Analysis

  • max time kernel
    92s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 21:41

General

  • Target

    2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe

  • Size

    13.8MB

  • MD5

    68bcccc655105a6e36022eaa1ca9169d

  • SHA1

    2efabc426721ebc055d748084e010c4c700492c9

  • SHA256

    aa113d879ad12050965e7ab4b56b62a50361cc5bce0367b68ea12ec7dc1a945c

  • SHA512

    04cd4068c26b5c7ebab30e03e2c0c0cc6daca98e6a48ea713f6c2fdc61b61a349c465dbb03bcd72ce51c7b0f62d8740e89638830332fb5c75efc1d39acac50a7

  • SSDEEP

    196608:3Bsd3+XNqcBQ9KRIWGm2+/ST7lnP5PV6Cv6aObt:mAXhBQ9KO5+C7lP5PVG

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. In this run the exclusion is a path exclusion for C:\Windows, which stops Defender from scanning anything placed under that directory.

  • Drops file in System32 directory 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3f5dd8de-52c6-4c90-8f96-71f48b846c8f.cmd""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\system32\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:4964
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath "C:\Windows"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:820
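The chain above (dropper writes a .cmd to Temp, cmd.exe runs it, timeout.exe delays, then powershell.exe adds a Defender exclusion) is the kind of sequence a detection engineer would want to catch from process-creation telemetry alone. The following is an added example, not part of the sandbox report: a small Python detector that decodes -EncodedCommand payloads, matches Add-/Set-MpPreference with any unambiguous prefix of an -Exclusion* parameter (PowerShell accepts -ExclusionPa for -ExclusionPath), rates the exclusion by how much it hides, and reports the parent chain. The first four sample events copy the PIDs, images and command lines from the tree above; the encoded event and the narrow "build directory" event are constructed to exercise the edge cases.

```python
"""Flag Windows Defender exclusion tampering in process-creation telemetry.

Added example, not code from the sandbox report. Sample events are
constructed: four mirror the report's process tree, two are invented.
"""
import base64
import binascii
import re

MZ = r"C:\Users\Admin\AppData\Local\Temp\2024-05-22_68bcccc655105a6e36022eaa1ca9169d_megazord.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"pid": 3212, "ppid": 1, "image": MZ, "cmdline": f'"{MZ}"'},
    {"pid": 2404, "ppid": 3212, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3f5dd8de-52c6-4c90-8f96-71f48b846c8f.cmd""'},
    {"pid": 4964, "ppid": 2404, "image": r"C:\Windows\system32\timeout.exe", "cmdline": "timeout 4"},
    {"pid": 820, "ppid": 2404, "image": PS,
     "cmdline": r'powershell -Command Add-MpPreference -ExclusionPath "C:\Windows"'},
    # constructed: same tactic hidden behind -EncodedCommand (UTF-16LE base64)
    {"pid": 901, "ppid": 2404, "image": PS,
     "cmdline": "powershell -nop -w hidden -enc " + base64.b64encode(
         'Set-MpPreference -ExclusionProcess "svchost.exe"'.encode("utf-16le")).decode()},
    # constructed: an admin excluding a narrow build directory, using a parameter prefix
    {"pid": 1500, "ppid": 700, "image": PS,
     "cmdline": r'powershell Add-MpPreference -ExclusionPa "C:\dev\build\obj"'},
]

# powershell.exe accepts -e, -ec, -enc, -encodedcommand; -ep/-executionpolicy must not match
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{8,})", re.I)
CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
VALUE = r'"[^"]*"|\'[^\']*\'|[^\s,]+'
# Any unambiguous prefix of ExclusionPath / ExclusionProcess / ExclusionExtension / ExclusionIpAddress
PARAM_RE = re.compile(r"-Exclusion(pa\w*|pr\w*|e\w*|i\w*)\s+((?:%s)(?:\s*,\s*(?:%s))*)" % (VALUE, VALUE), re.I)
VALUE_RE = re.compile(VALUE)
STAGED_RE = re.compile(r'\\(?:temp|appdata)\\[^"]*\.(?:cmd|bat)"', re.I)
BROAD = {"c:", r"c:\windows", r"c:\users", r"c:\programdata", r"c:\program files", r"c:\program files (x86)"}


def kind_of(prefix):
    """Expand a parameter prefix such as 'Pa' or 'Process' to its full Defender parameter name."""
    p = prefix.lower()
    if p.startswith("pa"):
        return "ExclusionPath"
    if p.startswith("pr"):
        return "ExclusionProcess"
    return "ExclusionExtension" if p.startswith("e") else "ExclusionIpAddress"


def decode_encoded(cmdline):
    """Return the plaintext behind an -EncodedCommand argument, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def is_broad(path):
    """True when a path exclusion covers a drive, a system root, a profile, or a staging directory."""
    p = path.strip().strip("\"'").lower().rstrip("\\")
    if "*" in p or p.startswith("%") or p.endswith(":") or p in BROAD:
        return True
    return bool(re.fullmatch(r"[a-z]:\\users\\[^\\]+(?:\\appdata(?:\\local|\\roaming)?(?:\\temp)?)?", p))


def ancestry(event, events):
    """Walk ppid links upward and return the events from this process to the known root."""
    by_pid = {e["pid"]: e for e in events}
    chain, cur = [], event
    while cur is not None and len(chain) < 16:
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def analyze(event, events):
    """Return a finding dict if the event changes Defender exclusions, else None."""
    decoded = decode_encoded(event["cmdline"])
    script = decoded if decoded is not None else event["cmdline"]
    if not CMDLET_RE.search(script):
        return None
    exclusions = [(kind_of(m.group(1)), v.strip("\"'"))
                  for m in PARAM_RE.finditer(script) for v in VALUE_RE.findall(m.group(2))]
    if not exclusions:
        return None
    # Process and extension exclusions hide everything that matches; path exclusions depend on scope
    broad = any(k in ("ExclusionProcess", "ExclusionExtension") or (k == "ExclusionPath" and is_broad(v))
                for k, v in exclusions)
    chain = ancestry(event, events)
    return {
        "pid": event["pid"],
        "severity": "high" if broad or decoded is not None else "medium",
        "encoded": decoded is not None,
        "exclusions": exclusions,
        "ancestry": [e["image"].rsplit("\\", 1)[-1].lower() for e in chain],
        # a .cmd/.bat under Temp or AppData somewhere in the parent chain, as in the report
        "staged_from_temp": any(STAGED_RE.search(e["cmdline"]) for e in chain),
    }


def scan(events):
    """Run analyze() over every event and keep the findings, in event order."""
    return [f for f in (analyze(e, events) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Rating on the exclusion's scope rather than on the cmdlet alone keeps a developer's narrow build-path exclusion at medium while the report's C:\Windows exclusion, and any process or extension exclusion, lands at high; the decoded form is matched so -EncodedCommand does not evade the rule. In production the same logic applies to Sysmon Event ID 1, Security 4688 with command-line auditing, or PowerShell 4104 script-block text, and Defender's own Event ID 5007 (configuration change) is a second, independent source for the same action.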

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3f5dd8de-52c6-4c90-8f96-71f48b846c8f.cmd

    Filesize

    113B

    MD5

    0e33c7f70311c1f81d0fb0db3f41db6b

    SHA1

    8cc92b1efdaf679367f9902bbe1e4507057b0b6f

    SHA256

    37691ab0d94e0db5692c95f5d34aa60fa23dda989d2763dd06218311370b7580

    SHA512

    940885fb9c22e3b3ec441394e8f1796147ee4aa0b7d5b534be1afe07dc6ca94ed932d773b4431cc61712fcdbd805ae2ed954ffb853d7de43b70a7896d2def05c

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_geqs3kmq.yvb.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/820-3-0x00007FFFFF523000-0x00007FFFFF525000-memory.dmp

    Filesize

    8KB

  • memory/820-4-0x0000015D4CE80000-0x0000015D4CEA2000-memory.dmp

    Filesize

    136KB

  • memory/820-14-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp

    Filesize

    10.8MB

  • memory/820-15-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp

    Filesize

    10.8MB

  • memory/820-16-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp

    Filesize

    10.8MB

  • memory/820-19-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp

    Filesize

    10.8MB