0432dca5d3f8623103c1e112f052a4ed7990d550b029c445858ffc94a9abe65b

Resubmissions

15/04/2024, 17:37

240415-v66nksed8w 7

15/04/2024, 17:34

240415-v5ll1sed3z 7

15/04/2024, 17:30

240415-v3fmzsca66 3

15/04/2024, 17:27

240415-v1vdcseb8w 7

Analysis

max time kernel
12s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsPowerShell/v1.0/Modules/Get-NetView/Get-NetView.ps1
Size

110KB
MD5

8687881579d80c458e07f0f8747c056b
SHA1

bfb55e32e82689e143881d76da3c5a56784c6fcb
SHA256

0af370258f581af1d63384e53878cd16c08566dfb9062edcb8c847ece28bd37c
SHA512

5e233d14f8442b46cfc568dac9f4ef8714f1d44f1bace7869b4c1481386cf500f546e8232534e29005dea2849e6e939440e9d5f85bff30c6ed3520f774571144
SSDEEP

768:sBP2/Byj9gieuPZFG27L3rbQ1oRWCpUkY9KAXtxiicAD:sBP2AjFTG27LPKoRWC6d9yicw

Score

4^/10

Malware Config

Signatures

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3440	sc.exe
1596	sc.exe
1764	sc.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2424	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3360	powershell.exe
3360	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeShutdownPrivilege	4160	powercfg.exe
Token: SeCreatePagefilePrivilege	4160	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3360	powershell.exe
Token: SeSecurityPrivilege	3360	powershell.exe
Token: SeTakeOwnershipPrivilege	3360	powershell.exe
Token: SeLoadDriverPrivilege	3360	powershell.exe
Token: SeSystemProfilePrivilege	3360	powershell.exe
Token: SeSystemtimePrivilege	3360	powershell.exe
Token: SeProfSingleProcessPrivilege	3360	powershell.exe
Token: SeIncBasePriorityPrivilege	3360	powershell.exe
Token: SeCreatePagefilePrivilege	3360	powershell.exe
Token: SeBackupPrivilege	3360	powershell.exe
Token: SeRestorePrivilege	3360	powershell.exe
Token: SeShutdownPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeSystemEnvironmentPrivilege	3360	powershell.exe
Token: SeRemoteShutdownPrivilege	3360	powershell.exe
Token: SeUndockPrivilege	3360	powershell.exe
Token: SeManageVolumePrivilege	3360	powershell.exe
Token: 33	3360	powershell.exe
Token: 34	3360	powershell.exe
Token: 35	3360	powershell.exe
Token: 36	3360	powershell.exe
Token: SeIncreaseQuotaPrivilege	3360	powershell.exe
Token: SeSecurityPrivilege	3360	powershell.exe
Token: SeTakeOwnershipPrivilege	3360	powershell.exe
Token: SeLoadDriverPrivilege	3360	powershell.exe
Token: SeSystemProfilePrivilege	3360	powershell.exe
Token: SeSystemtimePrivilege	3360	powershell.exe
Token: SeProfSingleProcessPrivilege	3360	powershell.exe
Token: SeIncBasePriorityPrivilege	3360	powershell.exe
Token: SeCreatePagefilePrivilege	3360	powershell.exe
Token: SeBackupPrivilege	3360	powershell.exe
Token: SeRestorePrivilege	3360	powershell.exe
Token: SeShutdownPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeSystemEnvironmentPrivilege	3360	powershell.exe
Token: SeRemoteShutdownPrivilege	3360	powershell.exe
Token: SeUndockPrivilege	3360	powershell.exe
Token: SeManageVolumePrivilege	3360	powershell.exe
Token: 33	3360	powershell.exe
Token: 34	3360	powershell.exe
Token: 35	3360	powershell.exe
Token: 36	3360	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 4160	3360	powershell.exe	92
PID 3360 wrote to memory of 4160	3360	powershell.exe	92
PID 3360 wrote to memory of 1188	3360	powershell.exe	93
PID 3360 wrote to memory of 1188	3360	powershell.exe	93
PID 3360 wrote to memory of 2228	3360	powershell.exe	94
PID 3360 wrote to memory of 2228	3360	powershell.exe	94

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\WindowsPowerShell\v1.0\Modules\Get-NetView\Get-NetView.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Windows\system32\powercfg.exe
  "C:\Windows\system32\powercfg.exe" /List
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\system32\verifier.exe
  "C:\Windows\system32\verifier.exe" /querysettings
  2⤵
  PID:1188
- C:\Windows\system32\typeperf.exe
  "C:\Windows\system32\typeperf.exe" -q
  2⤵
  PID:2228
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" queryex vmsp
  2⤵
  - Launches sc.exe
  PID:3440
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" queryex vmsproxy
  2⤵
  - Launches sc.exe
  PID:1596
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" queryex PktMon
  2⤵
  - Launches sc.exe
  PID:1764
- C:\Windows\system32\systeminfo.exe
  "C:\Windows\system32\systeminfo.exe"
  2⤵
  - Gathers system information
  PID:2424
- C:\Users\Admin\AppData\Local\Temp\2B8DD07D-51AD-4036-BE94-F6FC8B88026C\dismhost.exe
  C:\Users\Admin\AppData\Local\Temp\2B8DD07D-51AD-4036-BE94-F6FC8B88026C\dismhost.exe {B204B2F0-9376-4C77-B4FC-FD9259C4D35D}
  2⤵
  PID:548

