Overview

overview

8

Static

static

1

nwgrysgezozz.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    13s
  • max time network
    20s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2023 12:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nwgrysgezozz.exe

  • Size

    2.9MB

  • MD5

    da006e31cf288c73897b2d52a35b8b02

  • SHA1

    c697bd277da5932ba9908a4a1e4ca35ad3536a36

  • SHA256

    d6e7ccaafc7a6641ce67c75483994806c20cd2a8d5235c0e74dbad4ef10ddc53

  • SHA512

    7199ecafd4fe613e5683b81af1184a7d24b30a8e00ff5c27ff8f0c7df18737696f97164fd6055b48d3277e3633fa902059493d5ff951431af7fda4c31214c117

  • SSDEEP

    49152:9Bx880gTdAU7cHRlQENldU5cBSi6nWMCL6ZF8c:9B68z3YnQENHU5cBT0mLSOc

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nwgrysgezozz.exe
    "C:\Users\Admin\AppData\Local\Temp\nwgrysgezozz.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:748
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4840
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      2⤵
      • Launches sc.exe
      PID:4720
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "OZQXWECQ"
      2⤵
      • Launches sc.exe
      PID:1680
  • C:\ProgramData\swvrjwkgtlrp\nwgrysgezozz.exe
    C:\ProgramData\swvrjwkgtlrp\nwgrysgezozz.exe
    1⤵
      PID:3552

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zakjfdxx.41a.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/432-61-0x00007FFB9BE10000-0x00007FFB9BE20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/432-59-0x00000235E23B0000-0x00000235E23DB000-memory.dmp

      Filesize

      172KB

      Download

    • memory/440-56-0x0000021A032A0000-0x0000021A032CB000-memory.dmp

      Filesize

      172KB

      Download

    • memory/440-49-0x0000021A032A0000-0x0000021A032CB000-memory.dmp

      Filesize

      172KB

      Download

    • memory/440-50-0x00007FFB9BE10000-0x00007FFB9BE20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/608-30-0x0000017569BA0000-0x0000017569BC4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/608-93-0x0000017569BD0000-0x0000017569BFB000-memory.dmp

      Filesize

      172KB

      Download

    • memory/608-36-0x00007FFBDBE2D000-0x00007FFBDBE2E000-memory.dmp

      Filesize

      4KB

      Download

    • memory/668-37-0x00007FFB9BE10000-0x00007FFB9BE20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/944-46-0x0000015A225D0000-0x0000015A225FB000-memory.dmp

      Filesize

      172KB

      Download

    • memory/944-41-0x0000015A225D0000-0x0000015A225FB000-memory.dmp

      Filesize

      172KB

      Download

    • memory/944-51-0x00007FFBDBE2C000-0x00007FFBDBE2D000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1020-42-0x000002AE66700000-0x000002AE6672B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1020-48-0x000002AE66700000-0x000002AE6672B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1036-67-0x000001848DDD0000-0x000001848DDFB000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1044-70-0x0000012141E90000-0x0000012141EBB000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1116-78-0x00007FFB9BE10000-0x00007FFB9BE20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1164-91-0x00007FFBDBE2F000-0x00007FFBDBE30000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1164-86-0x00007FFB9BE10000-0x00007FFB9BE20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1248-116-0x000001DD37560000-0x000001DD3758B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1256-100-0x00007FFB9BE10000-0x00007FFB9BE20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1256-95-0x000001E875EE0000-0x000001E875F0B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1264-108-0x00007FFB9BE10000-0x00007FFB9BE20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1432-109-0x00007FFB9BE10000-0x00007FFB9BE20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1432-111-0x0000021DB2090000-0x0000021DB20BB000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3592-126-0x00007FFBBD7F0000-0x00007FFBBE2B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3592-137-0x000001833B980000-0x000001833B990000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3592-132-0x000001833B980000-0x000001833B990000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3592-55-0x000001833B980000-0x000001833B990000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3592-54-0x000001833B980000-0x000001833B990000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3592-53-0x00007FFBBD7F0000-0x00007FFBBE2B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4744-22-0x00007FFBDBD90000-0x00007FFBDBF85000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4744-18-0x0000000140000000-0x000000014002B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/4744-23-0x00007FFBDB630000-0x00007FFBDB6EE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/4744-17-0x0000000140000000-0x000000014002B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/4840-12-0x0000018F783F0000-0x0000018F78400000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4840-10-0x00007FFBBD920000-0x00007FFBBE3E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4840-0-0x0000018F5FF10000-0x0000018F5FF32000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4840-11-0x0000018F783F0000-0x0000018F78400000-memory.dmp

      Filesize

      64KB

      Download