Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
13/06/2024, 04:33
Static task
static1
Behavioral task
behavioral1
Sample
trigger.ps1
Resource
win11-20240611-en
General
-
Target
trigger.ps1
-
Size
5KB
-
MD5
1283a8dda20a7ee0d95bfb4137aca449
-
SHA1
522172f47a541b5951085e276a0a0afba1a541c0
-
SHA256
8fa77a5d324e475122b5d41cbec41632fcc5176765cee9e44beb94b65d95a3cb
-
SHA512
c9f47c8e1290cea48725e4bf87622dbc507f65a3953ef32bdc72416f1a7065bb6537734cf96f9817a83ce1932496257f98bd98a45ff19d6d829e047a6616f26f
-
SSDEEP
96:iy9RoMdK9QDoiIcnG+BUy0Y5nO+GKTZ3enFOoS+4grynmXVRhXaBk:nkWi9Ef5nOpKtkO5sQmABk
Malware Config
Signatures
-
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\Panther\UnattendGC\setupact.log UserOOBEBroker.exe File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log UserOOBEBroker.exe File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml UserOOBEBroker.exe File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml UserOOBEBroker.exe -
pid Process 2288 powershell.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2288 powershell.exe 2288 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2288 powershell.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 3168 MiniSearchHost.exe 2664 osk.exe 2664 osk.exe 2664 osk.exe 2664 osk.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1428 wrote to memory of 2664 1428 ATBroker.exe 97 PID 1428 wrote to memory of 2664 1428 ATBroker.exe 97
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:2560
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3168
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
PID:4540
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵PID:2980
-
C:\Windows\System32\ATBroker.exeC:\Windows\System32\ATBroker.exe /start osk1⤵
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\System32\osk.exe"C:\Windows\System32\osk.exe"2⤵
- Suspicious use of SetWindowsHookEx
PID:2664
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize10KB
MD59a7af7f1f08f7de9da3ba647286ee5a6
SHA1d7a23961ba5f8c4242a03f20686ff516c2ae432c
SHA256dddc3d322b46ec53927c26326a4f4d573dec131fbe668450f984c91c3104a08b
SHA51264b0d94e68aa2d0ee9d02f170de6989f5255c5c57d05dffbf4dbbe012dae43a6f4dbd59c6a85fd2621fb84ae7f4cdf486a089b90e3e6c4fce1b152ba5aa6ba58
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82