75d89fd4aa29e97e8859bdf734602490da0f90a4fd5213f737857d971c82e80c

Resubmissions

11/06/2024, 14:34

240611-rxlehazgqc 3

11/06/2024, 14:06

240611-rew4aazblg 7

Analysis

max time kernel
268s
max time network
278s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75d89fd4aa29e97e8859bdf734602490da0f90a4fd5213f737857d971c82e80c_2.zip
Size

777KB
MD5

60817831fc3ea259d45c9a537172f080
SHA1

bc6be7d44565b13e1008a3b962abc9bc6ee44217
SHA256

75d89fd4aa29e97e8859bdf734602490da0f90a4fd5213f737857d971c82e80c
SHA512

02fc5b1202897e0d1d99ff636ab43b9d4bb6335f1fc538bd63d361b4025584f8196504f4366668dc919c1c8cb52eea3742fdf8746748dae00bef4af0c606ebdd
SSDEEP

24576:iDv3cPduvcaRMi59YF7neQfxdIhjRT2Wrp:ij9kBi7kLeQydT2Wrp

Score

7^/10

execution

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1124	AutoHotkey.exe

Command and Scripting Interpreter: AutoHotKey 1 TTPs 1 IoCs

Using AutoHotKey for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
1124	AutoHotkey.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3640	powershell.exe
3640	powershell.exe
1124	AutoHotkey.exe
1124	AutoHotkey.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2480	7zG.exe
Token: 35	2480	7zG.exe
Token: SeSecurityPrivilege	2480	7zG.exe
Token: SeSecurityPrivilege	2480	7zG.exe
Token: SeDebugPrivilege	3640	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2480	7zG.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 1124	3640	powershell.exe	96
PID 3640 wrote to memory of 1124	3640	powershell.exe	96
PID 3640 wrote to memory of 1124	3640	powershell.exe	96

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\75d89fd4aa29e97e8859bdf734602490da0f90a4fd5213f737857d971c82e80c_2.zip
1⤵
PID:3692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3008

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\75d89fd4aa29e97e8859bdf734602490da0f90a4fd5213f737857d971c82e80c_2\" -spe -an -ai#7zMap15083:212:7zEvent1684
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Users\Admin\AppData\Local\Temp\75d89fd4aa29e97e8859bdf734602490da0f90a4fd5213f737857d971c82e80c_2\AutoHotkey.exe
  "C:\Users\Admin\AppData\Local\Temp\75d89fd4aa29e97e8859bdf734602490da0f90a4fd5213f737857d971c82e80c_2\AutoHotkey.exe" script.ahk
  2⤵
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoHotKey
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\75d89fd4aa29e97e8859bdf734602490da0f90a4fd5213f737857d971c82e80c_2\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\Users\Admin\AppData\Local\Temp\75d89fd4aa29e97e8859bdf734602490da0f90a4fd5213f737857d971c82e80c_2\script.ahk

Filesize
441B

MD5
334f3fd6c9fe35fa7d5e7d2780d636ee

SHA1
127f6bc9b9a42bf7036c3f39d66c87d32cddeaa2

SHA256
1c4d704dcf8a341a8a6129743b1eb84681d53c4459cdb62fe2954e41adfed961

SHA512
03389f83f96d6641e60003b6787a2f2726fc0affb6de9b9f92512fc79c49ca1c8d5448e3111f696ca1aa1c2b7268017f819e56292e8a3ed7d2d5f9224efb8e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\75d89fd4aa29e97e8859bdf734602490da0f90a4fd5213f737857d971c82e80c_2\test.txt

Filesize
930KB

MD5
09d0df57b9e2d00852322828d9791bec

SHA1
9c31734e88aaa19934cfd490a088d1d255103db7

SHA256
51163c6eb169dfe30ebdbdc3193c25ecb264b7bd6e2e250be9824563f383464f

SHA512
11479b5c09a3bb0b0216908895b7f6c6f6f640fc493b7463402ce796c3cd54bfca8443e8889f5a4f352d830074c08c6e75035618ee17db4f144023b853709ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ihni1no.gwo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3640-17-0x0000015F3B0A0000-0x0000015F3B0C2000-memory.dmp

Filesize
136KB

Download
memory/3640-18-0x0000015F3D5E0000-0x0000015F3D624000-memory.dmp

Filesize
272KB

Download
memory/3640-19-0x0000015F3D6B0000-0x0000015F3D726000-memory.dmp

Filesize
472KB

Download