Resubmissions
09-04-2024 13:34
240409-qvlrtabe9s 1009-04-2024 13:34
240409-qvk6aabe81 1009-04-2024 13:33
240409-qthzjabe5z 1009-04-2024 13:33
240409-qthc1abe5y 1007-07-2023 11:45
230707-nw632ahf6w 10Analysis
-
max time kernel
237s -
max time network
298s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
09-04-2024 13:33
General
-
Target
MsMpEng.js
-
Size
24.2MB
-
MD5
690d57b0d8670391bad0876cae078bab
-
SHA1
32bea01d606128c606b71e19920099c6cb15030f
-
SHA256
b27dd5407a22c8df93090fbc1a3eb93c6461f4a279cfabd87b4b21e246bda458
-
SHA512
dd113765cd5cfeb99a98775c3c8e265463fca7863ffa519dcb7175312bbbeb4ea24ca45b4cef0320b430d413c020970346f4db671e0730e9e044cd2585f71fd4
-
SSDEEP
49152:34aSO/UYGzBMZ09d1X5EdS76+B0RX8DQQs8ReDlpgU3HApVeOGMmb5cUNWcGTRPk:H
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\MsMpEng.js1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\x.exe"C:\Users\Admin\AppData\Local\Temp\x.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txtC:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\x.exe"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\x.exe" exit)3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.4MB
MD57f9e6ee81558b38fbe276f60949d38b9
SHA16358b944b0515b04da8fe7fda7dc3dbbfb82423c
SHA2566cd0a0976cff64c5287c166b73e5c877f026274f85599344756c47e9aa756bcb
SHA512960966cc6254f15d5653ec9dbfe0fdc6725f2c1209b4ddb8b1c68d8f646521340f91029a53a5c8c60c9f813f3fe3e83644b052913178ac75886ccbd894be9ce3
-
Filesize
8.4MB
MD5a2a5a9b937771a4b82694c844fd27e36
SHA1402e2f7bfe1f24d6ea048d58bf156676132f515d
SHA256390126ab71cd12f414f4200cc246d5283c534ab216794ce9980048779960ea68
SHA512d352b147c8f045f9931725d25166916ce081ac5cf251f2987fb011deed2e8d3e08f91dbce8a2464abab5561b7915d69cbb7a0d02437b30b6fd3d5622621149e1
-
Filesize
722KB
MD543141e85e7c36e31b52b22ab94d5e574
SHA1cfd7079a9b268d84b856dc668edbb9ab9ef35312
SHA256ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
SHA5129119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc
-
Filesize
14.6MB
MD5cfe4b8f7535c958ea26cde6f32b559aa
SHA1253ba3372c6c0b1c301f6e968c4fb7d5ffd696d0
SHA2560afc8b7c47f48ef991535d435d48411ea12c4b98f14253a27b15ec6d7f020620
SHA51201e8862cb7c1a3b247d09ca8e9f94c40232aaed93ab9f1937de0f69f83ba3d32926b6289b7bc5b8ae2bb06876b915a50ed65bb8ba10ffadcbbee579ce968bd39
-
Filesize
2KB
MD59160347bec74471e1a79edfd950629ae
SHA1c149a7e5aab6e349a70b7b458d0eaaa9d301c790
SHA2560fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab
SHA512b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358
-
Filesize
14.6MB
MD52380aed7f261148fdb35af6688e408ee
SHA1fa359778d16c934ba96b96f3c6c17a10a9e266b0
SHA25612afa4813940c6985259f487d5e2892550596a60c6c77f806aefa2c254c74bb4
SHA512646bdbc4f01991460755c6a2c2dbbca0a0170c83d06050ba50ec1b5406d58f8035498c84462dd9e6ab1d695b8854e2f4734d64ec2f4ab1083371fd145963bb85
-
Filesize
18.1MB
MD5efcd72ad2d3430248a68e5f960ed5e2b
SHA158cc7d2732f401b99926211c0dab319dfc0bba1a
SHA25641686ad9f581037f44b72b37f8bee562512854fc6807c5a13ea1646cdeab61c8
SHA512d50dd3628e0ed5b6040545e1a1836ffcdde30c4748b220efb7df29aa139b22b814d2466d6808c8dc3af765b9ce8092582720f69187a6562eefd6fca4cb9670e5
-
Filesize
696KB
-
Filesize
18.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
18.1MB
-
Filesize
18.1MB