bc3403acdc34ff63ce56b3fd20788693259b8af09cf7e28533f112b1486efaff

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BntEmulato2DXQX.exe
Size

42.3MB
MD5

99b1050c6b75e4f006f5a7b96d8836d7
SHA1

2f11324855d621c5f649bb0db18bc012f8653b0f
SHA256

bc3403acdc34ff63ce56b3fd20788693259b8af09cf7e28533f112b1486efaff
SHA512

31e15ab9ae80aec06d8ecddfd7d03b7816cb83ebe868edf5400e65c30069b8269314015503077bff31b85cfdedf1f3312551113fd02ff3538d7b92a1843f888a
SSDEEP

393216:1yT3YGojrsBEnP4XrqSFM+FcrONRtgZJ93AEMQu58EISEhoIaE2FShMzTVA+BDEp:1WeBZ6QxhUDE5YO26rsxcpqiRh

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1780	powershell.exe
4860	powershell.exe
4860	powershell.exe
1780	powershell.exe
3680	powershell.exe
3680	powershell.exe
4300	powershell.exe
4300	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeIncreaseQuotaPrivilege	1780	powershell.exe
Token: SeSecurityPrivilege	1780	powershell.exe
Token: SeTakeOwnershipPrivilege	1780	powershell.exe
Token: SeLoadDriverPrivilege	1780	powershell.exe
Token: SeSystemProfilePrivilege	1780	powershell.exe
Token: SeSystemtimePrivilege	1780	powershell.exe
Token: SeProfSingleProcessPrivilege	1780	powershell.exe
Token: SeIncBasePriorityPrivilege	1780	powershell.exe
Token: SeCreatePagefilePrivilege	1780	powershell.exe
Token: SeBackupPrivilege	1780	powershell.exe
Token: SeRestorePrivilege	1780	powershell.exe
Token: SeShutdownPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeSystemEnvironmentPrivilege	1780	powershell.exe
Token: SeRemoteShutdownPrivilege	1780	powershell.exe
Token: SeUndockPrivilege	1780	powershell.exe
Token: SeManageVolumePrivilege	1780	powershell.exe
Token: 33	1780	powershell.exe
Token: 34	1780	powershell.exe
Token: 35	1780	powershell.exe
Token: 36	1780	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeIncreaseQuotaPrivilege	3680	powershell.exe
Token: SeSecurityPrivilege	3680	powershell.exe
Token: SeTakeOwnershipPrivilege	3680	powershell.exe
Token: SeLoadDriverPrivilege	3680	powershell.exe
Token: SeSystemProfilePrivilege	3680	powershell.exe
Token: SeSystemtimePrivilege	3680	powershell.exe
Token: SeProfSingleProcessPrivilege	3680	powershell.exe
Token: SeIncBasePriorityPrivilege	3680	powershell.exe
Token: SeCreatePagefilePrivilege	3680	powershell.exe
Token: SeBackupPrivilege	3680	powershell.exe
Token: SeRestorePrivilege	3680	powershell.exe
Token: SeShutdownPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeSystemEnvironmentPrivilege	3680	powershell.exe
Token: SeRemoteShutdownPrivilege	3680	powershell.exe
Token: SeUndockPrivilege	3680	powershell.exe
Token: SeManageVolumePrivilege	3680	powershell.exe
Token: 33	3680	powershell.exe
Token: 34	3680	powershell.exe
Token: 35	3680	powershell.exe
Token: 36	3680	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeIncreaseQuotaPrivilege	4300	powershell.exe
Token: SeSecurityPrivilege	4300	powershell.exe
Token: SeTakeOwnershipPrivilege	4300	powershell.exe
Token: SeLoadDriverPrivilege	4300	powershell.exe
Token: SeSystemProfilePrivilege	4300	powershell.exe
Token: SeSystemtimePrivilege	4300	powershell.exe
Token: SeProfSingleProcessPrivilege	4300	powershell.exe
Token: SeIncBasePriorityPrivilege	4300	powershell.exe
Token: SeCreatePagefilePrivilege	4300	powershell.exe
Token: SeBackupPrivilege	4300	powershell.exe
Token: SeRestorePrivilege	4300	powershell.exe
Token: SeShutdownPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeSystemEnvironmentPrivilege	4300	powershell.exe
Token: SeRemoteShutdownPrivilege	4300	powershell.exe
Token: SeUndockPrivilege	4300	powershell.exe
Token: SeManageVolumePrivilege	4300	powershell.exe
Token: 33	4300	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 1428	4748	BntEmulato2DXQX.exe	89
PID 4748 wrote to memory of 1428	4748	BntEmulato2DXQX.exe	89
PID 1428 wrote to memory of 4196	1428	cmd.exe	92
PID 1428 wrote to memory of 4196	1428	cmd.exe	92
PID 4748 wrote to memory of 4860	4748	BntEmulato2DXQX.exe	93
PID 4748 wrote to memory of 4860	4748	BntEmulato2DXQX.exe	93
PID 4748 wrote to memory of 396	4748	BntEmulato2DXQX.exe	94
PID 4748 wrote to memory of 396	4748	BntEmulato2DXQX.exe	94
PID 4748 wrote to memory of 1780	4748	BntEmulato2DXQX.exe	95
PID 4748 wrote to memory of 1780	4748	BntEmulato2DXQX.exe	95
PID 4860 wrote to memory of 212	4860	powershell.exe	97
PID 4860 wrote to memory of 212	4860	powershell.exe	97
PID 212 wrote to memory of 3324	212	csc.exe	99
PID 212 wrote to memory of 3324	212	csc.exe	99
PID 4748 wrote to memory of 3680	4748	BntEmulato2DXQX.exe	101
PID 4748 wrote to memory of 3680	4748	BntEmulato2DXQX.exe	101
PID 4748 wrote to memory of 4300	4748	BntEmulato2DXQX.exe	104
PID 4748 wrote to memory of 4300	4748	BntEmulato2DXQX.exe	104

