ca7a8be040371db76cadba7e926c9d98ab61a8b8e7e6d39f6e015fca6cb5bab4

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dstream.log.exe
Size

4.9MB
MD5

fb1d8d0ba73b7d30b38057853705b160
SHA1

5b36e28d52a1ac061a0653d23baf5277cb543568
SHA256

ca7a8be040371db76cadba7e926c9d98ab61a8b8e7e6d39f6e015fca6cb5bab4
SHA512

4b1937788cd7d7d328a529f693f1eb9247eeab122729343e9a076f552d8a7ef0d0fa5f1fdf78747f4b2c071b61b5ab644bf2733076fe2c62031a7f47f4622ed2
SSDEEP

98304:25LWJ3+vTtkBZQnyFNT3FPfJ6DFkhyzQjh5/5IAOP/Q:25LWVCnoZ38DzQ15/5IVXQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4492	rundatastream.exe

Loads dropped DLL 2 IoCs

pid	Process
4492	rundatastream.exe
4492	rundatastream.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\image3.jpg:msupdate.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
408	powershell.exe
408	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 35	4492	rundatastream.exe
Token: SeDebugPrivilege	408	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 4492	4228	dstream.log.exe	81
PID 4228 wrote to memory of 4492	4228	dstream.log.exe	81
PID 4492 wrote to memory of 3468	4492	rundatastream.exe	82
PID 4492 wrote to memory of 3468	4492	rundatastream.exe	82
PID 4492 wrote to memory of 2712	4492	rundatastream.exe	84
PID 4492 wrote to memory of 2712	4492	rundatastream.exe	84
PID 4492 wrote to memory of 3572	4492	rundatastream.exe	86
PID 4492 wrote to memory of 3572	4492	rundatastream.exe	86
PID 3572 wrote to memory of 408	3572	cmd.exe	88
PID 3572 wrote to memory of 408	3572	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\dstream.log.exe
"C:\Users\Admin\AppData\Local\Temp\dstream.log.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Users\Admin\AppData\Local\Temp\onefile_4228_133646284412960338\rundatastream.exe
  "C:\Users\Admin\AppData\Local\Temp\dstream.log.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "type msupdate.exe > image3.jpg:msupdate.exe"
    3⤵
    - NTFS ADS
    PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del msupdate.exe"
    3⤵
    PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell .\image3.jpg:msupdate.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell .\image3.jpg:msupdate.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pxkylvbv.atq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4228_133646284412960338\python37.dll

Filesize
3.6MB

MD5
c4709f84e6cf6e082b80c80b87abe551

SHA1
c0c55b229722f7f2010d34e26857df640182f796

SHA256
ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3

SHA512
e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4228_133646284412960338\rundatastream.exe

Filesize
4.9MB

MD5
1a57e40a51fbfbda36dbcb8f7f107f05

SHA1
5ec003e5a626809b6f3e8a0fcb7a58b5052ec0ee

SHA256
824a954ba7d3527e06a20af8b81aac9f7546250bdfd8326c2b05d6f297a1a347

SHA512
7b779ddd54c733f1a77b70ed9dc14f195ebe63bd0f2db02c47be7fa2c1f71455632760c3d6a370cf0a1137ef21b043421886307631923bc9d00064d0641bc533

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4228_133646284412960338\vcruntime140.dll

Filesize
85KB

MD5
89a24c66e7a522f1e0016b1d0b4316dc

SHA1
5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42

SHA256
3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6

SHA512
e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

Download Submit
memory/408-44-0x00007FFFEFE53000-0x00007FFFEFE55000-memory.dmp

Filesize
8KB

Download
memory/408-54-0x00000208F5DA0000-0x00000208F5DC2000-memory.dmp

Filesize
136KB

Download
memory/408-55-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

Filesize
10.8MB

Download
memory/408-56-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

Filesize
10.8MB

Download
memory/408-59-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

Filesize
10.8MB

Download