0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe
Size

668KB
MD5

d8292150c8ce862a97a923318df07805
SHA1

917f917ff9fe33e199388e5e1d4c0696882d2991
SHA256

0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9
SHA512

3f23dd72d066d3f09a49c5dcf062471cfd412cf65934c25887774c1060d2efa8cb277df5ffb89272c5cb1aab6498e3e82b9d6ec9725b5b7263de60cc9198d475
SSDEEP

6144:h0eD/NMpAte8M0Ic61arFbMAIhTRlDDHbndz+vTEEIeh+b6YzICrz/KiiUy5q7:C1B8g1arhMAURdndzQTEEI7b6Yz3m5W

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2444	PowerShell.exe
2444	Process not Found
3244	PowerShell.exe
3244	PowerShell.exe
3244	PowerShell.exe
4940	PowerShell.exe
4940	PowerShell.exe
4940	PowerShell.exe
952	PowerShell.exe
952	PowerShell.exe
952	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	2444	Process not Found
Token: SeSecurityPrivilege	2444	Process not Found
Token: SeTakeOwnershipPrivilege	2444	Process not Found
Token: SeLoadDriverPrivilege	2444	Process not Found
Token: SeSystemProfilePrivilege	2444	Process not Found
Token: SeSystemtimePrivilege	2444	Process not Found
Token: SeProfSingleProcessPrivilege	2444	Process not Found
Token: SeIncBasePriorityPrivilege	2444	Process not Found
Token: SeCreatePagefilePrivilege	2444	Process not Found
Token: SeBackupPrivilege	2444	Process not Found
Token: SeRestorePrivilege	2444	Process not Found
Token: SeShutdownPrivilege	2444	Process not Found
Token: SeDebugPrivilege	2444	Process not Found
Token: SeSystemEnvironmentPrivilege	2444	Process not Found
Token: SeRemoteShutdownPrivilege	2444	Process not Found
Token: SeUndockPrivilege	2444	Process not Found
Token: SeManageVolumePrivilege	2444	Process not Found
Token: 33	2444	Process not Found
Token: 34	2444	Process not Found
Token: 35	2444	Process not Found
Token: 36	2444	Process not Found
Token: SeDebugPrivilege	3244	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	3244	PowerShell.exe
Token: SeSecurityPrivilege	3244	PowerShell.exe
Token: SeTakeOwnershipPrivilege	3244	PowerShell.exe
Token: SeLoadDriverPrivilege	3244	PowerShell.exe
Token: SeSystemProfilePrivilege	3244	PowerShell.exe
Token: SeSystemtimePrivilege	3244	PowerShell.exe
Token: SeProfSingleProcessPrivilege	3244	PowerShell.exe
Token: SeIncBasePriorityPrivilege	3244	PowerShell.exe
Token: SeCreatePagefilePrivilege	3244	PowerShell.exe
Token: SeBackupPrivilege	3244	PowerShell.exe
Token: SeRestorePrivilege	3244	PowerShell.exe
Token: SeShutdownPrivilege	3244	PowerShell.exe
Token: SeDebugPrivilege	3244	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	3244	PowerShell.exe
Token: SeRemoteShutdownPrivilege	3244	PowerShell.exe
Token: SeUndockPrivilege	3244	PowerShell.exe
Token: SeManageVolumePrivilege	3244	PowerShell.exe
Token: 33	3244	PowerShell.exe
Token: 34	3244	PowerShell.exe
Token: 35	3244	PowerShell.exe
Token: 36	3244	PowerShell.exe
Token: SeDebugPrivilege	4940	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	4940	PowerShell.exe
Token: SeSecurityPrivilege	4940	PowerShell.exe
Token: SeTakeOwnershipPrivilege	4940	PowerShell.exe
Token: SeLoadDriverPrivilege	4940	PowerShell.exe
Token: SeSystemProfilePrivilege	4940	PowerShell.exe
Token: SeSystemtimePrivilege	4940	PowerShell.exe
Token: SeProfSingleProcessPrivilege	4940	PowerShell.exe
Token: SeIncBasePriorityPrivilege	4940	PowerShell.exe
Token: SeCreatePagefilePrivilege	4940	PowerShell.exe
Token: SeBackupPrivilege	4940	PowerShell.exe
Token: SeRestorePrivilege	4940	PowerShell.exe
Token: SeShutdownPrivilege	4940	PowerShell.exe
Token: SeDebugPrivilege	4940	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	4940	PowerShell.exe
Token: SeRemoteShutdownPrivilege	4940	PowerShell.exe
Token: SeUndockPrivilege	4940	PowerShell.exe
Token: SeManageVolumePrivilege	4940	PowerShell.exe
Token: 33	4940	PowerShell.exe
Token: 34	4940	PowerShell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe
4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4276	4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe	87
PID 4480 wrote to memory of 4276	4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe	87
PID 4480 wrote to memory of 4276	4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe	87
PID 4480 wrote to memory of 4436	4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe	92
PID 4480 wrote to memory of 4436	4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe	92
PID 4480 wrote to memory of 2444	4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe	94
PID 4480 wrote to memory of 2444	4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe	94
PID 4480 wrote to memory of 3244	4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe	103
PID 4480 wrote to memory of 3244	4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe	103
PID 4480 wrote to memory of 4940	4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe	105
PID 4480 wrote to memory of 4940	4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe	105
PID 4480 wrote to memory of 4360	4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe	106
PID 4480 wrote to memory of 4360	4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe	106
PID 4480 wrote to memory of 952	4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe	110
PID 4480 wrote to memory of 952	4480	0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe	110