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2B8DD07D-51AD-4036-BE94-F6FC8B88026C\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B8DD07D-51AD-4036-BE94-F6FC8B88026C\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B8DD07D-51AD-4036-BE94-F6FC8B88026C\DismProv.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B8DD07D-51AD-4036-BE94-F6FC8B88026C\DmiProvider.dll

Filesize
415KB

MD5
ea8488990b95ce4ef6b4e210e0d963b2

SHA1
cd8bf723aa9690b8ca9a0215321e8148626a27d1

SHA256
04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98

SHA512
56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B8DD07D-51AD-4036-BE94-F6FC8B88026C\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B8DD07D-51AD-4036-BE94-F6FC8B88026C\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ykd0w1ha.nto.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\msdbg.OAILVCNY\_Localhost\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx

Filesize
68KB

MD5
1f83dae35478669aef357fe90594264a

SHA1
c70bfff0a559af8cb76ad80a504dd55bd6cc484d

SHA256
f5f9e97a6b1ec8d46a9bd5b9d4ccae96521b85517b0337b248814d2e974a968b

SHA512
94cee3ba110b815812fbb1339e54cf4b7b2942b0145315019d2a5acee75a90326a6bb0e74388ff5545afe23f85856c1404bf35698b5bdd6fdfe2be6645ce84d5

Download Submit
C:\Users\Admin\Desktop\msdbg.OAILVCNY\_Localhost\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Filesize
68KB

MD5
be9a78ad9a651ad3d0ffdb7c0374f989

SHA1
04dd921360d9011c5fb3d621867be9fa36a06504

SHA256
e8df43882f824e28c63fadde810c9eb6609eb0d06f8b85b3c5a86cf47737ce68

SHA512
e70253493ae563550328cbb428088d4ac53a809ba897342fb8a3881b164586e83a000d41b5703f63466bca024fe31e67e5c524bfdd402579f71739e710575ec0

Download Submit
C:\Users\Admin\Desktop\msdbg.OAILVCNY\_Localhost\winevt\Logs\Microsoft-Windows-WFP%4Operational.evtx

Filesize
68KB

MD5
5ce4284416e0fcef497081778cfbc2e0

SHA1
a1e02a9ab53af34dc7bc00219f905df64e157d61

SHA256
15600a31c1ccba2ac49c7d117041611017fd9d7c0e431e30f96a3734a2d5ea81

SHA512
3d5e9c7b95950f9d6ea7361c17e2a7ddbefcbb8b1cfc720f789bbe050412997a153e04ee5b9e64885baae0749d687443e5d4f1cbf2792030e15fa0955f30ee19

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
228KB

MD5
36106257081aa6008f7f6b314f977935

SHA1
6db585ece105efc8bc7e94728b40241bd201520f

SHA256
c5637b08b2f086611417d1bb00b144b6964050179f54f078b43508ede615341a

SHA512
e69ba9b044edcfdd3a361650bb57313693c8ce414bcf852e6b0fbd0e4d7d3d910f6651f880c0498ee398b9553f52cc2a83eceaa91461a0b80e821604fb709ca2

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
228KB

MD5
4b4842cab92e9cafd4afc122a24bd3f6

SHA1
31146d99e1b04b411a499a75e5afbbf9afdea1bf

SHA256
1c28e1f58384afe5b67c93d3ba3ef73e7d1b2f7c50c57fd8e721c6210f397a8f

SHA512
9b983335d4367e5111dd2e199c8b838b15a9119d42ba50fe8827c74ab9b0da012f2b1cb2a112893a08e9c37b5dd1a7b8c57d65d75c3ba00cdbc886a01b173347

Download Submit
memory/3360-106-0x0000019D48260000-0x0000019D48284000-memory.dmp

Filesize
144KB

Download
memory/3360-26-0x0000019D48260000-0x0000019D48284000-memory.dmp

Filesize
144KB

Download
memory/3360-23-0x0000019D48260000-0x0000019D4828A000-memory.dmp

Filesize
168KB

Download
memory/3360-14-0x0000019D47D40000-0x0000019D47D50000-memory.dmp

Filesize
64KB

Download
memory/3360-11-0x0000019D47D40000-0x0000019D47D50000-memory.dmp

Filesize
64KB

Download
memory/3360-307-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp

Filesize
10.8MB

Download
memory/3360-10-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp

Filesize
10.8MB

Download
memory/3360-9-0x0000019D47D10000-0x0000019D47D32000-memory.dmp

Filesize
136KB

Download
memory/3360-340-0x0000019D47D40000-0x0000019D47D50000-memory.dmp

Filesize
64KB

Download