C:\Users\Admin\AppData\Local\Temp\BntEmulato2DXQX.exe
"C:\Users\Admin\AppData\Local\Temp\BntEmulato2DXQX.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:4196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c "Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' $consolePtr = [Console.Window]::GetConsoleWindow() #0 hide [Console.Window]::ShowWindow($consolePtr, 0) "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bembkqlv\bembkqlv.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FB8.tmp" "c:\Users\Admin\AppData\Local\Temp\bembkqlv\CSCD8EF8DDCA91E4E9683EE18541608029.TMP"
      4⤵
      PID:3324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" list vms --long"
  2⤵
  PID:396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
964e8966b65fac9964114570b0b18dc7

SHA1
4f995589cbdb1f80470aa4ffb471ec8fea9df108

SHA256
95ff3e06c431632ceb029775d38f6d7f30eca96fff7baead6902db820a4e7b62

SHA512
164916f5ae026c59c219e1d42d726be4eb076367b169ec39435c6e6a7d25e4c7312cc228b7713a478c23fbdd3135f2ba94383f084f0874adc0b89ae58143fdbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3FB8.tmp

Filesize
1KB

MD5
b3f67a689da5734d7534be56857ebcdb

SHA1
6ab4a33e4566c5de178446754d94e16911159004

SHA256
29896e528e261c7c667dfb091fa61252ede8db8d61fbfae4a8a73e7a0acd9c83

SHA512
5e65947aaec5d47ae2ca2260969de29b8e946099d51d22556cb02f62b61325480f70583a892409d6113c44927ba49a253eb2f0f3b0f8b5d6b82d53f3e2fb17dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k4e5len1.lhg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bembkqlv\bembkqlv.dll

Filesize
3KB

MD5
12ac048d6d3756fe95f3b3f032c872bd

SHA1
0d29bdce4ba196e216b4746dcf7e54fe4ce745b4

SHA256
da489702d89b24bf38cc778431a9601c6f5cd492da0acd26844bda288fa5f416

SHA512
617b97a5ec3cf90af8af1da39f6aa7581a42789bf3a2b8e9326aadfd067a4ebcfc8b9b93bb9e78584b0fc88c649550e784dd17fb267eb4a1660e7649fce19282

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bembkqlv\CSCD8EF8DDCA91E4E9683EE18541608029.TMP

