aec4b44f6a7d73dfd5fb0953ae43ea47653c3de957da800abf0c85ef9c296358

Resubmissions

29/04/2024, 03:57

240429-ehxsrshf91 7

29/04/2024, 03:19

240429-dvcgxsge93 7

29/04/2024, 03:10

240429-dn8xjsgd42 7

Analysis

max time kernel
1799s
max time network
1801s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
29/04/2024, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GunManiaSetup(4).exe
Size

51.2MB
MD5

2ab8b50b30c738d5bf9d143d3a04fb2e
SHA1

1fe4c07e8f8cad012bb8940077156fc681c11295
SHA256

aec4b44f6a7d73dfd5fb0953ae43ea47653c3de957da800abf0c85ef9c296358
SHA512

3db47ea9138d363f093d12917a044a5961769db1b19fdbee24b4078ba67ed4980804a173d11420437eb0233d6078b2035c6c74532758f221153ccfb961f81ad7
SSDEEP

393216:1pIMX/BFDRn5kd4eqJbJMKg+DVMr1PJvKXPDaF9W375zOlBOLfK6mIDoN0/zv+jG:1FYK/wlBOLC7/WyrV+

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3836	GunManiaSetup(4).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1348	powershell.exe
1348	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 3248	3836	GunManiaSetup(4).exe	80
PID 3836 wrote to memory of 3248	3836	GunManiaSetup(4).exe	80
PID 3248 wrote to memory of 1012	3248	cmd.exe	82
PID 3248 wrote to memory of 1012	3248	cmd.exe	82
PID 3248 wrote to memory of 1348	3248	cmd.exe	83
PID 3248 wrote to memory of 1348	3248	cmd.exe	83
PID 1348 wrote to memory of 848	1348	powershell.exe	84
PID 1348 wrote to memory of 848	1348	powershell.exe	84
PID 848 wrote to memory of 4472	848	csc.exe	85
PID 848 wrote to memory of 4472	848	csc.exe	85

C:\Users\Admin\AppData\Local\Temp\GunManiaSetup(4).exe
"C:\Users\Admin\AppData\Local\Temp\GunManiaSetup(4).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\Admin\AppData\Local\Temp\neuillestealer-1714363057973\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\neuillestealer-1714363057973\temp.ps1 "
    3⤵
    PID:1012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\io4013g4\io4013g4.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66C8.tmp" "c:\Users\Admin\AppData\Local\Temp\io4013g4\CSC5C6DB11799FC4A8E8619F912A719BFB2.TMP"
        5⤵
        
        PID:4472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES66C8.tmp

Filesize
1KB

MD5
7757b01282ec384cb7f6f0106c1c8c08

SHA1
6f0d7c781d94d79dba8b28c58289df657e50a8bb

SHA256
4e7f942b10ccafa96976111f16c199b0814efd029966dc9f9f279d3a2f58e43f

SHA512
6c637775b5586964aea79d53dbdd9d0d708dd9b794cbb744049969689db14d76bbda49d11fa47931523892385d78f319c43cc611cd2f9a65fba67a6b550b52ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_spua2twd.ovk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\io4013g4\io4013g4.dll

Filesize
3KB

MD5
0b50138bdeffb53a1c1d94b0d70618d7

SHA1
e9a6e2fd759f91e4dce4601a06722eb0fea991e4

SHA256
0b00c2febfa70f81b8d49f7b9c39cf5532217094641416ea0ea74e39a0240537

SHA512
1b216c5da7fa88f762f89905ac8592af3bcc47be83132c8c795d027dde02444317f9882ec384ed19ff8b88f70989bd57e5d52744499629f128a13085871ab171

Download Submit
C:\Users\Admin\AppData\Local\Temp\neuillestealer-1714363057973\temp.ps1

Filesize
337B

MD5
73b96006f10fa4751894674df3a0ef90

SHA1
ebe6d5798552efd54dc7e17706fbcb7545c61e4b

SHA256
eec685962488449f098ed630b2ec1a403d27bc11759f414e4c64d4fce012ae47

SHA512
235b585ccd3795b844bd6325f45b48a44269c4f2d56e73ecd0b6606201af8cce73eecc880f84fb2e75953b7fd59b08baf4419c54c585992319f603edc8212e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\io4013g4\CSC5C6DB11799FC4A8E8619F912A719BFB2.TMP

Filesize
652B

MD5
9ccd5985282d6aab8153bf907b8cbab6

SHA1
e4246f34f00c688dd3fe9b7f00760610e0122d01

SHA256
ac4905c98d7845b47f169b1e37636913e7e41db8b0726b48e96f1bf9990cad1b

SHA512
f3fa2a7a8a852f45933276eb298737a7f48066572b8b28076681afc6e8cbd9d0f3c9b651067203bd5be582c7dd0712e8e52d7856b14686d88b9212f941362984

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\io4013g4\io4013g4.0.cs

Filesize
291B

MD5
8e748907be602c9282ec791eb1029847

SHA1
8b5930eaf7d3fee3eff5aea3125122f8a3f7be49

SHA256
f474479ebe51c16859553b4f871f2ac58012d6ddcdbb6593fbc9a6be3345fa76

SHA512
ca5915d6eb1101947978afc9921d74a2994db2dc0854ed4e848ca18c84b4f5abec572fb89124480cf14ed8c5380b82dfff0e54d17f0e57f6d3d0e9c74e2d66ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\io4013g4\io4013g4.cmdline

Filesize
369B

MD5
93dc937fbe62637ccfc88ac4dccd18b4

SHA1
45453c94fc8694888b6f9432480b593cd3b9fadd

SHA256
57e3028245512372f8e85a40beeb9aa879701e8636b0bf54ba2d6dc07c67b4e6

SHA512
98c862430a0a523158b8ccc1165b53b3609429023b9444d11b354f7754661a02f4e8adb9f754efd51c044b08a2a0f383db239d6a3381f57b3c231ae5e3d1f359

Download Submit
memory/1348-39-0x000001FDBE2D0000-0x000001FDBE2F2000-memory.dmp

Filesize
136KB

Download
memory/1348-43-0x000001FDBE720000-0x000001FDBE766000-memory.dmp

Filesize
280KB

Download
memory/1348-40-0x00007FFFAE490000-0x00007FFFAEF52000-memory.dmp

Filesize
10.8MB

Download
memory/1348-41-0x000001FDBE120000-0x000001FDBE130000-memory.dmp

Filesize
64KB

Download
memory/1348-56-0x000001FDBE2C0000-0x000001FDBE2C8000-memory.dmp

Filesize
32KB

Download
memory/1348-42-0x000001FDBE120000-0x000001FDBE130000-memory.dmp

Filesize
64KB

Download
memory/1348-61-0x00007FFFAE490000-0x00007FFFAEF52000-memory.dmp

Filesize
10.8MB

Download