Overview

Task                  Platform             Score
overview              -                    5
static                -                    5
AutoIt3.exe           windows7-x64         3
AutoIt3.exe           windows10-2004-x64   3
script.exe...pt.ps1   windows7-x64         1
script.exe...pt.ps1   windows10-2004-x64   1
script.exe...AL.ps1   windows7-x64         1
script.exe...AL.ps1   windows10-2004-x64   1
script.exe.a32.exe    windows7-x64         3
script.exe.a32.exe    windows10-2004-x64   3

Analysis
max time kernel: 525s
max time network: 464s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-03-2024 17:17

This page is the behavioral8 task: script.exe.a32.exe run on win10v2004-20240226-en.
Static task
static1

Behavioral tasks

Task         Sample                               Resource
behavioral1  AutoIt3.exe                          win7-20240221-en
behavioral2  AutoIt3.exe                          win10v2004-20231215-en
behavioral3  script.exe.a32-ExtractedScript.ps1   win7-20240220-en
behavioral4  script.exe.a32-ExtractedScript.ps1   win10v2004-20240226-en
behavioral5  script.exe.a32-ORIGINAL.ps1          win7-20240221-en
behavioral6  script.exe.a32-ORIGINAL.ps1          win10v2004-20240226-en
behavioral7  script.exe.a32.exe                   win7-20240221-en
behavioral8  script.exe.a32.exe                   win10v2004-20240226-en
General

Target: script.exe.a32.exe
Size: 772KB
MD5: 702e7e7ad171bb9910c507263bb518ee
SHA1: 37f0a6b1fc2feaf245146bb6f66334f4f6ba3966
SHA256: 0b49440cc8ba6e797f64cfcbe78c2c65297cacaabe5213b0884232e9f18c8eff
SHA512: a52d894bf2394ed7b7c4eb847950d7c0cd3da0ac3dbcb815cbed6c26157358c9d92861badd2cea9045399df07dc9352d0ba9c2453d0834190ae5e8bfa8878d77
SSDEEP: 12288:CgDhdkq5BCoC5LfWSLTUQpr2Zu19Qo8ZDJggaVokq7ki2rRpL:CgDhdkMRWfLTUO2Zu1uo8ZDJvaUkiuh
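Before reading the behavioral sections, confirm that the file on disk is the one this report describes. The following is an added example (not part of the sandbox report or its tooling) that hashes a file once in chunks and compares every digest, plus the rounded size, against the values listed in General above. The expected values are copied from this page; the helper that writes a temporary file exists only so the check can be exercised on constructed input.

```python
import hashlib
import os
import tempfile

# Expected values copied from the report's General section for script.exe.a32.exe.
REPORTED = {
    "size_kb": 772,
    "md5": "702e7e7ad171bb9910c507263bb518ee",
    "sha1": "37f0a6b1fc2feaf245146bb6f66334f4f6ba3966",
    "sha256": "0b49440cc8ba6e797f64cfcbe78c2c65297cacaabe5213b0884232e9f18c8eff",
    "sha512": "a52d894bf2394ed7b7c4eb847950d7c0cd3da0ac3dbcb815cbed6c26157358c9"
              "d92861badd2cea9045399df07dc9352d0ba9c2453d0834190ae5e8bfa8878d77",
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def fingerprint(path):
    """Read the file once in 1 MiB chunks, feeding all four digests, and report
    the size rounded to whole KB (the report lists size that way)."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["size_kb"] = round(size / 1024)
    return result


def verify(path, expected):
    """Return the names of the fields that disagree with the report; an empty
    list means the file matches on every listed value. Hex digests are compared
    case-insensitively because reports and tools differ in letter case."""
    actual = fingerprint(path)
    mismatches = []
    for key, want in expected.items():
        got = actual[key]
        same = got.lower() == want.lower() if isinstance(want, str) else got == want
        if not same:
            mismatches.append(key)
    return mismatches


def _write_temp(data):
    """Write constructed bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "script.exe.a32.exe"
    bad = verify(target, REPORTED)
    print("match" if not bad else "mismatch in: " + ", ".join(bad))
```

Run it as `python verify.py path\to\script.exe.a32.exe`; any field in the mismatch list means you are looking at a different file (or a re-packed copy) than the one this report analysed, and the behavior below should not be assumed to apply.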
Malware Config
Signatures

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeManageVolumePrivilege, PID 4136, svchost.exe

Suspicious use of FindShellTrayWindow (11 IoCs)
All 11 events from PID 1076, script.exe.a32.exe

Suspicious use of SendNotifyMessage (11 IoCs)
All 11 events from PID 1076, script.exe.a32.exe

Note that PID 4136 is a svchost.exe instance listed at the top level of the process list below, not a child of script.exe.a32.exe (PID 1076), so the AdjustPrivilegeToken hit is not attributable to the sample on this page's evidence. The hits raised by the sample itself are limited to the two window/notification APIs.
Processes

C:\Users\Admin\AppData\Local\Temp\script.exe.a32.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\script.exe.a32.exe"
  Depth: 1 (top level)
  PID: 1076
  Signatures: Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  Depth: 1 (top level)
  PID: 1184

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  Depth: 1 (top level)
  PID: 4136
  Signatures: Suspicious use of AdjustPrivilegeToken

All three entries are top-level processes; the report records no child process of script.exe.a32.exe. The rundll32.exe and svchost.exe entries are not linked to the sample and are the kind of background activity commonly seen in a Windows 10 sandbox image.
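When a report mixes sample processes with unrelated system processes, the useful triage question is which signature hits occur inside the sample's process subtree. The following is an added example (not part of the sandbox report or its tooling) that parses the Processes section in the flattened form this page renders it (image path fused to the command line, a nesting marker "N⤵", signature bullets, then "PID:N") and splits the hits into attributable and unrelated. It assumes the digit before ⤵ is the nesting depth with 1 meaning top level; the input string is the page's three entries copied verbatim.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: the three entries of the report's Processes section, copied
# in the flattened form the page renders them in. Nothing beyond the report's
# own content is added here.
REPORT_PROCESSES = r'''
C:\Users\Admin\AppData\Local\Temp\script.exe.a32.exe"C:\Users\Admin\AppData\Local\Temp\script.exe.a32.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1076
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
PID:1184
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4136
'''


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: int = -1
    parent: Optional["Proc"] = None
    signatures: list = field(default_factory=list)


# "<image><command line><depth>⤵": the depth digits are fused to the command line.
ENTRY_RE = re.compile(r"^(?P<body>.*?)(?P<depth>\d+)⤵$")
# The command line either starts with a quote or repeats the image path verbatim,
# so the image is the shortest ".exe"-terminated prefix followed by one of those.
IMAGE_RE = re.compile(r'^(?P<image>.+?\.exe)(?=(?P=image)|")', re.IGNORECASE)


def parse_process_tree(text: str) -> list:
    """Parse flattened process entries into Proc records linked by depth
    (assumption: depth N+1 entries are children of the last depth N entry)."""
    procs, current, stack = [], None, []  # stack[d - 1]: last entry seen at depth d
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            body, depth = m.group("body"), int(m.group("depth"))
            im = IMAGE_RE.match(body)
            image = im.group("image") if im else body
            current = Proc(image=image, cmdline=body[len(image):].strip(), depth=depth)
            current.parent = stack[depth - 2] if depth >= 2 and len(stack) >= depth - 1 else None
            del stack[depth - 1:]
            stack.append(current)
            procs.append(current)
        elif line.startswith("- ") and current is not None:
            current.signatures.append(line[2:].strip())
        elif line.startswith("PID:") and current is not None:
            current.pid = int(line[4:])
    return procs


def in_subtree(proc: Proc, root: Proc) -> bool:
    """True if proc is root or a descendant of root."""
    while proc is not None:
        if proc is root:
            return True
        proc = proc.parent
    return False


def attribute_signatures(procs, target_image: str):
    """Split signature hits into those raised inside the submitted target's
    process subtree and those raised by processes not linked to it.
    Returns ({pid: [hits]}, {pid: [hits]}) for attributed and unrelated hits."""
    roots = [p for p in procs if p.image.lower().endswith("\\" + target_image.lower())]
    attributed, unrelated = {}, {}
    for p in procs:
        if not p.signatures:
            continue
        bucket = attributed if any(in_subtree(p, r) for r in roots) else unrelated
        bucket[p.pid] = list(p.signatures)
    return attributed, unrelated


if __name__ == "__main__":
    tree = parse_process_tree(REPORT_PROCESSES)
    own, other = attribute_signatures(tree, "script.exe.a32.exe")
    for pid, sigs in own.items():
        print(f"sample subtree pid {pid}: {', '.join(sigs)}")
    for pid, sigs in other.items():
        print(f"unrelated      pid {pid}: {', '.join(sigs)}")
```

On this page's data the attributed bucket holds only PID 1076 with the two window/notification hits, and the AdjustPrivilegeToken hit on PID 4136 lands in the unrelated bucket. The parser also follows deeper nesting, so on a report where the sample spawns children their hits are attributed to the sample as well.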
Network

MITRE ATT&CK Enterprise v15
Downloads

Filesize: 16KB
MD5: 281652ab7f24119c4d1549b1108c4388
SHA1: a1bcc93d6836f5588b7d24ba7ee1b7bd210cd3f4
SHA256: 748bf2b7e5d83d3f9f977d6efbcfc2d851ffe368c92a49c8b7e21529f4f1d883
SHA512: 09e5b4dae99152c741a707ce38d741a6c0fed14d6730fec9bd40025d86b0186e1b5e3574a3784c0e7fd1574fb6e72f2d94db09ef0fea8babcbbff9778a28f270

The report does not name this file or the request that produced it, so it cannot be tied to a specific connection from this page alone.