6b10d27057ed76774defb22dbe87dbd978199c17e7464b179e136a0170cc6af6

Resubmissions

10/03/2024, 21:46

240310-1m24yacd57 7

10/03/2024, 21:41

240310-1jymcacf7v 7

Analysis

max time kernel
453s
max time network
1177s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10/03/2024, 21:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SanPaliaSetup.exe
Size

42.3MB
MD5

788a3b5a25a4163995631e398ffe6b3a
SHA1

ab3ae4088d2f5730d557ef9bb475a79294e8e15c
SHA256

ef7e56975878c8f5f85849ad65ac74e0ae52bf1b25b0331844103c6548562cd9
SHA512

c2fa4d253ef7b760b1954e5bc84f98cdab04960907893890cdf941d198b30577c6649195c3cb49235a15b84c85ccdd72cbfaf2022a72a2b2ad9bc631a60c63fb
SSDEEP

393216:dyT3YGojrsBEnP4XrqSFM+FcrONRtgZJ93AEMQu58EISEhoIaE2FShMzTVA+BDEx:dWeBZ6QxhUDE56O26rsxcCvaZ

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
280	powershell.exe
280	powershell.exe
2300	powershell.exe
2300	powershell.exe
4944	powershell.exe
4944	powershell.exe
3896	powershell.exe
3896	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeIncreaseQuotaPrivilege	2300	powershell.exe
Token: SeSecurityPrivilege	2300	powershell.exe
Token: SeTakeOwnershipPrivilege	2300	powershell.exe
Token: SeLoadDriverPrivilege	2300	powershell.exe
Token: SeSystemProfilePrivilege	2300	powershell.exe
Token: SeSystemtimePrivilege	2300	powershell.exe
Token: SeProfSingleProcessPrivilege	2300	powershell.exe
Token: SeIncBasePriorityPrivilege	2300	powershell.exe
Token: SeCreatePagefilePrivilege	2300	powershell.exe
Token: SeBackupPrivilege	2300	powershell.exe
Token: SeRestorePrivilege	2300	powershell.exe
Token: SeShutdownPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeSystemEnvironmentPrivilege	2300	powershell.exe
Token: SeRemoteShutdownPrivilege	2300	powershell.exe
Token: SeUndockPrivilege	2300	powershell.exe
Token: SeManageVolumePrivilege	2300	powershell.exe
Token: 33	2300	powershell.exe
Token: 34	2300	powershell.exe
Token: 35	2300	powershell.exe
Token: 36	2300	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeIncreaseQuotaPrivilege	4944	powershell.exe
Token: SeSecurityPrivilege	4944	powershell.exe
Token: SeTakeOwnershipPrivilege	4944	powershell.exe
Token: SeLoadDriverPrivilege	4944	powershell.exe
Token: SeSystemProfilePrivilege	4944	powershell.exe
Token: SeSystemtimePrivilege	4944	powershell.exe
Token: SeProfSingleProcessPrivilege	4944	powershell.exe
Token: SeIncBasePriorityPrivilege	4944	powershell.exe
Token: SeCreatePagefilePrivilege	4944	powershell.exe
Token: SeBackupPrivilege	4944	powershell.exe
Token: SeRestorePrivilege	4944	powershell.exe
Token: SeShutdownPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeSystemEnvironmentPrivilege	4944	powershell.exe
Token: SeRemoteShutdownPrivilege	4944	powershell.exe
Token: SeUndockPrivilege	4944	powershell.exe
Token: SeManageVolumePrivilege	4944	powershell.exe
Token: 33	4944	powershell.exe
Token: 34	4944	powershell.exe
Token: 35	4944	powershell.exe
Token: 36	4944	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeIncreaseQuotaPrivilege	3896	powershell.exe
Token: SeSecurityPrivilege	3896	powershell.exe
Token: SeTakeOwnershipPrivilege	3896	powershell.exe
Token: SeLoadDriverPrivilege	3896	powershell.exe
Token: SeSystemProfilePrivilege	3896	powershell.exe
Token: SeSystemtimePrivilege	3896	powershell.exe
Token: SeProfSingleProcessPrivilege	3896	powershell.exe
Token: SeIncBasePriorityPrivilege	3896	powershell.exe
Token: SeCreatePagefilePrivilege	3896	powershell.exe
Token: SeBackupPrivilege	3896	powershell.exe
Token: SeRestorePrivilege	3896	powershell.exe
Token: SeShutdownPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeSystemEnvironmentPrivilege	3896	powershell.exe
Token: SeRemoteShutdownPrivilege	3896	powershell.exe
Token: SeUndockPrivilege	3896	powershell.exe
Token: SeManageVolumePrivilege	3896	powershell.exe
Token: 33	3896	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 4848	2532	SanPaliaSetup.exe	82
PID 2532 wrote to memory of 4848	2532	SanPaliaSetup.exe	82
PID 4848 wrote to memory of 4356	4848	cmd.exe	84
PID 4848 wrote to memory of 4356	4848	cmd.exe	84
PID 2532 wrote to memory of 280	2532	SanPaliaSetup.exe	85
PID 2532 wrote to memory of 280	2532	SanPaliaSetup.exe	85
PID 2532 wrote to memory of 824	2532	SanPaliaSetup.exe	86
PID 2532 wrote to memory of 824	2532	SanPaliaSetup.exe	86
PID 2532 wrote to memory of 2300	2532	SanPaliaSetup.exe	87
PID 2532 wrote to memory of 2300	2532	SanPaliaSetup.exe	87
PID 280 wrote to memory of 716	280	powershell.exe	89
PID 280 wrote to memory of 716	280	powershell.exe	89
PID 716 wrote to memory of 4412	716	csc.exe	90
PID 716 wrote to memory of 4412	716	csc.exe	90
PID 2532 wrote to memory of 4944	2532	SanPaliaSetup.exe	92
PID 2532 wrote to memory of 4944	2532	SanPaliaSetup.exe	92
PID 2532 wrote to memory of 3896	2532	SanPaliaSetup.exe	95
PID 2532 wrote to memory of 3896	2532	SanPaliaSetup.exe	95

