a10aa58ee969e0ca15d7ff0f006969f00e4ae9c4c64d603ca156f8490840c687

Analysis

max time kernel
79s
max time network
175s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16-06-2023 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a10aa58ee969e0ca15d7ff0f006969f00e4ae9c4c64d603ca156f8490840c687.exe
Size

972KB
MD5

e522da096f0b0ba2d52ec91a8c26423f
SHA1

b85a566cde9f067fc9318bfcbc559ba9ede5bccc
SHA256

a10aa58ee969e0ca15d7ff0f006969f00e4ae9c4c64d603ca156f8490840c687
SHA512

14f89ee0fbe482f6d0f9dcaef990a7666126ce4a85ec8ddef5080fae82ac62ece6df9db86853f615aa5d946c8f30372d77120a34ac84d7d9b66837b052ad9ff5
SSDEEP

12288:mPbgRd5dB0hkNmLhM9gcCH8u20lyoY1UKQ5CH:mPbgRv0qNmdM9XC8bqvy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4864	R.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
440	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3536	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3972	powershell.exe
4012	powershell.exe
3972	powershell.exe
4012	powershell.exe
3972	powershell.exe
4012	powershell.exe
4140	powershell.exe
4392	powershell.exe
4140	powershell.exe
4392	powershell.exe
4392	powershell.exe
4140	powershell.exe
4864	R.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4216	a10aa58ee969e0ca15d7ff0f006969f00e4ae9c4c64d603ca156f8490840c687.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeIncreaseQuotaPrivilege	4012	powershell.exe
Token: SeSecurityPrivilege	4012	powershell.exe
Token: SeTakeOwnershipPrivilege	4012	powershell.exe
Token: SeLoadDriverPrivilege	4012	powershell.exe
Token: SeSystemProfilePrivilege	4012	powershell.exe
Token: SeSystemtimePrivilege	4012	powershell.exe
Token: SeProfSingleProcessPrivilege	4012	powershell.exe
Token: SeIncBasePriorityPrivilege	4012	powershell.exe
Token: SeCreatePagefilePrivilege	4012	powershell.exe
Token: SeBackupPrivilege	4012	powershell.exe
Token: SeRestorePrivilege	4012	powershell.exe
Token: SeShutdownPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeSystemEnvironmentPrivilege	4012	powershell.exe
Token: SeRemoteShutdownPrivilege	4012	powershell.exe
Token: SeUndockPrivilege	4012	powershell.exe
Token: SeManageVolumePrivilege	4012	powershell.exe
Token: 33	4012	powershell.exe
Token: 34	4012	powershell.exe
Token: 35	4012	powershell.exe
Token: 36	4012	powershell.exe
Token: SeIncreaseQuotaPrivilege	3972	powershell.exe
Token: SeSecurityPrivilege	3972	powershell.exe
Token: SeTakeOwnershipPrivilege	3972	powershell.exe
Token: SeLoadDriverPrivilege	3972	powershell.exe
Token: SeSystemProfilePrivilege	3972	powershell.exe
Token: SeSystemtimePrivilege	3972	powershell.exe
Token: SeProfSingleProcessPrivilege	3972	powershell.exe
Token: SeIncBasePriorityPrivilege	3972	powershell.exe
Token: SeCreatePagefilePrivilege	3972	powershell.exe
Token: SeBackupPrivilege	3972	powershell.exe
Token: SeRestorePrivilege	3972	powershell.exe
Token: SeShutdownPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeSystemEnvironmentPrivilege	3972	powershell.exe
Token: SeRemoteShutdownPrivilege	3972	powershell.exe
