Analysis Overview
SHA256
def65e96cc82352b542ac1bccde082f117bf289e3694aeb6485133c9f1f06dfd
Threat Level: Likely benign
The file Check-Nahimic.ps1 was found to be: Likely benign.
Malicious Activity Summary
Drops file in System32 directory
Command and Scripting Interpreter: PowerShell
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 08:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 08:29
Reported
2024-06-13 08:34
Platform
win11-20240611-en
Max time kernel
270s
Max time network
273s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\diskmgmt.msc | C:\Windows\system32\mmc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Check-Nahimic.ps1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\diskmgmt.msc"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CompareConvertFrom.mpeg"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.66.73:443 | | tcp |
| US | 8.8.8.8:53 | browser.pipe.aria.microsoft.com | udp |
| US | 13.89.179.11:443 | browser.pipe.aria.microsoft.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| US | 150.171.22.254:443 | ln-ring.msedge.net | tcp |
| US | 52.108.8.254:443 | wac-ring.msedge.net | tcp |
| US | 152.199.19.161:443 | fp-vp-nocache.azureedge.net | tcp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| GB | 2.18.66.73:443 | | tcp |
| GB | 2.18.66.73:443 | | tcp |
| BR | 191.233.176.51:443 | 4d6f579a107a8b8692f346eaeb6d2b5d.azr.footprintdns.com | tcp |
| US | 131.253.33.254:443 | a-ring-fallback.msedge.net | tcp |
| US | 20.140.151.75:443 | fp-afd.azurefd.us | tcp |
| SE | 20.91.200.215:443 | ea144c330dd5fd6a913a238ae4784691.azr.footprintdns.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| US | 13.89.179.11:443 | browser.pipe.aria.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0lnaruk3.dy2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | e0236413295e49948baeeb46d884acef |
| SHA1 | c24f80184264ef596722c1a84b8dedde9bdad557 |
| SHA256 | 11af5d1895a6e5952ebf08f72ad5121d828a5e2f8dc0656875d527e886ca54e8 |
| SHA512 | d99fd945c37dee141ea4e4f2e2460f482230bb679d8a63131348685a7dbebce074c9543161672fc525cd0c84d41d29e2ee78f6e3a7b8f7d18ca40eefcb95e5c6 |