Filesize
652B

MD5
69483673331ee7293c0fb54e30d4fa38

SHA1
1b45e02a9f8c236520b09ae8ab497ed2deedea7e

SHA256
61ba080836ebeff7f13cc89102bcf66b883eda2fb6fb6a01954b6175f35fb878

SHA512
297631e79dbfbe1ba824ae6d88f1f4cee5d75158f5460d71f220fb219ef0e5238680b5611947ee82684b418971d0605bfd49f9b80f57234dabde9d9761e50a6c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bembkqlv\bembkqlv.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bembkqlv\bembkqlv.cmdline

Filesize
369B

MD5
c50beec35cfb2412bcf1f43220578cfc

SHA1
28373e3600aea4a25902edbb7c58b3ee0dfc2ff1

SHA256
8518b9fcb84271ae11647550942ee7436f6142dc8124678036328ae8348d2875

SHA512
bf8975b197f28c67533a3ac876d557c2fa1092105baddb661a10d2bc0fc79505f53100e12b2caf6c3768cab62648c174c2cf406a80ca5132096d507a5803d605

Download Submit
memory/1780-29-0x000001EA730B0000-0x000001EA730C0000-memory.dmp

Filesize
64KB

Download
memory/1780-32-0x000001EA75660000-0x000001EA756A4000-memory.dmp

Filesize
272KB

Download
memory/1780-36-0x000001EA75730000-0x000001EA757A6000-memory.dmp

Filesize
472KB

Download
memory/1780-54-0x000001EA730B0000-0x000001EA730C0000-memory.dmp

Filesize
64KB

Download
memory/1780-5-0x000001EA73050000-0x000001EA73072000-memory.dmp

Filesize
136KB

Download
memory/1780-58-0x00007FF8AE670000-0x00007FF8AF131000-memory.dmp

Filesize
10.8MB

Download
memory/1780-16-0x000001EA730B0000-0x000001EA730C0000-memory.dmp

Filesize
64KB

Download
memory/1780-15-0x00007FF8AE670000-0x00007FF8AF131000-memory.dmp

Filesize
10.8MB

Download
memory/1780-52-0x000001EA756B0000-0x000001EA756DA000-memory.dmp

Filesize
168KB

Download
memory/1780-53-0x000001EA756B0000-0x000001EA756D4000-memory.dmp

Filesize
144KB

Download
memory/3680-71-0x000001C5788A0000-0x000001C5788B0000-memory.dmp

Filesize
64KB

Download
memory/3680-74-0x000001C5788A0000-0x000001C5788B0000-memory.dmp

Filesize
64KB

Download
memory/3680-77-0x00007FF8AEA90000-0x00007FF8AF551000-memory.dmp

Filesize
10.8MB

Download
memory/3680-69-0x00007FF8AEA90000-0x00007FF8AF551000-memory.dmp

Filesize
10.8MB

Download
memory/3680-72-0x000001C5788A0000-0x000001C5788B0000-memory.dmp

Filesize
64KB

Download
memory/4300-90-0x00000216605C0000-0x00000216605D0000-memory.dmp

Filesize
64KB

Download
memory/4300-91-0x00000216605C0000-0x00000216605D0000-memory.dmp

Filesize
64KB

Download
memory/4300-89-0x00007FF8AEA90000-0x00007FF8AF551000-memory.dmp

Filesize
10.8MB

Download
memory/4300-96-0x00000216605C0000-0x00000216605D0000-memory.dmp

Filesize
64KB

Download
memory/4300-97-0x00007FF8AEA90000-0x00007FF8AF551000-memory.dmp

Filesize
10.8MB

Download
memory/4300-99-0x00000216605C0000-0x00000216605D0000-memory.dmp

Filesize
64KB

Download
memory/4860-28-0x0000022BEEFC0000-0x0000022BEEFD0000-memory.dmp

Filesize
64KB

Download
memory/4860-27-0x0000022BEEFC0000-0x0000022BEEFD0000-memory.dmp

Filesize
64KB

Download
memory/4860-49-0x00007FF8AE670000-0x00007FF8AF131000-memory.dmp

Filesize
10.8MB

Download
memory/4860-44-0x0000022BD69B0000-0x0000022BD69B8000-memory.dmp

Filesize
32KB

Download
memory/4860-26-0x00007FF8AE670000-0x00007FF8AF131000-memory.dmp

Filesize
10.8MB

Download