aa113d879ad12050965e7ab4b56b62a50361cc5bce0367b68ea12ec7dc1a945c

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe
Size

13.8MB
MD5

68bcccc655105a6e36022eaa1ca9169d
SHA1

2efabc426721ebc055d748084e010c4c700492c9
SHA256

aa113d879ad12050965e7ab4b56b62a50361cc5bce0367b68ea12ec7dc1a945c
SHA512

04cd4068c26b5c7ebab30e03e2c0c0cc6daca98e6a48ea713f6c2fdc61b61a349c465dbb03bcd72ce51c7b0f62d8740e89638830332fb5c75efc1d39acac50a7
SSDEEP

196608:3Bsd3+XNqcBQ9KRIWGm2+/ST7lnP5PV6Cv6aObt:mAXhBQ9KO5+C7lP5PVG

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2936 powershell.exe
Drops file in System32 directory 1 IoCs

Processes:

2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe

description ioc process

File created C:\Windows\System32\wbem\svchost.exe 2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2116 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2936 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2936 powershell.exe

pid	process
2936	powershell.exe

description	ioc	process
File created	C:\Windows\System32\wbem\svchost.exe	2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe

pid	process
2116	timeout.exe

pid	process
2936	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2936	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.execmd.exe

description	pid	process	target process
PID 2248 wrote to memory of 1744	2248	2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe	cmd.exe
PID 2248 wrote to memory of 1744	2248	2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe	cmd.exe
PID 2248 wrote to memory of 1744	2248	2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe	cmd.exe
PID 1744 wrote to memory of 2116	1744	cmd.exe	timeout.exe
PID 1744 wrote to memory of 2116	1744	cmd.exe	timeout.exe
PID 1744 wrote to memory of 2116	1744	cmd.exe	timeout.exe
PID 2248 wrote to memory of 2736	2248	2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe	WerFault.exe
PID 2248 wrote to memory of 2736	2248	2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe	WerFault.exe
PID 2248 wrote to memory of 2736	2248	2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe	WerFault.exe
PID 1744 wrote to memory of 2936	1744	cmd.exe	powershell.exe
PID 1744 wrote to memory of 2936	1744	cmd.exe	powershell.exe
PID 1744 wrote to memory of 2936	1744	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\468ad768-09b4-444d-bc75-7f898aa8c1fe.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:2116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Windows"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2248 -s 1044
2⤵
PID:2736

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\468ad768-09b4-444d-bc75-7f898aa8c1fe.cmd
Filesize
113B

MD5
0e33c7f70311c1f81d0fb0db3f41db6b

SHA1
8cc92b1efdaf679367f9902bbe1e4507057b0b6f

SHA256
37691ab0d94e0db5692c95f5d34aa60fa23dda989d2763dd06218311370b7580

SHA512
940885fb9c22e3b3ec441394e8f1796147ee4aa0b7d5b534be1afe07dc6ca94ed932d773b4431cc61712fcdbd805ae2ed954ffb853d7de43b70a7896d2def05c

Download Submit
memory/2248-0-0x000000013FBC6000-0x000000013FBC7000-memory.dmp

Filesize
4KB

Download
memory/2936-13-0x000007FEF567E000-0x000007FEF567F000-memory.dmp

Filesize
4KB

Download
memory/2936-15-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2936-14-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2936-16-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-18-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-19-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-20-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-17-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-21-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download