Analysis

  • max time kernel
    140s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-06-2024 01:47

General

  • Target

    b98f2ad4e65071bc462127329011bed54c5d6439cbd1716d80d6faffb0d5e36f.exe

  • Size

    7.2MB

  • MD5

    751d1cc5bec96d8310b7bdfd068b25b7

  • SHA1

    641aa777fafa57ed3a4fdce03eef2210faaaa089

  • SHA256

    b98f2ad4e65071bc462127329011bed54c5d6439cbd1716d80d6faffb0d5e36f

  • SHA512

    ef7b2218786542e2185c650355d89f8fb5c359babeaa6c4c500cf070c7f5ff767f630ca969dc5eb362dbdb9b7bd63d632d86d4254f2a613c1a44499092f266f8

  • SSDEEP

    196608:a5g00++fUGU2O21VYtHieGdCdeHErMPEVTCctrbWOjgWy8:itqmie8Ey9ctrbvMWy8

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Loads dropped DLL 17 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b98f2ad4e65071bc462127329011bed54c5d6439cbd1716d80d6faffb0d5e36f.exe
    "C:\Users\Admin\AppData\Local\Temp\b98f2ad4e65071bc462127329011bed54c5d6439cbd1716d80d6faffb0d5e36f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Users\Admin\AppData\Local\Temp\b98f2ad4e65071bc462127329011bed54c5d6439cbd1716d80d6faffb0d5e36f.exe
      "C:\Users\Admin\AppData\Local\Temp\b98f2ad4e65071bc462127329011bed54c5d6439cbd1716d80d6faffb0d5e36f.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b98f2ad4e65071bc462127329011bed54c5d6439cbd1716d80d6faffb0d5e36f.exe'"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1332
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b98f2ad4e65071bc462127329011bed54c5d6439cbd1716d80d6faffb0d5e36f.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4924
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1600
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1192
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5084
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2772
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4124
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1640

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\VCRUNTIME140.dll
      Filesize

      78KB

      MD5

      1e6e97d60d411a2dee8964d3d05adb15

      SHA1

      0a2fe6ec6b6675c44998c282dbb1cd8787612faf

      SHA256

      8598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9

      SHA512

      3f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\_bz2.pyd
      Filesize

      77KB

      MD5

      f73ea2b834471fb01d491a65caa1eea3

      SHA1

      00e888645e0a1638c639a2c21df04a3baa4c640a

      SHA256

      8633e8ad7172b095ed7ba40fa1039a64b04b20e6f42ac428e103d0c793831bda

      SHA512

      b8329b33d78458c2ac7979a5c5a19bd37ea9a473682d23faf54e77cfc5edadc0426490add9864e99a719ac5b4a57c5326ed82496adf80afd1876577caa608418

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\_ctypes.pyd
      Filesize

      104KB

      MD5

      136b63cf574eb6efe660d933b65f5d47

      SHA1

      97ec03b14e6301d671fc130bc950e4f19f881267

      SHA256

      96c6dd352221f8a9ba0077963b2a69a29c2d809ae1a5e674f217b51fcd1a2328

      SHA512

      659e18971125793a7f6ca0e0d4098700f05e5de9d69636e843a7c6e661b056e207048638488e62e2b0dcbcb57aecffa2b344a97345092e56fecf111783203242

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\_decimal.pyd
      Filesize

      193KB

      MD5

      bcdbf3a04a8bfd8c8a9624996735fc1a

      SHA1

      08d35c136fe5c779b67f56ae7165b394d5c8d8ef

      SHA256

      1f6db9be716626f6803cefd646fbbc478878c6acce597d9f6c5776dc7b69d3c7

      SHA512

      d22195c0a0535f7986d0a6d0bb820d36c8824a0b15378cb5d5ab0f334064896e0d64ed880d706f80e0b96d022631fc6b4fcc47371ca1d5cdd2c37dd75c62274b

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\_hashlib.pyd
      Filesize

