Overview

overview

8

Static

static

1

69ba83fdc3...23.exe

windows7-x64

7

69ba83fdc3...23.exe

windows10-2004-x64

3

Malemutes/...nt.ps1

windows7-x64

8

Malemutes/...nt.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    132s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2024, 02:23 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Malemutes/Nonprecedent.ps1

  • Size

    52KB

  • MD5

    d70cc7a86c607e5511048fe2b3242bf9

  • SHA1

    7533500bfb680dc5fcea3e37fd2eca0385990376

  • SHA256

    9be2c4093ac767d9ec1aa035a7a8139fac9347068f303e1ef583b4d1f8dedd2b

  • SHA512

    05052e82d38f94ff7eb6ed89a7fd9041c20d03eba7d6d193c3fe85c628605c70fa8cb2dbb1e44ee721c8143bbcb6e5caf72c24acb134628d967e757b18d158ff

  • SSDEEP

    768:U2QEBkOK0lDYsewm+sJ1IpcWeTsoacVjEiaiEpacvbFDchyck95ipSDqgSVP:H+0lDYqZsbwxrcVjWircjkzk95ip7P

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Malemutes\Nonprecedent.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      2⤵
        PID:2920
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "2228" "1124"
        2⤵
          PID:2568
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2708

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259402442.txt
        Filesize

        1KB

        MD5

        c7dd07456dfb255b776c93e585ebc226

        SHA1

        19d94f641b43705585180ad4f3e4dfa651af2773

        SHA256

        3c653069449c30357fb5e1565cb33379f17678762d0508cd0dbbda52b365abfd

        SHA512

        615a5b573ffb8cf04ed9114154feaaf810263b60356179ffeda4fd4e7e47fe18a621198ea12ac3e36b564e21e09197960a9f80803682b7624f73d94c3f2dae48

        Download Submit

      • memory/2228-13-0x0000000002B00000-0x0000000002B80000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2228-17-0x0000000002B00000-0x0000000002B80000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2228-7-0x0000000002B00000-0x0000000002B80000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2228-9-0x0000000002B00000-0x0000000002B80000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2228-8-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2228-10-0x0000000002B00000-0x0000000002B80000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2228-6-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2228-5-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2228-12-0x0000000002B00000-0x0000000002B80000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2228-16-0x00000000029B0000-0x00000000029B4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/2228-4-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2228-18-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2708-19-0x0000000004570000-0x0000000004571000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2708-20-0x0000000004570000-0x0000000004571000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2708-24-0x0000000002960000-0x0000000002970000-memory.dmp

        Filesize

        64KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.