c57150dd70cf2780decee027a2dfac8e01a698f219ef3397d8706a100a1d854a

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/08/2023, 20:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fi30mtm7384bj.exe
Size

6.6MB
MD5

aec2444fff7f041129caeba95f5c0cd8
SHA1

541ec892c01311d4ecb5bd00e94fcb1292923c8f
SHA256

c57150dd70cf2780decee027a2dfac8e01a698f219ef3397d8706a100a1d854a
SHA512

9b0c02ac8420e5517669040a8260d27913b2197a4546b2b6910084a5318be5fad2d967a30526f22474fb30556cceaa7fed4ec7042ac3dff093f68ad11eb857a6
SSDEEP

98304:U5zTX4Pf1N2zIh3ET9Y9MxVMOPUh3PdWPEUrJY6AOxbHPS2zh/hQqfvsJ1YPwIu/:UVX4FMIZETKwjPePdrQJ/BNOqAYPL

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	4916	powershell.exe

Loads dropped DLL 4 IoCs

pid	Process
2756	fi30mtm7384bj.exe
2756	fi30mtm7384bj.exe
2756	fi30mtm7384bj.exe
2756	fi30mtm7384bj.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4916	powershell.exe
4916	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4916	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 2756	4832	fi30mtm7384bj.exe	80
PID 4832 wrote to memory of 2756	4832	fi30mtm7384bj.exe	80
PID 2756 wrote to memory of 4204	2756	fi30mtm7384bj.exe	81
PID 2756 wrote to memory of 4204	2756	fi30mtm7384bj.exe	81
PID 4204 wrote to memory of 4916	4204	cmd.exe	83
PID 4204 wrote to memory of 4916	4204	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\fi30mtm7384bj.exe
"C:\Users\Admin\AppData\Local\Temp\fi30mtm7384bj.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\fi30mtm7384bj.exe
  "C:\Users\Admin\AppData\Local\Temp\fi30mtm7384bj.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start /min powershell -ExecutionPolicy Bypass -noprofile C:\Users\Admin\AppData\Local\Temp/screenshot-util-assets/install-packages.ps1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -noprofile C:\Users\Admin\AppData\Local\Temp/screenshot-util-assets/install-packages.ps1
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI48322\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_bz2.pyd

Filesize
82KB

MD5
3859239ced9a45399b967ebce5a6ba23

SHA1
6f8ff3df90ac833c1eb69208db462cda8ca3f8d6

SHA256
a4dd883257a7ace84f96bcc6cd59e22d843d0db080606defae32923fc712c75a

SHA512
030e5ce81e36bd55f69d55cbb8385820eb7c1f95342c1a32058f49abeabb485b1c4a30877c07a56c9d909228e45a4196872e14ded4f87adaa8b6ad97463e5c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_bz2.pyd

Filesize
82KB

MD5
3859239ced9a45399b967ebce5a6ba23

SHA1
6f8ff3df90ac833c1eb69208db462cda8ca3f8d6

SHA256
a4dd883257a7ace84f96bcc6cd59e22d843d0db080606defae32923fc712c75a

SHA512
030e5ce81e36bd55f69d55cbb8385820eb7c1f95342c1a32058f49abeabb485b1c4a30877c07a56c9d909228e45a4196872e14ded4f87adaa8b6ad97463e5c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_lzma.pyd

Filesize
155KB

MD5
e5abc3a72996f8fde0bcf709e6577d9d

SHA1
15770bdcd06e171f0b868c803b8cf33a8581edd3

SHA256
1796038480754a680f33a4e37c8b5673cc86c49281a287dc0c5cae984d0cb4bb

SHA512
b347474dc071f2857e1e16965b43db6518e35915b8168bdeff1ead4dff710a1cc9f04ca0ced23a6de40d717eea375eedb0bf3714daf35de6a77f071db33dfae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_lzma.pyd

Filesize
155KB

MD5
e5abc3a72996f8fde0bcf709e6577d9d

SHA1
15770bdcd06e171f0b868c803b8cf33a8581edd3

SHA256
1796038480754a680f33a4e37c8b5673cc86c49281a287dc0c5cae984d0cb4bb

SHA512
b347474dc071f2857e1e16965b43db6518e35915b8168bdeff1ead4dff710a1cc9f04ca0ced23a6de40d717eea375eedb0bf3714daf35de6a77f071db33dfae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\base_library.zip

Filesize
1.8MB

MD5
e17ce7183e682de459eec1a5ac9cbbff

SHA1
722968ca6eb123730ebc30ff2d498f9a5dad4cc1

SHA256
ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d

SHA512
fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\python311.dll

Filesize
5.5MB

MD5
5a5dd7cad8028097842b0afef45bfbcf

SHA1
e247a2e460687c607253949c52ae2801ff35dc4a

SHA256
a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce

SHA512
e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\python311.dll

Filesize
5.5MB

MD5
5a5dd7cad8028097842b0afef45bfbcf

SHA1
e247a2e460687c607253949c52ae2801ff35dc4a

SHA256
a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce

SHA512
e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1e4ilfoz.jqg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenshot-util-assets\install-packages.ps1

Filesize
795B

MD5
048e0e11e9bf37d7b8b6cbf98e43c188

SHA1
d2f671c0f82d9fa1562ad552c93326aa0662c4b9

SHA256
070606ec6d3a47649ab2e746cd510791d70f020fc3906683fbc45a1bd0118231

SHA512
1a841bca54be035f2695fb59b811269910b0d17f7a563f5cc08240cdf63de7bb0269d872bdadffbab22868530130b6a2bd82f59d561d445746963a4c2a37dcd9

Download Submit
memory/4916-168-0x000002A674F60000-0x000002A674F82000-memory.dmp

Filesize
136KB

Download
memory/4916-178-0x00007FFAEECF0000-0x00007FFAEF7B1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-179-0x000002A675340000-0x000002A675350000-memory.dmp

Filesize
64KB

Download
memory/4916-180-0x000002A675340000-0x000002A675350000-memory.dmp

Filesize
64KB

Download
memory/4916-181-0x000002A675340000-0x000002A675350000-memory.dmp

Filesize
64KB

Download
memory/4916-183-0x00007FFAEECF0000-0x00007FFAEF7B1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-184-0x000002A675340000-0x000002A675350000-memory.dmp

Filesize
64KB

Download
memory/4916-185-0x000002A675340000-0x000002A675350000-memory.dmp

Filesize
64KB

Download
memory/4916-186-0x000002A675340000-0x000002A675350000-memory.dmp

Filesize
64KB

Download
memory/4916-189-0x00007FFAEECF0000-0x00007FFAEF7B1000-memory.dmp

Filesize
10.8MB

Download