105137f7201a737456f865513fbf14e64ac16facad90b4cb6c314ac765ea302f

Analysis

max time kernel
161s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ab925e1b611041799e0eb3e123ff2c6.exe
Size

3.8MB
MD5

2ab925e1b611041799e0eb3e123ff2c6
SHA1

24828bee2c9f911a62dd07d085059436fcda7866
SHA256

105137f7201a737456f865513fbf14e64ac16facad90b4cb6c314ac765ea302f
SHA512

573e951cc2bb591c8529a70ba84a9e2c535c4d8e31b04bc31e7d81795e2ad404241b910344127535f616c5415c271a8166cbfc455df2a4e018110f568ef052b8
SSDEEP

98304:pqFbd9jWsKXaLj33cbC7p68b0GDaCoPTEt0NcQGojg:wFbd9jWPAjMbIbVDMTEtOclB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2380	2ab925e1b611041799e0eb3e123ff2c6.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
3704	tasklist.exe
4964	tasklist.exe
1972	tasklist.exe
5048	tasklist.exe
4688	tasklist.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	97	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	98	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	95	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1420	powershell.exe
1420	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	3704	tasklist.exe
Token: SeDebugPrivilege	4964	tasklist.exe
Token: SeDebugPrivilege	1972	tasklist.exe
Token: SeDebugPrivilege	5048	tasklist.exe
Token: SeDebugPrivilege	4688	tasklist.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2380	2196	2ab925e1b611041799e0eb3e123ff2c6.exe	91
PID 2196 wrote to memory of 2380	2196	2ab925e1b611041799e0eb3e123ff2c6.exe	91
PID 2196 wrote to memory of 2380	2196	2ab925e1b611041799e0eb3e123ff2c6.exe	91
PID 2380 wrote to memory of 1248	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	94
PID 2380 wrote to memory of 1248	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	94
PID 2380 wrote to memory of 1248	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	94
PID 1248 wrote to memory of 1420	1248	cmd.exe	96
PID 1248 wrote to memory of 1420	1248	cmd.exe	96
PID 1248 wrote to memory of 1420	1248	cmd.exe	96
PID 2380 wrote to memory of 3516	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	111
PID 2380 wrote to memory of 3516	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	111
PID 2380 wrote to memory of 3516	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	111
PID 3516 wrote to memory of 4484	3516	cmd.exe	113
PID 3516 wrote to memory of 4484	3516	cmd.exe	113
PID 3516 wrote to memory of 4484	3516	cmd.exe	113
PID 4484 wrote to memory of 3704	4484	cmd.exe	114
PID 4484 wrote to memory of 3704	4484	cmd.exe	114
PID 4484 wrote to memory of 3704	4484	cmd.exe	114
PID 2380 wrote to memory of 4156	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	115
PID 2380 wrote to memory of 4156	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	115
PID 2380 wrote to memory of 4156	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	115
PID 4156 wrote to memory of 4440	4156	cmd.exe	117
PID 4156 wrote to memory of 4440	4156	cmd.exe	117
PID 4156 wrote to memory of 4440	4156	cmd.exe	117
PID 4440 wrote to memory of 4964	4440	cmd.exe	118
PID 4440 wrote to memory of 4964	4440	cmd.exe	118
PID 4440 wrote to memory of 4964	4440	cmd.exe	118
PID 2380 wrote to memory of 4556	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	119
PID 2380 wrote to memory of 4556	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	119
PID 2380 wrote to memory of 4556	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	119
PID 4556 wrote to memory of 2356	4556	cmd.exe	121
PID 4556 wrote to memory of 2356	4556	cmd.exe	121
PID 4556 wrote to memory of 2356	4556	cmd.exe	121
PID 2356 wrote to memory of 1972	2356	cmd.exe	122
PID 2356 wrote to memory of 1972	2356	cmd.exe	122
PID 2356 wrote to memory of 1972	2356	cmd.exe	122
PID 2380 wrote to memory of 4804	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	123
PID 2380 wrote to memory of 4804	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	123
PID 2380 wrote to memory of 4804	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	123
PID 4804 wrote to memory of 3120	4804	cmd.exe	125
PID 4804 wrote to memory of 3120	4804	cmd.exe	125
PID 4804 wrote to memory of 3120	4804	cmd.exe	125
PID 3120 wrote to memory of 5048	3120	cmd.exe	126
PID 3120 wrote to memory of 5048	3120	cmd.exe	126
PID 3120 wrote to memory of 5048	3120	cmd.exe	126
PID 2380 wrote to memory of 4528	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	128
PID 2380 wrote to memory of 4528	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	128
PID 2380 wrote to memory of 4528	2380	2ab925e1b611041799e0eb3e123ff2c6.tmp	128
PID 4528 wrote to memory of 2536	4528	cmd.exe	129
PID 4528 wrote to memory of 2536	4528	cmd.exe	129
PID 4528 wrote to memory of 2536	4528	cmd.exe	129
PID 2536 wrote to memory of 4688	2536	cmd.exe	130
PID 2536 wrote to memory of 4688	2536	cmd.exe	130
PID 2536 wrote to memory of 4688	2536	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\2ab925e1b611041799e0eb3e123ff2c6.exe
"C:\Users\Admin\AppData\Local\Temp\2ab925e1b611041799e0eb3e123ff2c6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\is-NL80R.tmp\2ab925e1b611041799e0eb3e123ff2c6.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NL80R.tmp\2ab925e1b611041799e0eb3e123ff2c6.tmp" /SL5="$601EA,3271290,56832,C:\Users\Admin\AppData\Local\Temp\2ab925e1b611041799e0eb3e123ff2c6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-M6I28.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3120
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p1ul1xxb.wbh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M6I28.tmp\CheckProc.cmd