C:\Users\Admin\AppData\Local\Temp\0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe
"C:\Users\Admin\AppData\Local\Temp\0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\netsh.exe
  netsh int tcp show supplemental
  2⤵
  PID:4276
- C:\Windows\SYSTEM32\netsh.exe
  netsh int ip show interfaces
  2⤵
  PID:4436
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetAdapterLso -Name '*'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetAdapterChecksumOffload '*'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetTCPSetting -SettingName internet
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\SYSTEM32\netsh.exe
  netsh int tcp show global
  2⤵
  PID:4360
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetOffloadGlobalSetting
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
102406b0a9fd64f67b953e5acf0e3315

SHA1
f732473b214e87aba5c361d9b8dfac133911924e

SHA256
9504bfd6f7fb5db168a210a72ea150b9125e38b44396ae4915931e81f14cf06c

SHA512
94240a0cd429009266dd14ca88bb7c6b10691dbb78e8814de86aaa112ea533f65fd01dc81ee21c184c52d77185d96964d66425e5e86749c60383dd5a520b0c7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
073102ed253446958d571dac1fefcd92

SHA1
7710ecc841aeb53b45b34474069830a7e1255cf0

SHA256
75020d4ee4ee38e686f2cbd0df8e7d27799b515c78b7d163092f0338dac3fdc2

SHA512
c48506cc218c1254da673ff5616cab960df4a7fa455c134f87987742fb68d803e890e94821f93cf5e6b1474f02f661933a62229f4892376070862ee4c2197642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c5e780483392904de9187b42513ba13f

SHA1
0ff19035c5e7b8424eb17cfbf1d62865878cbd56

SHA256
092b8ec9f5d78720de63418e7fdab9d16425c51d6a4ade0f9dc984ffcee8a58d

SHA512
46be1bb2884f35ccc598b1de786cf7234b929b4f0927bbbc9f68b44dbb3658ac5fe089c07c8b10a9b31bd0b31f9a14ac8b0d5abd39a69380528893dcad923a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mtagncju.vtm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/952-64-0x00007FFDA7F40000-0x00007FFDA8A01000-memory.dmp

Filesize
10.8MB

Download
memory/952-50-0x00007FFDA7F40000-0x00007FFDA8A01000-memory.dmp

Filesize
10.8MB

Download
memory/952-51-0x0000027B3FCF0000-0x0000027B3FD00000-memory.dmp

Filesize
64KB

Download
memory/952-52-0x0000027B3FCF0000-0x0000027B3FD00000-memory.dmp

Filesize
64KB

Download
memory/2444-14-0x000001396C7A0000-0x000001396C7B0000-memory.dmp

Filesize
64KB

Download
memory/2444-17-0x00007FFDA8310000-0x00007FFDA8DD1000-memory.dmp

Filesize
10.8MB

Download
memory/2444-13-0x000001396C7A0000-0x000001396C7B0000-memory.dmp

Filesize
64KB

Download
memory/2444-12-0x00007FFDA8310000-0x00007FFDA8DD1000-memory.dmp

Filesize
10.8MB

Download
memory/2444-7-0x000001396C6B0000-0x000001396C6D2000-memory.dmp

Filesize
136KB

Download
memory/3244-20-0x000001CFE4EB0000-0x000001CFE4EC0000-memory.dmp

Filesize
64KB

Download
memory/3244-33-0x00007FFDA8310000-0x00007FFDA8DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3244-28-0x000001CFE4EB0000-0x000001CFE4EC0000-memory.dmp

Filesize
64KB

Download
memory/3244-19-0x00007FFDA8310000-0x00007FFDA8DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-46-0x00000205F7130000-0x00000205F7140000-memory.dmp

Filesize
64KB

Download
memory/4940-47-0x00000205F7130000-0x00000205F7140000-memory.dmp

Filesize
64KB

Download
memory/4940-49-0x00007FFDA8310000-0x00007FFDA8DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-45-0x00000205F7130000-0x00000205F7140000-memory.dmp

Filesize
64KB

Download
memory/4940-44-0x00007FFDA8310000-0x00007FFDA8DD1000-memory.dmp

Filesize
10.8MB

Download