aec4b44f6a7d73dfd5fb0953ae43ea47653c3de957da800abf0c85ef9c296358

Resubmissions

29/04/2024, 03:57

240429-ehxsrshf91 7

29/04/2024, 03:19

240429-dvcgxsge93 7

29/04/2024, 03:10

240429-dn8xjsgd42 7

Analysis

max time kernel
50s
max time network
58s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
29/04/2024, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GunManiaSetup(4).exe
Size

51.2MB
MD5

2ab8b50b30c738d5bf9d143d3a04fb2e
SHA1

1fe4c07e8f8cad012bb8940077156fc681c11295
SHA256

aec4b44f6a7d73dfd5fb0953ae43ea47653c3de957da800abf0c85ef9c296358
SHA512

3db47ea9138d363f093d12917a044a5961769db1b19fdbee24b4078ba67ed4980804a173d11420437eb0233d6078b2035c6c74532758f221153ccfb961f81ad7
SSDEEP

393216:1pIMX/BFDRn5kd4eqJbJMKg+DVMr1PJvKXPDaF9W375zOlBOLfK6mIDoN0/zv+jG:1FYK/wlBOLC7/WyrV+

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3372	GunManiaSetup(4).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4412	powershell.exe
4412	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 3108	3372	GunManiaSetup(4).exe	81
PID 3372 wrote to memory of 3108	3372	GunManiaSetup(4).exe	81
PID 3108 wrote to memory of 4612	3108	cmd.exe	83
PID 3108 wrote to memory of 4612	3108	cmd.exe	83
PID 3108 wrote to memory of 4412	3108	cmd.exe	84
PID 3108 wrote to memory of 4412	3108	cmd.exe	84
PID 4412 wrote to memory of 4596	4412	powershell.exe	85
PID 4412 wrote to memory of 4596	4412	powershell.exe	85
PID 4596 wrote to memory of 392	4596	csc.exe	86
PID 4596 wrote to memory of 392	4596	csc.exe	86

C:\Users\Admin\AppData\Local\Temp\GunManiaSetup(4).exe
"C:\Users\Admin\AppData\Local\Temp\GunManiaSetup(4).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\Admin\AppData\Local\Temp\neuillestealer-1714360804114\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\neuillestealer-1714360804114\temp.ps1 "
    3⤵
    PID:4612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p4dv0vr2\p4dv0vr2.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BFB.tmp" "c:\Users\Admin\AppData\Local\Temp\p4dv0vr2\CSC42D508B3CDF447D691B18FFC6F42DEB8.TMP"
        5⤵
        
        PID:392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5BFB.tmp

Filesize
1KB

MD5
6e04c604cc2f6d03e69e21eb2fa5d04a

SHA1
34ab863053617981a52a0d9793532d9ad13dc82c

SHA256
6b24c94731246a7cababfae460cba9bc5ab6b07d9b4387f28f90c64b1ef63cf7

SHA512
d26de9676c53d894dbd0be79c147b31623e5af8886e0a0f6370ab3d820b692424e9e364f615936367a778a4dd8c47a9fee4098d9ca48e4da35572e7102bea4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qgglvyck.l2y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\neuillestealer-1714360804114\temp.ps1

Filesize
337B

MD5
73b96006f10fa4751894674df3a0ef90

SHA1
ebe6d5798552efd54dc7e17706fbcb7545c61e4b

SHA256
eec685962488449f098ed630b2ec1a403d27bc11759f414e4c64d4fce012ae47

SHA512
235b585ccd3795b844bd6325f45b48a44269c4f2d56e73ecd0b6606201af8cce73eecc880f84fb2e75953b7fd59b08baf4419c54c585992319f603edc8212e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4dv0vr2\p4dv0vr2.dll

Filesize
3KB

MD5
30d7ad09eba17cbb853344751c6fbcaf

SHA1
a637fb755f40bd26f6959f72aad25181bd9893c5

SHA256
9af81d72c6d4bad6b5051ff53432cc2f5df8ff8a880bf6b90b70e3f7d185e08f

SHA512
d2bfaa8390ba2e45d6edd8ab9b990dc5031e29ef749fae8df0ed1a6f68de808026486b5dd58a69cb927492ac3237cb2d80cb44de323264b7de03e9e92c15292f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p4dv0vr2\CSC42D508B3CDF447D691B18FFC6F42DEB8.TMP

Filesize
652B

MD5
0d3a373d534f98d8aec031f5fc26709e

SHA1
59321f12f53581a6bccf8e2bb2160e5a137b0b3a

SHA256
0d637a183b4177298db6b4a7ce817815d8de74a380f63acaee0e5bce07272b63

SHA512
b45856a80aab56720f9e919f68ec392bd45b8d9d217bceee496b3335b3b2ac2e73c6edaee1b9d8e305d51f63500c1dbc3b1f24aba0aebb042c7a08a5abff96f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p4dv0vr2\p4dv0vr2.0.cs

Filesize
291B

MD5
8e748907be602c9282ec791eb1029847

SHA1
8b5930eaf7d3fee3eff5aea3125122f8a3f7be49

SHA256
f474479ebe51c16859553b4f871f2ac58012d6ddcdbb6593fbc9a6be3345fa76

SHA512
ca5915d6eb1101947978afc9921d74a2994db2dc0854ed4e848ca18c84b4f5abec572fb89124480cf14ed8c5380b82dfff0e54d17f0e57f6d3d0e9c74e2d66ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p4dv0vr2\p4dv0vr2.cmdline

Filesize
369B

MD5
92f93b9eff727c56ffbe31b25f15c6a0

SHA1
61f9ee6fabba9d5a8401b1ec604b571b7b5ece29

SHA256
dcf71fb5391e95b9b551656413e0c89148e458e09df86989e1ccdd152f32db43

SHA512
d58cd38fa2716afe227367e4c80572c9780010cc62904a9d406ae46804e8a448400d3f00a43690db67df1084cec029fd357368c656050c1eb7be523b77da93ec

Download Submit
memory/4412-39-0x0000018DB71A0000-0x0000018DB71C2000-memory.dmp

Filesize
136KB

Download
memory/4412-43-0x0000018DB7600000-0x0000018DB7646000-memory.dmp

Filesize
280KB

Download
memory/4412-40-0x00007FF8D7AC0000-0x00007FF8D8582000-memory.dmp

Filesize
10.8MB

Download
memory/4412-41-0x0000018DB71E0000-0x0000018DB71F0000-memory.dmp

Filesize
64KB

Download
memory/4412-56-0x0000018DB75B0000-0x0000018DB75B8000-memory.dmp

Filesize
32KB

Download
memory/4412-42-0x0000018DB71E0000-0x0000018DB71F0000-memory.dmp

Filesize
64KB

Download
memory/4412-61-0x00007FF8D7AC0000-0x00007FF8D8582000-memory.dmp

Filesize
10.8MB

Download