Token: SeUndockPrivilege	3972	powershell.exe
Token: SeManageVolumePrivilege	3972	powershell.exe
Token: 33	3972	powershell.exe
Token: 34	3972	powershell.exe
Token: 35	3972	powershell.exe
Token: 36	3972	powershell.exe
Token: SeDebugPrivilege	4864	R.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeIncreaseQuotaPrivilege	4140	powershell.exe
Token: SeSecurityPrivilege	4140	powershell.exe
Token: SeTakeOwnershipPrivilege	4140	powershell.exe
Token: SeLoadDriverPrivilege	4140	powershell.exe
Token: SeSystemProfilePrivilege	4140	powershell.exe
Token: SeSystemtimePrivilege	4140	powershell.exe
Token: SeProfSingleProcessPrivilege	4140	powershell.exe
Token: SeIncBasePriorityPrivilege	4140	powershell.exe
Token: SeCreatePagefilePrivilege	4140	powershell.exe
Token: SeBackupPrivilege	4140	powershell.exe
Token: SeRestorePrivilege	4140	powershell.exe
Token: SeShutdownPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeSystemEnvironmentPrivilege	4140	powershell.exe
Token: SeRemoteShutdownPrivilege	4140	powershell.exe
Token: SeUndockPrivilege	4140	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 3972	4216	a10aa58ee969e0ca15d7ff0f006969f00e4ae9c4c64d603ca156f8490840c687.exe	66
PID 4216 wrote to memory of 3972	4216	a10aa58ee969e0ca15d7ff0f006969f00e4ae9c4c64d603ca156f8490840c687.exe	66
PID 4216 wrote to memory of 4012	4216	a10aa58ee969e0ca15d7ff0f006969f00e4ae9c4c64d603ca156f8490840c687.exe	67
PID 4216 wrote to memory of 4012	4216	a10aa58ee969e0ca15d7ff0f006969f00e4ae9c4c64d603ca156f8490840c687.exe	67
PID 4216 wrote to memory of 2092	4216	a10aa58ee969e0ca15d7ff0f006969f00e4ae9c4c64d603ca156f8490840c687.exe	70
PID 4216 wrote to memory of 2092	4216	a10aa58ee969e0ca15d7ff0f006969f00e4ae9c4c64d603ca156f8490840c687.exe	70
PID 2092 wrote to memory of 3536	2092	cmd.exe	72
PID 2092 wrote to memory of 3536	2092	cmd.exe	72
PID 2092 wrote to memory of 4864	2092	cmd.exe	74
PID 2092 wrote to memory of 4864	2092	cmd.exe	74
PID 4864 wrote to memory of 4392	4864	R.exe	75
PID 4864 wrote to memory of 4392	4864	R.exe	75
PID 4864 wrote to memory of 4140	4864	R.exe	76
PID 4864 wrote to memory of 4140	4864	R.exe	76
PID 4864 wrote to memory of 2804	4864	R.exe	79
PID 4864 wrote to memory of 2804	4864	R.exe	79
PID 2804 wrote to memory of 440	2804	cmd.exe	81
PID 2804 wrote to memory of 440	2804	cmd.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a10aa58ee969e0ca15d7ff0f006969f00e4ae9c4c64d603ca156f8490840c687.exe
"C:\Users\Admin\AppData\Local\Temp\a10aa58ee969e0ca15d7ff0f006969f00e4ae9c4c64d603ca156f8490840c687.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp65F2.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3536
- - C:\ProgramData\SonyProduction\R.exe
    "C:\ProgramData\SonyProduction\R.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4140
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "R" /tr "C:\ProgramData\SonyProduction\R.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "R" /tr "C:\ProgramData\SonyProduction\R.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SonyProduction\R.exe