      46KB

      MD5

      303a1d7d21ca6e625950a966d17f86be

      SHA1

      660aaad68207dc0a4d757307ad57e86b120f2d91

      SHA256

      53180306bad339e76cc427009db15f124f49d4c879676258264365a7e2ed703f

      SHA512

      99036d59cad6f286e8f901acadcc7db192bb385699228b1b34907ea49fb5ff07b636550c04f0d4b70f161a26ea2e58794d9080d69d053ada08d2ad9bd3f861df

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\_lzma.pyd
      Filesize

      144KB

      MD5

      b4251ed45538a2a7d79737db8fb139db

      SHA1

      cded1a4637e7e18684d89cd34c73cfae424183e6

      SHA256

      caad390c4c3c6b1e50a33754a0af7d2c3f4b1245c8ead79ff7f7be0e5654e210

      SHA512

      d40f7de85c8dbb3e16135e1f8d8ce829cb681eaab49c6f4c40792fa8f733743df70cfa7c6224e06bff68214069f90cd960970ac47d0348e9827a2136789c43c1

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\_queue.pyd
      Filesize

      26KB

      MD5

      48f98bbd96f2b179f9b62a634f2353ba

      SHA1

      24a374e9aebdefb6f02c4fad06502f9d13d000dd

      SHA256

      dee6f87c1cb0ee904e4a2189e04a2931d33e36db9e09312c96bc34f317a30bfd

      SHA512

      3980ef687c9050bef2ce08f6f2a497bd29bf51a7be45e275bf9f77987e1fbe1319888fc0c163d91ab9b805d42c8457bad792eea6ca62a8fd1503e8d2cdf58503

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\_socket.pyd
      Filesize

      65KB

      MD5

      b55ce33c6ba6d7af221f3d8b1a30a6f7

      SHA1

      b8696ed5b7a52c9bfda5c1ea4bd43a9ecc17fed0

      SHA256

      ec5817b46539f9a5cbf1525cf7c714bc0e9f5a918fc4b963dec9c301b86c7d1f

      SHA512

      4d15d90dd2bacc8c9537533b1267455fbc030e38546c1f6f4eb7dabe690c744471bd45c079f0c711b9eca330f1a413ea37fc6b08810854d5f51b69b19e991462

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\_sqlite3.pyd
      Filesize

      87KB

      MD5

      28f3bdac11f10f01949086f62e419483

      SHA1

      a145d080c7c632b0cb7c953e26846a4382dfadac

      SHA256

      9976a069b4dd182707dc454b71b2bdfcff4aba070edaf10f4061dd0fbf66516b

      SHA512

      dc81533795bf7dc887066dde569fcfe9dac2c176cf6e322252f7f094aca07cf8a5c73dbbb10261768e62584185845dd5a5de7305226ea2c328f6bcbbbe0d78e2

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\_ssl.pyd
      Filesize

      136KB

      MD5

      77da1e6ad0cbb474cb2714c6b09f661a

      SHA1

      da3946b0d6e56e7f416b96fce4c5b9f870747149

      SHA256

      fd6879eaadbc75a2a989568a1e6781cca9bb08508aed796b7fdea3f80aeae26a

      SHA512

      8fc31fd23fc42cb7e53faad8adfe3314ced71af4aae5bc2dcce91939365957f1052ebe054d0d02f4adb504e456e88465d4a79cf7acd7d0aab7617d652a06b749

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\base_library.zip
      Filesize

      1.4MB

      MD5

      83d235e1f5b0ee5b0282b5ab7244f6c4

      SHA1

      629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

      SHA256

      db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

      SHA512

      77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\blank.aes
      Filesize

      125KB

      MD5

      5135958f197fa1456b7dd735493702f0

      SHA1

      d4f70a09f945ef8f7e0bb7f802372465f5138860

      SHA256

      6dd9d9f4a31fd3f5c27c64ff9d5135f14bae60c00c95cfd35addf9c10a29af55

      SHA512

      d9dbff38223834bb9f1fad25d29ddb9578106147a9033f6b81ef7530009b95f8bc6ddfb594bba5866f4a760fd006664c64fa870bef97eb4849d516af1da4b371

