a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2

Reason

Machine shutdown

General

Target

PowerRun.exe
Size

873KB
MD5

fc1fb033d57f72089fb4762245a8b18d
SHA1

7ec0f7ca5f0e0d20e5372bf69865d0a809e6cc8e
SHA256

a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2
SHA512

cff3833e592a5fe1f1fcb656c42e77fdd177c902f84cf396365cfa04edc9ec046de3473a943779d3815bc36bf48182101703b20b08ae580c2b3ba20508d231d0
SSDEEP

24576:g2DW/xbWX2YIb3Qsu3/PNL3Q7HybtTpAA+c:g2EaXSQsW/PNjQLY9ARc

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20240221135140.cab	makecab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0d7a81ecd64da01	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2164	PowerRun.exe
2764	PowerRun.exe
2764	PowerRun.exe
2572	PowerRun.exe
2572	PowerRun.exe
2180	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2164	PowerRun.exe
960	PowerRun.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	2764	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	2764	PowerRun.exe
Token: 0	2764	PowerRun.exe
Token: SeDebugPrivilege	2572	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	2572	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	2572	PowerRun.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeShutdownPrivilege	1056	shutdown.exe
Token: SeRemoteShutdownPrivilege	1056	shutdown.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2764	2164	PowerRun.exe	28
PID 2164 wrote to memory of 2764	2164	PowerRun.exe	28
PID 2164 wrote to memory of 2764	2164	PowerRun.exe	28
PID 960 wrote to memory of 2180	960	PowerRun.exe	34
PID 960 wrote to memory of 2180	960	PowerRun.exe	34
PID 960 wrote to memory of 2180	960	PowerRun.exe	34
PID 2180 wrote to memory of 1056	2180	powershell.exe	38
PID 2180 wrote to memory of 1056	2180	powershell.exe	38
PID 2180 wrote to memory of 1056	2180	powershell.exe	38

C:\Users\Admin\AppData\Local\Temp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\PowerRun.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\PowerRun.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerRun.exe" /P:393498
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\PowerRun.exe
    "C:\Users\Admin\AppData\Local\Temp\PowerRun.exe" /P:393498
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\PowerRun.exe" /TI/ /P:393498
      4⤵
      Modifies data under HKEY_USERS
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of WriteProcessMemory
      PID:960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        5⤵
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\system32\shutdown.exe
        
        "C:\Windows\system32\shutdown.exe" /s
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240221135140.log C:\Windows\Logs\CBS\CbsPersist_20240221135140.cab
1⤵
- Drops file in Windows directory
PID:2544

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1364

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2j1l6v4d.tmp

Filesize
28KB

MD5
9e7bb9c31083cc3a0f561d12311c9d83

SHA1
9102b88339566d5f0490c25180632043c8bb1809

SHA256
2658178fd2cb498195032c531bf3bb037954e0614aaec4c4ac2637f08d949bc1

SHA512
1fb30279a1f951a98f609eb749deb6c77082c28a30e1fdd4f3224ddac8ddfad134e8f3c44f82c32501da8a93a978e6cf8dfe591039a0e6af0d4d2a1dc5445699

Download Submit
C:\Users\Admin\AppData\Local\Temp\PowerRun.ini

Filesize
3KB

MD5
0440ccc33632c47e92d99f69419c0d31

SHA1
59206d53e3714f6e2c52dbe0f5f05ff2ac65e595

SHA256
1acc15721dd6e286345bcdbbf2ea7479ac75e47eb5118a2725fed7e80295f476

SHA512
ce237920a5c1a7c061f891ae6747d441330ba1d75ad90425907f1523aa2e5790b9aded3ee76cc7e02694ff962ffcd205b68bd1540d4b910715ebb39777eb2939

Download Submit
C:\Windows\Temp\0hgc9c6e.tmp

Filesize
28KB

MD5
1524a28cbc30e70c60bc6cf977f82229

SHA1
664f15cea146b654ec4a60c76071ff83c4dfa651

SHA256
8561191653adc4ee6cb03a5c1953bd993782689600adebcd8776754147668f9b

SHA512
7fbee3bc38aca8ef368c1ff07eb1f4fb3f178628f8b41430eb1006c63bd908f26a1d85a19f2d661b02d3842505c9c762c8056fb2f1619b92a3a6d1085f0b9c50

Download Submit
C:\Windows\Temp\aut98F5.tmp

Filesize
11KB

MD5
4a83df1d945c2f5801ed59650d7460eb

SHA1
31827890e1df99268c0f80dcb26774225e4c3a5d

SHA256
2d993be76dfcf35f89b656b4dbc553e078d824974b482e56c6f76eaea87731c8

SHA512
eacb88683e3c999a1cdc9d9e4a4030723164e358d7cd85f7cfc02b99f33be991c89af5602349b48b5388520968a43a2a45b4b6d2f468f2b888088cf95bd591d2

Download Submit
C:\Windows\Temp\aut9906.tmp

Filesize
10KB

MD5
09ca17eb552722bd7004097f59b07518

SHA1
36cf9da188460542e58acb97fa0ef0bfd9a4e172

SHA256
365c32c3c09228158ab5aaabfcf93cdfcd858be0b2a00031d82ab03070f61a5b

SHA512
3dc6ed86df50f87b12635032fb30840e94bea699ac193a16099a2ce1a9bd5e39147f115fb938c177991dc0dcfd5abab075632a1d0b46e6009a86eea3a27156bf

Download Submit
C:\Windows\Temp\aut9907.tmp

Filesize
5KB

MD5
96c0e61f3298cb745b021f67e7dd0d48

SHA1
a61adbe460c68a3087ff1ba75620dbb86af28e40

SHA256
3e56c22a81ab1168036a289c7ffe2889dd678c422568dff9ef91d6a0f9005333

SHA512
dbbfdd4ad2c80ff9df0b21dfd011420baba54a7114d0e0ff5371dda9c9389d90422a4311881ac2bdb5ba7c4334d210b61c6c0fc691ae503e32930109d9251f3e

Download Submit
memory/1364-152-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/2180-132-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2180-133-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2180-131-0x0000000001D00000-0x0000000001D08000-memory.dmp

Filesize
32KB

Download
memory/2180-130-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2180-134-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2180-135-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2180-136-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2180-148-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2180-149-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2180-150-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2180-129-0x000000001B140000-0x000000001B422000-memory.dmp

Filesize
2.9MB

Download
memory/2444-154-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors