c37430f6f2249e0faff20595f0677955cd2c1f727f94bff53f21ecc894e340f6

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2023 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

explorer.exe
Size

133KB
MD5

247976d7e405bfd0f716a3d5f2cd499b
SHA1

dbcf03a94b3cced51ebe42af6f860e8d898f2459
SHA256

c37430f6f2249e0faff20595f0677955cd2c1f727f94bff53f21ecc894e340f6
SHA512

664b189c6b99b8927bb6fdb52c2c3f0031e88edc1dac80c8f6da5682ac30f17f295bed739df56e4bb754dca773c9eeb4e4b56fc3c36ccda0ab182ad54dd7edad
SSDEEP

3072:DjC4DKvke46oEabPu97HZO4Aue/sobH0hLNM:3C4DKvh4PbPETZ4uLoUT

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

version.exe

pid process

4944 version.exe

pid	process
4944	version.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe"	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2376 taskkill.exe

pid	process
2376	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exe

pid	process
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

explorer.exepowershell.exepowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1576	explorer.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2376	taskkill.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exe

pid process

1576 explorer.exe
1576 explorer.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

explorer.exeversion.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1576 wrote to memory of 3156	1576	explorer.exe	cmstp.exe
PID 1576 wrote to memory of 3156	1576	explorer.exe	cmstp.exe
PID 4944 wrote to memory of 1408	4944	version.exe	cmd.exe
PID 4944 wrote to memory of 1408	4944	version.exe	cmd.exe
PID 4944 wrote to memory of 2724	4944	version.exe	cmd.exe
PID 4944 wrote to memory of 2724	4944	version.exe	cmd.exe
PID 4944 wrote to memory of 1532	4944	version.exe	cmd.exe
PID 4944 wrote to memory of 1532	4944	version.exe	cmd.exe
PID 4944 wrote to memory of 3536	4944	version.exe	cmd.exe
PID 4944 wrote to memory of 3536	4944	version.exe	cmd.exe
PID 4944 wrote to memory of 3768	4944	version.exe	cmd.exe
PID 4944 wrote to memory of 3768	4944	version.exe	cmd.exe
PID 1408 wrote to memory of 3512	1408	cmd.exe	powershell.exe
PID 1408 wrote to memory of 3512	1408	cmd.exe	powershell.exe
PID 3768 wrote to memory of 1908	3768	cmd.exe	powershell.exe
PID 3768 wrote to memory of 1908	3768	cmd.exe	powershell.exe
PID 2724 wrote to memory of 3700	2724	cmd.exe	powershell.exe
PID 2724 wrote to memory of 3700	2724	cmd.exe	powershell.exe
PID 1532 wrote to memory of 4612	1532	cmd.exe	powershell.exe
PID 1532 wrote to memory of 4612	1532	cmd.exe	powershell.exe
PID 3536 wrote to memory of 5116	3536	cmd.exe	powershell.exe
PID 3536 wrote to memory of 5116	3536	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576

\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\wxwsy1ej.inf
2⤵
PID:3156

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gisfobfm.m3u.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxwsy1ej.inf
Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
Filesize
10KB

MD5
8ca62e1f3f7edca67a5273d76fb500c0

SHA1
f2a3e8ff64bca7a4fb8d59e9b5057e2b881d80f3

SHA256
86c884bbd715562ca5f97743e2f9efa0041eef10c6856e21ee7b6c5c87c9f738

SHA512
936d2968a8e8106f734cb6f2a39c15bafa9cae177a3e52a59ef5832b541f7381da722316d77a4cbe2e07124d14986a29d1babb847c87c861d8b355fa8979e4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
Filesize
10KB

MD5
8ca62e1f3f7edca67a5273d76fb500c0

SHA1
f2a3e8ff64bca7a4fb8d59e9b5057e2b881d80f3

SHA256
86c884bbd715562ca5f97743e2f9efa0041eef10c6856e21ee7b6c5c87c9f738

SHA512
936d2968a8e8106f734cb6f2a39c15bafa9cae177a3e52a59ef5832b541f7381da722316d77a4cbe2e07124d14986a29d1babb847c87c861d8b355fa8979e4f6