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\blank.aes
      Filesize

      125KB

      MD5

      4ff58bd4f2ffdb9b94decc00463e0fb7

      SHA1

      33d598fc3226f8ff522388805b213d35ae69adb2

      SHA256

      741afa33abc87f6521823ecdc0a24fe21c39b4b82476a835d02212b001d2ead7

      SHA512

      fb1639f268996c1ae40f1c38fd83101adb001a1670b2858f37ab1fc137ff269b89a261f57b552458e3906ff3f022d4c5016afa87ea591aacff131bc08048140d

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\libcrypto-1_1.dll
      Filesize

      2.2MB

      MD5

      90311ea0cc27e27d2998969c57eba038

      SHA1

      4653f1261fb7b16bc64c72833cfb93f0662d6f6d

      SHA256

      239d518dd67d8c2bbf6aeaded86ed464865e914db6bf3b115973d525ebd7d367

      SHA512

      6e2f839fb8d7aaab0b51778670da104c36355e22991eae930d2eaecabab45b40fda5e2317f1c928a803146855ac5553e4e464a65213696311c206bec926775d8

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\libffi-8.dll
      Filesize

      29KB

      MD5

      fe36b0e8048f4f546efd7b1d4cb2505d

      SHA1

      f22077fcad8abd636f68e618b92707e6b1682d82

      SHA256

      2314f65a1be18057d72106e20818e954c823a49c0ba42457d4c51bb7c2bb0a9e

      SHA512

      701c7a67acd1147c9c28e78bdbf28e8e05b0616a1697b7abff96de419f8d2d9c34acbe5ba47057707923ed40a774e6c1d9f311ef6d4cf5e15be1a1516464e7e5

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\libssl-1_1.dll
      Filesize

      536KB

      MD5

      0eb0295658ac5ce82b2d96d330d2866e

      SHA1

      68894ff86e0b443502e3ba9ce06bfb1660d19204

      SHA256

      52224881670ced6419a3e68731e5e3d0b1d224d5816619dccf6161f91ec78021

      SHA512

      347b7b5d7b9b1c88ea642f92257f955c0202ae16d6764f82d9923c96c151f1e944abf968f1e5728bde0dae382026b5279e4bcbe24c347134a1fbe1cb0b2e090f

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\python311.dll
      Filesize

      4.7MB

      MD5

      b8769a867abc02bfdd8637bea508cab2

      SHA1

      782f5fb799328c001bca77643e31fb7824f9d8cc

      SHA256

      9cf39945840ee8d769e47ffdb554044550b5843b29c68fa3849ba9376c3a7ec8

      SHA512

      bf01e343877a92d458373c02a9d64426118915ade324cf12d6ff200970da641358e8f362732cd9a8508845e367313c9bab2772d59a9ae8d934cd0dd7d28535b3

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\rar.exe
      Filesize

      615KB

      MD5

      9c223575ae5b9544bc3d69ac6364f75e

      SHA1

      8a1cb5ee02c742e937febc57609ac312247ba386

      SHA256

      90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

      SHA512

      57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\rarreg.key
      Filesize

      456B

      MD5

      4531984cad7dacf24c086830068c4abe

      SHA1

      fa7c8c46677af01a83cf652ef30ba39b2aae14c3

      SHA256

      58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

      SHA512

      00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\select.pyd
      Filesize

      25KB

      MD5

      aae48cf580702fec3a79524d1721305c

      SHA1

      33f68231ff3e82adc90c3c9589d5cc918ad9c936

      SHA256

      93b2b54c80d03ff7ade5fe4cd03baed8c5b5a8e1edcd695a53bae2e369006265

      SHA512

      1c826364015684bb3fb36ce1fcb608da88f4c74b0eec6b53f4ca07b5ea99fee8b4e318c1570ce358cefd6b7bdf21b046b1375c3d687f6d0d08bf7b955568a1c6

