e9317532eb94a2dcfe16a943f6c29d4d9a4cd2d780814b4b16dcdf6a79be446c

Resubmissions

17-01-2024 18:54

240117-xkjyssdcf4 8

17-01-2024 18:40

240117-xbebyscefm 8

Analysis

max time kernel
132s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
17-01-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efed9df5db764689c3ba1a06084599f47278e8a7a6732fb35f5ed1b01748864f.appx
Size

135.6MB
MD5

e347a58cf88cc6f686207d30d2e3db65
SHA1

8b24338138775079f8fdd85366fed7598a9f288d
SHA256

efed9df5db764689c3ba1a06084599f47278e8a7a6732fb35f5ed1b01748864f
SHA512

d9347486a247e40f53b27270bca7afa29b428236be514d5261a19115226dc07de776c84fa6b0d0150f6e7d5d8bdfadba0da2d9ec9c6a5ca1d2a17943ebcadc43
SSDEEP

3145728:YZXsiKRnMfIcYNVZiTeoVu1uX7rAUMg47zNO0SPo8Z1Z4wX1JfSbmbd3d:Y9ontcyVZiamAuLX947xOj1Z4wlQbw

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
23	4060	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3032	VC_redist.x86.exe

Loads dropped DLL 1 IoCs

pid	Process
3032	VC_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4372	powershell.exe
4372	powershell.exe
2664	Powershell.exe
2664	Powershell.exe
4060	powershell.exe
4060	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	2664	Powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2904	848	AiStubX86.exe	85
PID 848 wrote to memory of 2904	848	AiStubX86.exe	85
PID 848 wrote to memory of 2904	848	AiStubX86.exe	85
PID 848 wrote to memory of 2664	848	AiStubX86.exe	84
PID 848 wrote to memory of 2664	848	AiStubX86.exe	84
PID 848 wrote to memory of 2664	848	AiStubX86.exe	84
PID 848 wrote to memory of 2664	848	AiStubX86.exe	84
PID 848 wrote to memory of 2664	848	AiStubX86.exe	84
PID 2664 wrote to memory of 4060	2664	Powershell.exe	86
PID 2664 wrote to memory of 4060	2664	Powershell.exe	86
PID 2664 wrote to memory of 4060	2664	Powershell.exe	86
PID 2664 wrote to memory of 4060	2664	Powershell.exe	86
PID 2664 wrote to memory of 4060	2664	Powershell.exe	86
PID 848 wrote to memory of 4924	848	AiStubX86.exe	87
PID 848 wrote to memory of 4924	848	AiStubX86.exe	87
PID 848 wrote to memory of 4924	848	AiStubX86.exe	87
PID 848 wrote to memory of 4924	848	AiStubX86.exe	87
PID 848 wrote to memory of 4924	848	AiStubX86.exe	87
PID 848 wrote to memory of 4924	848	AiStubX86.exe	87
PID 848 wrote to memory of 4924	848	AiStubX86.exe	87
PID 848 wrote to memory of 4924	848	AiStubX86.exe	87
PID 848 wrote to memory of 4924	848	AiStubX86.exe	87
PID 848 wrote to memory of 4924	848	AiStubX86.exe	87
PID 848 wrote to memory of 4924	848	AiStubX86.exe	87
PID 848 wrote to memory of 4924	848	AiStubX86.exe	87
PID 848 wrote to memory of 4924	848	AiStubX86.exe	87
PID 848 wrote to memory of 4924	848	AiStubX86.exe	87
PID 4924 wrote to memory of 3032	4924	VC_redist.x86.exe	88
PID 4924 wrote to memory of 3032	4924	VC_redist.x86.exe	88
PID 4924 wrote to memory of 3032	4924	VC_redist.x86.exe	88