Download Submit
memory/1576-232-0x000000001B740000-0x000000001B750000-memory.dmp

Filesize
64KB

Download
memory/1576-233-0x000000001B740000-0x000000001B750000-memory.dmp

Filesize
64KB

Download
memory/1576-133-0x00000000007C0000-0x00000000007E6000-memory.dmp

Filesize
152KB

Download
memory/1576-211-0x00007FFDBFEF0000-0x00007FFDC09B1000-memory.dmp

Filesize
10.8MB

Download
memory/1576-138-0x000000001B740000-0x000000001B750000-memory.dmp

Filesize
64KB

Download
memory/1576-136-0x00007FFDBFEF0000-0x00007FFDC09B1000-memory.dmp

Filesize
10.8MB

Download
memory/1908-150-0x0000018EE0030000-0x0000018EE0040000-memory.dmp

Filesize
64KB

Download
memory/1908-209-0x0000018EE0030000-0x0000018EE0040000-memory.dmp

Filesize
64KB

Download
memory/1908-230-0x00007FFDBFEF0000-0x00007FFDC09B1000-memory.dmp

Filesize
10.8MB

Download
memory/1908-147-0x00007FFDBFEF0000-0x00007FFDC09B1000-memory.dmp

Filesize
10.8MB

Download
memory/1908-148-0x0000018EE0030000-0x0000018EE0040000-memory.dmp

Filesize
64KB

Download
memory/1908-213-0x0000018EE0030000-0x0000018EE0040000-memory.dmp

Filesize
64KB

Download
memory/3512-202-0x00007FFDBFEF0000-0x00007FFDC09B1000-memory.dmp

Filesize
10.8MB

Download
memory/3512-231-0x00007FFDBFEF0000-0x00007FFDC09B1000-memory.dmp

Filesize
10.8MB

Download
memory/3700-215-0x0000020B9E7E0000-0x0000020B9E7F0000-memory.dmp

Filesize
64KB

Download
memory/3700-190-0x0000020B9E7E0000-0x0000020B9E7F0000-memory.dmp

Filesize
64KB

Download
memory/3700-227-0x00007FFDBFEF0000-0x00007FFDC09B1000-memory.dmp

Filesize
10.8MB

Download
memory/3700-210-0x0000020B9E7E0000-0x0000020B9E7F0000-memory.dmp

Filesize
64KB

Download
memory/3700-191-0x0000020B9E7E0000-0x0000020B9E7F0000-memory.dmp

Filesize
64KB

Download
memory/3700-189-0x00007FFDBFEF0000-0x00007FFDC09B1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-160-0x000001ACBDC00000-0x000001ACBDC22000-memory.dmp

Filesize
136KB

Download
memory/4612-192-0x00007FFDBFEF0000-0x00007FFDC09B1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-207-0x000001ACBDC50000-0x000001ACBDC60000-memory.dmp

Filesize
64KB

Download
memory/4612-214-0x000001ACBDC50000-0x000001ACBDC60000-memory.dmp

Filesize
64KB

Download
memory/4612-162-0x000001ACBDC50000-0x000001ACBDC60000-memory.dmp

Filesize
64KB

Download
memory/4612-225-0x00007FFDBFEF0000-0x00007FFDC09B1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-156-0x000001ACBDC50000-0x000001ACBDC60000-memory.dmp

Filesize
64KB

Download
memory/4944-144-0x00007FFDBFEF0000-0x00007FFDC09B1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-146-0x00007FFDBFEF0000-0x00007FFDC09B1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-143-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/5116-208-0x000001FD25060000-0x000001FD25070000-memory.dmp

Filesize
64KB

Download
memory/5116-226-0x00007FFDBFEF0000-0x00007FFDC09B1000-memory.dmp

Filesize
10.8MB

Download
memory/5116-173-0x000001FD25060000-0x000001FD25070000-memory.dmp

Filesize
64KB

Download
memory/5116-169-0x000001FD25060000-0x000001FD25070000-memory.dmp

Filesize
64KB

Download
memory/5116-212-0x000001FD25060000-0x000001FD25070000-memory.dmp

Filesize
64KB

Download
memory/5116-161-0x00007FFDBFEF0000-0x00007FFDC09B1000-memory.dmp

Filesize
10.8MB

Download