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\sqlite3.dll
      Filesize

      1.2MB

      MD5

      49c5e54cf71cbaad73b88803428f57a5

      SHA1

      5127574c3c100352ff2cbb64cafe1dd19e8f99d5

      SHA256

      ef411d58fb0320744399c1ecbad5a06341d9f2819c0e3f21c9ced1f7194f57b1

      SHA512

      74f8791521f410fc0ea50fc55e461500424b6b5834ee5e890f804481d4570a5157f03f787fa169de8c3286180eb0202813cd60d7195d41551c0b8fb544ea9568

    • C:\Users\Admin\AppData\Local\Temp\_MEI42562\unicodedata.pyd
      Filesize

      1.1MB

      MD5

      b98d5dd9980b29ce394675dc757509b8

      SHA1

      7a3ad4947458baa61de998bc8fde1ef736a3a26c

      SHA256

      1498105d00434a5ebbaa6bee2e5f5677c34a948b2073d789f4d4b5968a4c8aaf

      SHA512

      ba7e52deaf88aab062646d6a70f9e15016fcbdcf55a4f16d8c73ea6a63ad591eb3b623514a9fecc03188b1d1eb55a6b168da55bb035dc7d605cae53def2b65f2

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2cwebj0j.xzm.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/1192-91-0x0000000074A30000-0x0000000074A7C000-memory.dmp
      Filesize

      304KB

    • memory/1192-113-0x0000000007680000-0x0000000007CFA000-memory.dmp
      Filesize

      6.5MB

    • memory/1192-68-0x00000000056E0000-0x0000000005746000-memory.dmp
      Filesize

      408KB

    • memory/1192-121-0x0000000007320000-0x0000000007328000-memory.dmp
      Filesize

      32KB

    • memory/1192-120-0x0000000007340000-0x000000000735A000-memory.dmp
      Filesize

      104KB

    • memory/1192-88-0x0000000005D50000-0x0000000005D6E000-memory.dmp
      Filesize

      120KB

    • memory/1192-118-0x0000000007230000-0x000000000723E000-memory.dmp
      Filesize

      56KB

    • memory/1192-90-0x0000000006280000-0x00000000062B2000-memory.dmp
      Filesize

      200KB

    • memory/1192-117-0x0000000005640000-0x0000000005651000-memory.dmp
      Filesize

      68KB

    • memory/1192-115-0x0000000007070000-0x000000000707A000-memory.dmp
      Filesize

      40KB

    • memory/4924-89-0x0000000006190000-0x00000000061DC000-memory.dmp
      Filesize

      304KB

    • memory/4924-112-0x00000000070D0000-0x0000000007173000-memory.dmp
      Filesize

      652KB

    • memory/4924-111-0x0000000006610000-0x000000000662E000-memory.dmp
      Filesize

      120KB

    • memory/4924-114-0x00000000073A0000-0x00000000073BA000-memory.dmp
      Filesize

      104KB

    • memory/4924-65-0x0000000005350000-0x0000000005978000-memory.dmp
      Filesize

      6.2MB

    • memory/4924-116-0x0000000007610000-0x00000000076A6000-memory.dmp
      Filesize

      600KB

    • memory/4924-97-0x0000000074A30000-0x0000000074A7C000-memory.dmp
      Filesize

      304KB

    • memory/4924-67-0x0000000005A30000-0x0000000005A96000-memory.dmp
      Filesize

      408KB

    • memory/4924-119-0x00000000075D0000-0x00000000075E4000-memory.dmp
      Filesize

      80KB

    • memory/4924-87-0x0000000005C10000-0x0000000005F64000-memory.dmp
      Filesize

      3.3MB

    • memory/4924-66-0x0000000005130000-0x0000000005152000-memory.dmp
      Filesize

      136KB

    • memory/4924-64-0x0000000002A50000-0x0000000002A86000-memory.dmp
      Filesize

      216KB