c061c96731078f03bfee42a84070cd6f4319a99e2eb17c3e730967152646b570

Resubmissions

03-07-2024 15:25

240703-stqqgswapb 3

03-07-2024 15:19

240703-sqgy6svfqh 3

Analysis

max time kernel
15s
max time network
18s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03-07-2024 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExecutableScriptsLabel.exe
Size

36.1MB
MD5

65f340057b5ecd866c624f3c93a33c61
SHA1

32c66b6bda9eeb80421268ef460545ed3cdaeab8
SHA256

c061c96731078f03bfee42a84070cd6f4319a99e2eb17c3e730967152646b570
SHA512

8fce464f5a1620451c26ebc817810bf6000f61d47409bd8e5c4b91c8c7552ceea9aeb1ffa11d531cf65ecc96f6e67ff9b9cfeef09464b563314c1cff2b0c3dde
SSDEEP

393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfp:fMguj8Q4Vfv0qFTrYH

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 1 IoCs

evasion

pid	Process
2168	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeIncreaseQuotaPrivilege	688	WMIC.exe
Token: SeSecurityPrivilege	688	WMIC.exe
Token: SeTakeOwnershipPrivilege	688	WMIC.exe
Token: SeLoadDriverPrivilege	688	WMIC.exe
Token: SeSystemProfilePrivilege	688	WMIC.exe
Token: SeSystemtimePrivilege	688	WMIC.exe
Token: SeProfSingleProcessPrivilege	688	WMIC.exe
Token: SeIncBasePriorityPrivilege	688	WMIC.exe
Token: SeCreatePagefilePrivilege	688	WMIC.exe
Token: SeBackupPrivilege	688	WMIC.exe
Token: SeRestorePrivilege	688	WMIC.exe
Token: SeShutdownPrivilege	688	WMIC.exe
Token: SeDebugPrivilege	688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	688	WMIC.exe
Token: SeRemoteShutdownPrivilege	688	WMIC.exe
Token: SeUndockPrivilege	688	WMIC.exe
Token: SeManageVolumePrivilege	688	WMIC.exe
Token: 33	688	WMIC.exe
Token: 34	688	WMIC.exe
Token: 35	688	WMIC.exe
Token: 36	688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	688	WMIC.exe
Token: SeSecurityPrivilege	688	WMIC.exe
Token: SeTakeOwnershipPrivilege	688	WMIC.exe
Token: SeLoadDriverPrivilege	688	WMIC.exe
Token: SeSystemProfilePrivilege	688	WMIC.exe
Token: SeSystemtimePrivilege	688	WMIC.exe
Token: SeProfSingleProcessPrivilege	688	WMIC.exe
Token: SeIncBasePriorityPrivilege	688	WMIC.exe
Token: SeCreatePagefilePrivilege	688	WMIC.exe
Token: SeBackupPrivilege	688	WMIC.exe
Token: SeRestorePrivilege	688	WMIC.exe
Token: SeShutdownPrivilege	688	WMIC.exe
Token: SeDebugPrivilege	688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	688	WMIC.exe
Token: SeRemoteShutdownPrivilege	688	WMIC.exe
Token: SeUndockPrivilege	688	WMIC.exe
Token: SeManageVolumePrivilege	688	WMIC.exe
Token: 33	688	WMIC.exe
Token: 34	688	WMIC.exe
Token: 35	688	WMIC.exe
Token: 36	688	WMIC.exe
Token: SeDebugPrivilege	2168	taskkill.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 968	64	ExecutableScriptsLabel.exe	74
PID 64 wrote to memory of 968	64	ExecutableScriptsLabel.exe	74
PID 968 wrote to memory of 2004	968	cmd.exe	75
PID 968 wrote to memory of 2004	968	cmd.exe	75
PID 968 wrote to memory of 3548	968	cmd.exe	76
PID 968 wrote to memory of 3548	968	cmd.exe	76
PID 3548 wrote to memory of 688	3548	powershell.exe	77
PID 3548 wrote to memory of 688	3548	powershell.exe	77
PID 3548 wrote to memory of 2168	3548	powershell.exe	79
PID 3548 wrote to memory of 2168	3548	powershell.exe	79

C:\Users\Admin\AppData\Local\Temp\ExecutableScriptsLabel.exe
"C:\Users\Admin\AppData\Local\Temp\ExecutableScriptsLabel.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:64
- C:\Windows\system32\cmd.exe
  cmd.exe /C call C:\Users\Admin\AppData\Local\Temp\ad01e643dfb1e68e9480973cafc758b1.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\system32\findstr.exe
    findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\ad01e643dfb1e68e9480973cafc758b1.bat"
    3⤵
    PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "$d = wmic diskdrive get model;if ($d -like '*DADY HARDDISK*' -or $d -like '*QEMU HARDDISK*') { taskkill /f /im cmd.exe }"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\System32\Wbem\WMIC.exe
      "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:688
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgwuhtij.t3e.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad01e643dfb1e68e9480973cafc758b1.bat

Filesize
3.4MB

MD5
5eb1a9aaf85061d289df8c1365162da1

SHA1
4ecda126d9d5c4a95404cefeb978bf34fb5b4c4b

SHA256
3f2fa9af7417b0a5f96b91cb957a5e60ff48f8f554c60a114a000ef5fe90fafe

SHA512
fea9efa4f3ffec4cfc2cb97939e5ef6a753a57f01ce16f81add7a4286bab3672ab645f230b613e5d104ae35d66371e20a538582bbaf933626cc57831f0b10b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotNFDkQn.bat

Filesize
199B

MD5
aac1be3594c6c387fc97e3175e3f4c10

SHA1
46e4e5ac11b012b7e2dfd11937bb0642e7f6d000

SHA256
f1d34cb18c7256a00fbb1f1d311ca987cb785c772856e87b1e9a8f235946a12d

SHA512
0ea2a02ff22f98b69efb6e8912803577d5d029abdb04da3d7cc2473e8351e2524ab7fbfe9aa79889b3f9bad13f09a6d3dab61863cad069b6894132138dbf01ee

Download Submit
memory/3548-17-0x00007FFA937F3000-0x00007FFA937F4000-memory.dmp

Filesize
4KB

Download
memory/3548-19-0x0000019664580000-0x00000196645A2000-memory.dmp

Filesize
136KB

Download
memory/3548-21-0x00007FFA937F0000-0x00007FFA941DC000-memory.dmp

Filesize
9.9MB

Download
memory/3548-23-0x00007FFA937F0000-0x00007FFA941DC000-memory.dmp

Filesize
9.9MB

Download
memory/3548-24-0x000001967CD10000-0x000001967CD86000-memory.dmp

Filesize
472KB

Download
memory/3548-38-0x00007FFA937F0000-0x00007FFA941DC000-memory.dmp

Filesize
9.9MB

Download