4566f227649c691d1c3d7c4e3f3f53af2b377d09a5837018a230c811

SHA512
2bb0605d74b831f89a8d504adf924ccfdfbc49ce0c56d5da1db4e35b6239469e75ab19fae03cf9bee931e1e326e930e03958ad54e0ca02e229940484c054e8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rnfgfnc3.ip0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2152-4830-0x000002BFF00E0000-0x000002BFF00F0000-memory.dmp

Filesize
64KB

Download
memory/2152-4924-0x000002BFF00E0000-0x000002BFF00F0000-memory.dmp

Filesize
64KB

Download
memory/2152-7170-0x000002BFF00E0000-0x000002BFF00F0000-memory.dmp

Filesize
64KB

Download
memory/2152-7169-0x000002BFF00E0000-0x000002BFF00F0000-memory.dmp

Filesize
64KB

Download
memory/2152-7168-0x000002BFF00E0000-0x000002BFF00F0000-memory.dmp

Filesize
64KB

Download
memory/2152-7167-0x000002BFF00E0000-0x000002BFF00F0000-memory.dmp

Filesize
64KB

Download
memory/2152-7166-0x000002BFF00E0000-0x000002BFF00F0000-memory.dmp

Filesize
64KB

Download
memory/2152-7165-0x000002BFF00E0000-0x000002BFF00F0000-memory.dmp

Filesize
64KB

Download
memory/2152-7164-0x000002BFF00E0000-0x000002BFF00F0000-memory.dmp

Filesize
64KB

Download
memory/2152-7163-0x000002BFF00E0000-0x000002BFF00F0000-memory.dmp

Filesize
64KB

Download
memory/2152-6631-0x000002BFF00E0000-0x000002BFF00F0000-memory.dmp

Filesize
64KB

Download
memory/2152-4926-0x000002BFF00E0000-0x000002BFF00F0000-memory.dmp

Filesize
64KB

Download
memory/2152-4925-0x000002BFF00E0000-0x000002BFF00F0000-memory.dmp

Filesize
64KB

Download
memory/2648-186-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-204-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-155-0x000001F3CD560000-0x000001F3CD570000-memory.dmp

Filesize
64KB

Download
memory/2648-154-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-157-0x000001F3CD560000-0x000001F3CD570000-memory.dmp

Filesize
64KB

Download
memory/2648-160-0x000001F3CD560000-0x000001F3CD570000-memory.dmp

Filesize
64KB

Download
memory/2648-159-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-158-0x000001F3CD560000-0x000001F3CD570000-memory.dmp

Filesize
64KB

Download
memory/2648-162-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-164-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-166-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-168-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-170-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-172-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-174-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-176-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-178-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-180-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-182-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-184-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-151-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-188-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-190-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-192-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-194-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-196-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-198-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-200-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-202-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-153-0x000001F3CE970000-0x000001F3CEA29000-memory.dmp

Filesize
740KB

Download
memory/2648-2046-0x000001F3CD560000-0x000001F3CD570000-memory.dmp

Filesize
64KB

Download
memory/2648-2050-0x000001F3CD560000-0x000001F3CD570000-memory.dmp

Filesize
64KB

Download
memory/2648-2047-0x000001F3CD560000-0x000001F3CD570000-memory.dmp

Filesize
64KB

Download
memory/2648-2051-0x000001F3CD560000-0x000001F3CD570000-memory.dmp

Filesize
64KB

Download
memory/2648-2473-0x000001F3CD560000-0x000001F3CD570000-memory.dmp

Filesize
64KB

Download
memory/2648-2474-0x000001F3CD560000-0x000001F3CD570000-memory.dmp

Filesize
64KB

Download
memory/2648-133-0x000001F3B3060000-0x000001F3B3070000-memory.dmp

Filesize
64KB

Download
memory/2648-134-0x000001F3CE940000-0x000001F3CE962000-memory.dmp

Filesize
136KB

Download
memory/2648-135-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-136-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-138-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-140-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-142-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-144-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-150-0x000001F3CD510000-0x000001F3CD511000-memory.dmp

Filesize
4KB

Download
memory/2648-148-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2648-146-0x000001F3CEDA0000-0x000001F3CEE92000-memory.dmp

Filesize
968KB

Download
memory/2716-4825-0x0000022FB1640000-0x0000022FB1650000-memory.dmp

Filesize
64KB

Download
memory/2716-4824-0x0000022FB1640000-0x0000022FB1650000-memory.dmp

Filesize
64KB

Download
memory/2716-4823-0x0000022FB1640000-0x0000022FB1650000-memory.dmp

Filesize
64KB

Download
memory/2716-4132-0x0000022FB1640000-0x0000022FB1650000-memory.dmp

Filesize
64KB

Download
memory/2716-2661-0x0000022FB1640000-0x0000022FB1650000-memory.dmp

Filesize
64KB

Download
memory/2716-2659-0x0000022FB1640000-0x0000022FB1650000-memory.dmp

Filesize
64KB

Download
memory/2716-2657-0x0000022FB1640000-0x0000022FB1650000-memory.dmp

Filesize
64KB

Download
memory/2716-2490-0x0000022FB1640000-0x0000022FB1650000-memory.dmp

Filesize
64KB

Download
memory/2716-4826-0x0000022FB1640000-0x0000022FB1650000-memory.dmp

Filesize
64KB

Download
memory/2716-4827-0x0000022FB1640000-0x0000022FB1650000-memory.dmp

Filesize
64KB

Download