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:AppsFolder\Midjourney.Midjourney_jqzvp2n7sb70p!VCredist.x86.exe
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\AI_STUBS\AiStubX86.exe
"C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\AI_STUBS\AiStubX86.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file 'C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\refresh.ps1'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\refresh.ps1"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4060
- C:\Windows\SysWOW64\xcopy.exe
  "xcopy.exe" "C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\VFS\AppData" "C:\Users\Admin\AppData\Local\Packages\Midjourney.Midjourney_jqzvp2n7sb70p\LocalCache\Roaming" /e /s /y /c /h /q /i /k
  2⤵
  - Enumerates system info in registry
  PID:2904
- C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\VC_redist.x86.exe
  "VC_redist.x86.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\Temp\{1B141489-D3CC-408D-BEFF-92B1B9883D7D}\.cr\VC_redist.x86.exe
    "C:\Windows\Temp\{1B141489-D3CC-408D-BEFF-92B1B9883D7D}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\VC_redist.x86.exe" -burn.filehandle.attached=568 -burn.filehandle.self=576
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
80cf23522198a93d6de41b2f91acf23b

SHA1
9d6d9eb2a71639363248bf3052154e2a4bde3b7b

SHA256
9c55b5a7633a79e9e778101acb1b5c16e15d8c20a3a0ce187c745eac64c3898a

SHA512
8c20dee79b3ef8a3b179476d6e7fcda00e9a512c4897c7219196c02d2ab01b47934f36ef4bbcc66184538b93042eabc7be03a6ab26d78c5f62d83c95c020daee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gybi0qy3.dip.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/848-105-0x0000000075720000-0x0000000075810000-memory.dmp

Filesize
960KB

Download
memory/848-17-0x000000006D740000-0x000000006D750000-memory.dmp

Filesize
64KB

Download
memory/848-18-0x0000000075720000-0x0000000075810000-memory.dmp

Filesize
960KB

Download
memory/2664-33-0x0000000006660000-0x00000000069B7000-memory.dmp

Filesize
3.3MB

Download
memory/2664-35-0x0000000006B50000-0x0000000006B6E000-memory.dmp

Filesize
120KB

Download
memory/2664-54-0x00000000740D0000-0x0000000074881000-memory.dmp

Filesize
7.7MB

Download
memory/2664-37-0x0000000008480000-0x0000000008AFA000-memory.dmp

Filesize
6.5MB

Download
memory/2664-20-0x00000000740D0000-0x0000000074881000-memory.dmp

Filesize
7.7MB

Download
memory/2664-19-0x00000000056B0000-0x00000000056E6000-memory.dmp

Filesize
216KB

Download
memory/2664-21-0x0000000006030000-0x000000000665A000-memory.dmp

Filesize
6.2MB

Download
memory/2664-23-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/2664-24-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/2664-38-0x00000000070D0000-0x00000000070EA000-memory.dmp

Filesize
104KB

Download
memory/2664-22-0x0000000005DB0000-0x0000000005DD2000-memory.dmp

Filesize
136KB

Download
memory/2664-36-0x0000000006B90000-0x0000000006BDC000-memory.dmp

Filesize
304KB

Download
memory/4060-39-0x00000000740D0000-0x0000000074881000-memory.dmp

Filesize
7.7MB

Download
memory/4060-50-0x00000000740D0000-0x0000000074881000-memory.dmp

Filesize
7.7MB

Download
memory/4372-14-0x00007FFC1B170000-0x00007FFC1BC32000-memory.dmp

Filesize
10.8MB

Download
memory/4372-5-0x000001D4392C0000-0x000001D4392E2000-memory.dmp

Filesize
136KB

Download
memory/4372-11-0x000001D439250000-0x000001D439260000-memory.dmp

Filesize
64KB

Download
memory/4372-10-0x000001D439250000-0x000001D439260000-memory.dmp

Filesize
64KB

Download
memory/4372-12-0x000001D439250000-0x000001D439260000-memory.dmp

Filesize
64KB

Download
memory/4372-9-0x00007FFC1B170000-0x00007FFC1BC32000-memory.dmp

Filesize
10.8MB

Download
memory/4924-55-0x000000006D740000-0x000000006D750000-memory.dmp

Filesize
64KB

Download
memory/4924-56-0x0000000075720000-0x0000000075810000-memory.dmp

Filesize
960KB

Download
memory/4924-106-0x0000000075720000-0x0000000075810000-memory.dmp

Filesize
960KB

Download