C:\Users\Admin\AppData\Local\Temp\SanPaliaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SanPaliaSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:4356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c "Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' $consolePtr = [Console.Window]::GetConsoleWindow() #0 hide [Console.Window]::ShowWindow($consolePtr, 0) "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:280
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k1f1kozo\k1f1kozo.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:716
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6448.tmp" "c:\Users\Admin\AppData\Local\Temp\k1f1kozo\CSCB3D8E36390B34C8394BCDCB23E3D5F6.TMP"
      4⤵
      PID:4412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" list vms --long"
  2⤵
  PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
0254494a4c89bf8f623066957ccb7ea1

SHA1
0a31bf0f80c2e5caaf36fdf4266b72379cfb3751

SHA256
ffda9233d24b63e14924cddc16d3885111c7cf09abe840547c0a266c2000687f

SHA512
8f8c04122ae09f4a544d482eb72c30fc6d1ae9840e4247eb9e7a5cbe6e912fbff9132afc78974509923c24c30a8049199d43d83aba49b8a66ab78316546673bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
6adc55ee9f00a634bb2a095fc0b54aba

SHA1
8e525f4a05e29bda135d88d0a483561651c75640

SHA256
c5ab4b17bc2c2732dca60de2da485d48c4b1948636cabc771f574a084eaa9023

SHA512
e5ce3f5ecaa54ed62b639f6a867b89dfe2683985c07f6ee910b1b36d973729fc3d20191fdb2ce6993bf32e06abdf60c825904b2c5a33decd051e13bd1fc11949

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6448.tmp

Filesize
1KB

MD5
707663d766b2d51bd22827fb84b4b3fd

SHA1
fe34768aff7eb3720ac924c311ff4c56767aa595

SHA256
0e9247f9e8ff22870e8bf868b1539367ed519a40c810205fe94069d98c4d8a4f

SHA512
734995fd0a9d02552493e10d7e10f3712d4df53ed54f9be988296c781f7162b7085ea163e34c085fe0ec4bbc90f80e0226b7b99f146f201bbb0689ae1c5b21f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ibyylh1.eb1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\k1f1kozo\k1f1kozo.dll

Filesize
3KB

MD5
08c0d19e13f9392168214aa80ea65284

SHA1
cf9c3ec5ddf7384a0d16f3de65b69a6223d8f5c9

SHA256
bdefb71e62f351a07e55cb24ac583f968f64023bf1f835642a7649b2344e2994

SHA512
a5bf041192dd59a5bf99cb1d5c8c16c6ccbc69ef26dd6215b57003f18207579d4d2532c0bb29b3c8a1c0c32f79574445ebeedce4c0b596361333f5a9f23a469f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k1f1kozo\CSCB3D8E36390B34C8394BCDCB23E3D5F6.TMP

