Overview

overview

7

Static

static

5

599151.301...39.lnk

windows7-x64

5

599151.301...39.lnk

windows10-2004-x64

7

TUP3298063...ed.dll

windows7-x64

3

TUP3298063...ed.dll

windows10-2004-x64

TUP3298063...on.dll

windows7-x64

1

TUP3298063...on.dll

windows10-2004-x64

1

TUP3298063...on.exe

windows7-x64

3

TUP3298063...on.exe

windows10-2004-x64

3

TUP3298063...n1.exe

windows7-x64

TUP3298063...n1.exe

windows10-2004-x64

TUP3298063...1_.ps1

windows7-x64

1

TUP3298063...1_.ps1

windows10-2004-x64

1

TUP3298063...32.dll

windows7-x64

1

TUP3298063...32.dll

windows10-2004-x64

1

TUP3298063...33.dll

windows7-x64

1

TUP3298063...33.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    33s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 14:22

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    TUP32980638916Y/ctfmon1.exe

  • Size

    870KB

  • MD5

    82d2590bfa019845cbdd670427d31674

  • SHA1

    5b96ae15e9d3e0db2ebd4d94c930a39bf1829afe

  • SHA256

    7d361e62e333b2ed467505025fd04c75b63c6aca9b15dad6f76adc8bd1deadbd

  • SHA512

    8d071e78cf1db6d8391b567e64a04e42fd0b83bab3b2d3af729899b41a92cb7068576914a63fbbd3af3601d74a49e9620bab0a6788c13d4dad6319ce837380ee

  • SSDEEP

    24576:FAHnh+eWsN3skA4RV1Hom2KXMmHahM065:0h+ZkldoPK8YahY

Score
1/10

Malware Config

Signatures

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TUP32980638916Y\ctfmon1.exe
    "C:\Users\Admin\AppData\Local\Temp\TUP32980638916Y\ctfmon1.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\System32\dllhost.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4328
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c shutdown -s -t 2 -f
        3⤵
          PID:1068
          • C:\Windows\SysWOW64\shutdown.exe
            shutdown -s -t 2 -f
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:5956
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c shutdown -s -t 2 -f
          3⤵
            PID:5660
            • C:\Windows\SysWOW64\shutdown.exe
              shutdown -s -t 2 -f
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:5980
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c shutdown -s -t 1 -f
            3⤵
              PID:5684
              • C:\Windows\SysWOW64\shutdown.exe
                shutdown -s -t 1 -f
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1012
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x4 /state0:0xa3990855 /state1:0x41c64e6d
          1⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of SetWindowsHookEx
          PID:6064

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2528-0-0x0000000004010000-0x0000000004011000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2528-1-0x0000000004520000-0x0000000004521000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2528-2-0x0000000004510000-0x0000000004511000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2528-3-0x0000000004530000-0x0000000004531000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2528-4-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/4328-14-0x00000000003A0000-0x00000000003A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4328-15-0x00000000003C0000-0x00000000003C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4328-17-0x0000000000710000-0x0000000000711000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4328-1228-0x0000000010410000-0x000000001064C000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/4328-1245-0x0000000010410000-0x000000001064C000-memory.dmp

          Filesize

          2.2MB

          Download