Filesize
972KB

MD5
e522da096f0b0ba2d52ec91a8c26423f

SHA1
b85a566cde9f067fc9318bfcbc559ba9ede5bccc

SHA256
a10aa58ee969e0ca15d7ff0f006969f00e4ae9c4c64d603ca156f8490840c687

SHA512
14f89ee0fbe482f6d0f9dcaef990a7666126ce4a85ec8ddef5080fae82ac62ece6df9db86853f615aa5d946c8f30372d77120a34ac84d7d9b66837b052ad9ff5

Download Submit
C:\ProgramData\SonyProduction\R.exe

Filesize
972KB

MD5
e522da096f0b0ba2d52ec91a8c26423f

SHA1
b85a566cde9f067fc9318bfcbc559ba9ede5bccc

SHA256
a10aa58ee969e0ca15d7ff0f006969f00e4ae9c4c64d603ca156f8490840c687

SHA512
14f89ee0fbe482f6d0f9dcaef990a7666126ce4a85ec8ddef5080fae82ac62ece6df9db86853f615aa5d946c8f30372d77120a34ac84d7d9b66837b052ad9ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca53e37cb37a0a05b447cb7f2e643053

SHA1
4e4ceaa34ba8d1921387ba9ad0c09ae0a2ba66bd

SHA256
1418c5b7af2154464f13ad8a64259d2281842716b45fce4379baa6c753f7d5cc

SHA512
a278345d507149532048865bb7c1cf07567523aa1a9f4b71f0e11622dc912f8d179819c2022dee063206b61b2dc11551e73f7f4c195a50af8b6a3d252027ad9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca53e37cb37a0a05b447cb7f2e643053

SHA1
4e4ceaa34ba8d1921387ba9ad0c09ae0a2ba66bd

SHA256
1418c5b7af2154464f13ad8a64259d2281842716b45fce4379baa6c753f7d5cc

SHA512
a278345d507149532048865bb7c1cf07567523aa1a9f4b71f0e11622dc912f8d179819c2022dee063206b61b2dc11551e73f7f4c195a50af8b6a3d252027ad9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a1819e61bbf42d18bca73f2f7eb825b0

SHA1
b5f557b8c254c48fe6ff11fafeff4ca5baa183f9

SHA256
5816c9ae8d67f0cb42d62cc89cf2519d458bfa964653f2e004049ef65d9ec379

SHA512
8add93e67aa4ef457775c699843a62fdb72b2e05a99ccaffc033db3c8e13e8a220ec4caf4a6bb8d1a999501579732f3e955369f1d5c23a41d88a22b63385221f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1rz0sn3.3jx.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp65F2.tmp.bat

Filesize
144B

MD5
6bd1fca21b3bbcc5a0ec8df79aa59113

SHA1
512014cbb3f58e752ec327bbe8476e3b026d29aa

SHA256
417f4543cca09ff4121e09fa4e003942859a60e2ef2ac5535640e42f5832a434

SHA512
eb87814c806487e48f11f0903e83b63716379fa9ca2a9cc7497449faa2eb46562ac44ffe72a7c659d93d50464f79f9df4309b52f8da96ccd6e81e959cdbe6406

Download Submit
memory/3972-131-0x000002BF9C390000-0x000002BF9C3B2000-memory.dmp

Filesize
136KB

Download
memory/3972-174-0x000002BFB49C0000-0x000002BFB49D0000-memory.dmp

Filesize
64KB

Download
memory/3972-180-0x000002BFB49C0000-0x000002BFB49D0000-memory.dmp

Filesize
64KB

Download
memory/3972-190-0x000002BFB49C0000-0x000002BFB49D0000-memory.dmp

Filesize
64KB

Download
memory/4012-177-0x000001C89DA20000-0x000001C89DA30000-memory.dmp

Filesize
64KB

Download
memory/4012-187-0x000001C89DA20000-0x000001C89DA30000-memory.dmp

Filesize
64KB

Download
memory/4012-184-0x000001C89DA20000-0x000001C89DA30000-memory.dmp

Filesize
64KB

Download
memory/4012-137-0x000001C89DBB0000-0x000001C89DC26000-memory.dmp

Filesize
472KB

Download
memory/4012-215-0x000001C89DA20000-0x000001C89DA30000-memory.dmp

Filesize
64KB

Download
memory/4140-236-0x00000296EB820000-0x00000296EB830000-memory.dmp

Filesize
64KB

Download
memory/4140-235-0x00000296EB820000-0x00000296EB830000-memory.dmp

Filesize
64KB

Download
memory/4140-298-0x00000296EB820000-0x00000296EB830000-memory.dmp

Filesize
64KB

Download
memory/4216-117-0x0000000000E60000-0x0000000000F58000-memory.dmp

Filesize
992KB

Download
memory/4392-296-0x000001E360650000-0x000001E360660000-memory.dmp

Filesize
64KB

Download
memory/4392-238-0x000001E360650000-0x000001E360660000-memory.dmp

Filesize
64KB

Download
memory/4392-237-0x000001E360650000-0x000001E360660000-memory.dmp

Filesize
64KB

Download
memory/4864-232-0x0000000000C00000-0x0000000000C10000-memory.dmp

Filesize
64KB

Download
memory/4864-321-0x0000000000C00000-0x0000000000C10000-memory.dmp

Filesize
64KB

Download