Filesize
652B

MD5
30f66e89280d128a877354953b5b776f

SHA1
d74fd17f3d16f005ef901e7ef53e464a2c5afe86

SHA256
a7d3d9a9ee2889d58507661f41b9f8d437d12cd43491ed903538fd9451ceee47

SHA512
983053e668d9a22d958fa7c1f929b6eb8dcdc525635910752c2e9f744d5be629c598384acd7df49e2efba4b72f5941c20f435cc4f49030586c10697723075968

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k1f1kozo\k1f1kozo.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k1f1kozo\k1f1kozo.cmdline

Filesize
369B

MD5
58c5e44835001cdbfc0606f7c6544bfa

SHA1
50b6aa088a84ff8b0b2b8a69a454f344b61cbd7f

SHA256
0c5feef1bbde9d358d7c24219928d3697bc8a3c8dec3176da4a1f6f9499651b8

SHA512
3c9a3412e8b40aacec81f4bd0b1eebd0b622d7d8b42492e9bc0c79c33e9dd185c897533134b57d26d8ea700e6e5981123c5f83aba99827f89ee419ef5394bd31

Download Submit
memory/280-28-0x00000205A3B00000-0x00000205A3B10000-memory.dmp

Filesize
64KB

Download
memory/280-50-0x00007FFCFAEB0000-0x00007FFCFB972000-memory.dmp

Filesize
10.8MB

Download
memory/280-12-0x00000205A3A60000-0x00000205A3A82000-memory.dmp

Filesize
136KB

Download
memory/280-22-0x00007FFCFAEB0000-0x00007FFCFB972000-memory.dmp

Filesize
10.8MB

Download
memory/280-23-0x00000205A3B00000-0x00000205A3B10000-memory.dmp

Filesize
64KB

Download
memory/280-24-0x00000205A3B00000-0x00000205A3B10000-memory.dmp

Filesize
64KB

Download
memory/280-45-0x000002058B420000-0x000002058B428000-memory.dmp

Filesize
32KB

Download
memory/2300-55-0x00007FFCFAEB0000-0x00007FFCFB972000-memory.dmp

Filesize
10.8MB

Download
memory/2300-25-0x00007FFCFAEB0000-0x00007FFCFB972000-memory.dmp

Filesize
10.8MB

Download
memory/2300-26-0x00000164FD2C0000-0x00000164FD2D0000-memory.dmp

Filesize
64KB

Download
memory/2300-27-0x00000164FD2C0000-0x00000164FD2D0000-memory.dmp

Filesize
64KB

Download
memory/2300-33-0x00000164FD490000-0x00000164FD4D6000-memory.dmp

Filesize
280KB

Download
memory/2300-39-0x00000164FD840000-0x00000164FD864000-memory.dmp

Filesize
144KB

Download
memory/2300-36-0x00000164FD840000-0x00000164FD86A000-memory.dmp

Filesize
168KB

Download
memory/3896-77-0x000002214FD90000-0x000002214FDA0000-memory.dmp

Filesize
64KB

Download
memory/3896-75-0x00007FFCFB0C0000-0x00007FFCFBB82000-memory.dmp

Filesize
10.8MB

Download
memory/3896-76-0x000002214FD90000-0x000002214FDA0000-memory.dmp

Filesize
64KB

Download
memory/3896-87-0x000002214FD90000-0x000002214FDA0000-memory.dmp

Filesize
64KB

Download
memory/3896-91-0x00007FFCFB0C0000-0x00007FFCFBB82000-memory.dmp

Filesize
10.8MB

Download
memory/4944-67-0x000002127A250000-0x000002127A260000-memory.dmp

Filesize
64KB

Download
memory/4944-69-0x000002127A250000-0x000002127A260000-memory.dmp

Filesize
64KB

Download
memory/4944-73-0x00007FFCFAEB0000-0x00007FFCFB972000-memory.dmp

Filesize
10.8MB

Download
memory/4944-68-0x000002127A250000-0x000002127A260000-memory.dmp

Filesize
64KB

Download
memory/4944-66-0x00007FFCFAEB0000-0x00007FFCFB972000-memory.dmp

Filesize
10.8MB

Download