Filesize
128B

MD5
dae8768bbb8a4fddc4dca8eae7c4d65f

SHA1
385ffb932fcff489392536d62e291ed9e0beea98

SHA256
ca1bf4fe8a59a31f06a4f2d975671fbb2eeca33d40b0c35318f2131a118754cf

SHA512
492feada84b7064547bd6d22ed13cf6949156eb3daa9af5aa9c3da44dd6ac7e540904c494de14a7858d498944ab51c7525caac3c9aa933d1e55ca35442c075b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M6I28.tmp\CheckProc.cmd

Filesize
128B

MD5
6a745081c62a706c014a876f45b5a56b

SHA1
25f17fcc50dd202d2381c00970e2dc04c2ad9707

SHA256
e9f9690b327cf24e6c260f93232dd4b961d82a709c16589ba72aabcdba0c039c

SHA512
a420efa894ef6fedad4fafd5e15042f947ff96a169031b7299afeba797bcaefa675508f72f57bfa8452a35d61314a544e26bc535ddb61a0cdfdca03c07ae372f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M6I28.tmp\CheckProc.cmd

Filesize
118B

MD5
f0315949ccc3d22d958503f5735cfbcc

SHA1
883bf4e366046eb1ef6e2d81fd74fe75ae73b2c0

SHA256
201c4e665ce446e067cb152d1c3834e416f6a09a9e6d7c45c20f1bc1cc74534d

SHA512
aa1faa44ba8f47052bf236d5135dc70f1293028663f4abbc7cc043277428217b047b25d6e6691c1685db52bd2065f0d5c4306d9db590696773c3becf2481a251

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M6I28.tmp\CheckProc.cmd

Filesize
126B

MD5
110d64c0e450ff59542f81690a2d53b7

SHA1
7f2e989deb095a0530792989e5fa9d7279d5f3e7

SHA256
735ca381b6d3cbb675e698aa92222566d5174c0fbdf7807605f105c512c9fa1e

SHA512
00b86a1fd4db9e8861d3973a395c34b41a5a277901552b66ac671ced492638174f256785f563bfad263bc93315544bce87c91d26bd48a39fbab7daccceae0d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M6I28.tmp\CheckProc.cmd

Filesize
126B

MD5
8fec1ab28e8ee7394915990458fb85dc

SHA1
c70e183a783a9621cd64584de99f8163deb40872

SHA256
b96251154ddbfd11d36e74eae84537229912a54dcb86f1277deab084322ce4dd

SHA512
c33223c094764b9704ced1ab6256aa227873c2be81acce328d12113504e55716563ad561641b726dcd2939c6237b4a4dad522512a4f59e3f805f91ffaf3a3be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M6I28.tmp\av.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M6I28.tmp\ex.bat

Filesize
786B

MD5
de1d518019c723049726577333a9bf30

SHA1
097b2c40add6c1b18bb88984a25cf106fd2eb42b

SHA256
54deadc32e0667cd931fc4de2c6eb4795375145f0b651bfc33323156a5a37191

SHA512
104e3f2454dbf7b6cb1ecb8dfac1cc9598d110c8d7cfa24c4661019373ae5d80f08848572899debb1b9bfae645685275a88b9eae99b36f9a46678148ebdc6c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NL80R.tmp\2ab925e1b611041799e0eb3e123ff2c6.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
memory/1420-21-0x0000000002A40000-0x0000000002A76000-memory.dmp

Filesize
216KB

Download
memory/1420-56-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1420-17-0x0000000073B00000-0x00000000742B0000-memory.dmp

Filesize
7.7MB

Download
memory/1420-27-0x0000000073B00000-0x00000000742B0000-memory.dmp

Filesize
7.7MB

Download
memory/1420-29-0x0000000004DB0000-0x0000000004DD2000-memory.dmp

Filesize
136KB

Download
memory/1420-31-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1420-32-0x00000000050E0000-0x0000000005146000-memory.dmp

Filesize
408KB

Download
memory/1420-33-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1420-34-0x0000000005150000-0x00000000051B6000-memory.dmp

Filesize
408KB

Download
memory/1420-20-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1420-42-0x0000000005AE0000-0x0000000005E34000-memory.dmp

Filesize
3.3MB

Download
memory/1420-51-0x0000000006050000-0x000000000606E000-memory.dmp

Filesize
120KB

Download
memory/1420-52-0x0000000006120000-0x000000000616C000-memory.dmp

Filesize
304KB

Download
memory/1420-22-0x0000000005330000-0x0000000005958000-memory.dmp

Filesize
6.2MB

Download
memory/1420-57-0x00000000071A0000-0x0000000007236000-memory.dmp

Filesize
600KB

Download
memory/1420-59-0x00000000066A0000-0x00000000066BA000-memory.dmp

Filesize
104KB

Download
memory/1420-60-0x0000000006610000-0x0000000006632000-memory.dmp

Filesize
136KB

Download
memory/1420-61-0x00000000077F0000-0x0000000007D94000-memory.dmp

Filesize
5.6MB

Download
memory/1420-66-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1420-69-0x0000000008420000-0x0000000008A9A000-memory.dmp

Filesize
6.5MB

Download
memory/1420-73-0x0000000073B00000-0x00000000742B0000-memory.dmp

Filesize
7.7MB

Download
memory/2196-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2196-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2196-4-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2380-24-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2380-79-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2380-15-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2380-8-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download