5582109eef64a026654129cbf10c7a5d89917911904892707275681c7cc6e2ed

Analysis

max time kernel
65s
max time network
67s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04/05/2024, 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StarLight V2.exe
Size

1.6MB
MD5

48f419d0dddaef5cf146823e2f18aac7
SHA1

4d0c0ed195c33a172682c2d2076f8851a2e8c5c0
SHA256

5582109eef64a026654129cbf10c7a5d89917911904892707275681c7cc6e2ed
SHA512

5ace5a3c266c7497e143f6e96ebb0a3bed8f07324c7d0014407a3031431a777f38186a4c28ed785f2d3895c64b352cbdf88a707995272424281f4c14af3047f1
SSDEEP

49152:ovTDtjmh+GPLhV7K704tqVJuZm3pBqI/N0DD:eZ2+GPL+Idv

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv"	StarLight V2.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
516	StarLight V2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	516	StarLight V2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 2760	516	StarLight V2.exe	74
PID 516 wrote to memory of 2760	516	StarLight V2.exe	74
PID 2760 wrote to memory of 4388	2760	cmd.exe	75
PID 2760 wrote to memory of 4388	2760	cmd.exe	75
PID 2760 wrote to memory of 2132	2760	cmd.exe	76
PID 2760 wrote to memory of 2132	2760	cmd.exe	76
PID 2760 wrote to memory of 2384	2760	cmd.exe	77
PID 2760 wrote to memory of 2384	2760	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\StarLight V2.exe
"C:\Users\Admin\AppData\Local\Temp\StarLight V2.exe"
1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\StarLight V2.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\StarLight V2.exe" MD5
    3⤵
    PID:4388
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2132
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads