11f4252eb95a7e0bfbef4d8e3da93450abf2bbb9b97b93f49aa28cbb76dc1158

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11f4252eb95a7e0bfbef4d8e3da93450abf2bbb9b97b93f49aa28cbb76dc1158.exe
Size

1.9MB
MD5

f3c7cc02bf76362489b0fe8c35a9865c
SHA1

10319b1e54c0ab57d022d3f3c72adc36dd21e578
SHA256

11f4252eb95a7e0bfbef4d8e3da93450abf2bbb9b97b93f49aa28cbb76dc1158
SHA512

19e252faea4402ef26204e3e6967ffcfafa59ff123a72f404e2963356ad534840000dcb6c351b3840c2497945c33833659b8625008aa66084478ce346b401521
SSDEEP

24576:CMiCjNw14VaeynmsBBCA73pvxnCgQ8pS7du+Ec0xMke8JsU3AoUqqII+ke5F:JiCjNnVaeyPBBZQnPqqII+ke5F

Score

8^/10

execution ransomware

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3876	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3876	powershell.exe
2768	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\image_cg.jpg"	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3876	powershell.exe
3876	powershell.exe
2768	powershell.exe
2768	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 3224	4260	11f4252eb95a7e0bfbef4d8e3da93450abf2bbb9b97b93f49aa28cbb76dc1158.exe	84
PID 4260 wrote to memory of 3224	4260	11f4252eb95a7e0bfbef4d8e3da93450abf2bbb9b97b93f49aa28cbb76dc1158.exe	84
PID 3224 wrote to memory of 3876	3224	cmd.exe	85
PID 3224 wrote to memory of 3876	3224	cmd.exe	85
PID 3876 wrote to memory of 2768	3876	powershell.exe	88
PID 3876 wrote to memory of 2768	3876	powershell.exe	88
PID 3876 wrote to memory of 4752	3876	powershell.exe	90
PID 3876 wrote to memory of 4752	3876	powershell.exe	90
PID 4752 wrote to memory of 1212	4752	csc.exe	91
PID 4752 wrote to memory of 1212	4752	csc.exe	91

C:\Users\Admin\AppData\Local\Temp\11f4252eb95a7e0bfbef4d8e3da93450abf2bbb9b97b93f49aa28cbb76dc1158.exe
"C:\Users\Admin\AppData\Local\Temp\11f4252eb95a7e0bfbef4d8e3da93450abf2bbb9b97b93f49aa28cbb76dc1158.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %temp% && powershell -ExecutionPolicy Bypass -win hidden -e JABjAG8AbQBtAGEAbgBkAD0AZwBjACAAJABlAG4AdgA6AHQAbQBwAFwAXABNAGkAYwByAG8AcwBvAGYAdABTAGUAcgB2AGkAYwBlAEMAcgBlAGEAdABpAG8AbgAuAHAAcwAxAA0ACgBbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGMAbwBtAG0AYQBuAGQAKQApACAAfAAgAGkAZQB4AA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -win hidden -e JABjAG8AbQBtAGEAbgBkAD0AZwBjACAAJABlAG4AdgA6AHQAbQBwAFwAXABNAGkAYwByAG8AcwBvAGYAdABTAGUAcgB2AGkAYwBlAEMAcgBlAGEAdABpAG8AbgAuAHAAcwAxAA0ACgBbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGMAbwBtAG0AYQBuAGQAKQApACAAfAAgAGkAZQB4AA==
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -win hidden -c echo I Am Running
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2768
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tuh1us2s\tuh1us2s.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4752
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF7A.tmp" "c:\Users\Admin\AppData\Local\Temp\tuh1us2s\CSCE03569035D7745508F2775247FCF476.TMP"
        5⤵
        
        PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
99ba7637f1b1f43f52452e6dee3a8acc

SHA1
21fb0cfbc7d727dce44ec968c02f2c102c73bc64

SHA256
08ecd523c89de586d3dd5d9a166549e856d59fbea4ca855509a61117f1b79fea

SHA512
29e5571d19d5de8d8a06dbae57b530d88e017965c51c7d89f7ed9741991f0340d4b4db446f220588e9564853f73e5d325bac29da1b9677fe2775f0733c0ad65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftServiceCreation.ps1

Filesize
109KB

MD5
327e0ca70e25c12a72ef70d7f8b0e31f

SHA1
53ba1fd74d073032768329d6aef18e9175a7a335

SHA256
240d9e25d72d9e2dc57767f863e322dde7083e733c6f7fbeb0596dec924627f5

SHA512
34df661350290e473943a8fe3527bb6c34b0cb36daf8be9753416edd3729a70ccc3eb0682eb7d16b72bb322b37e42e21a805ce5b2b2a26b83378f829ba944758

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAF7A.tmp

Filesize
1KB

MD5
031d9a09f11cedcbd929e6d66559cb5a

SHA1
e3c5a181e79afb679c8e08ef41a0d33bb22542de

SHA256
50f96c658b30a202110f450a9eb6ac3f5927798aa64c351059f8f49e1d4209fe

SHA512
a9c879d5ee41a647a8b4d60875880545a94feb5eaa57450f75a2392cf4423e658f3caff88a1d8e91e77693271268db8392b1f77550c0acd527e01c62c7511e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpu0fpoc.ugk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuh1us2s\tuh1us2s.dll

Filesize
3KB

MD5
bab0ab978a2dae16afe3e463268f7b03

SHA1
d3047e1df955c35c52313b2000c0d94a45f133ce

SHA256
7bf325b734a3e44e96bb3c050114328517c7bf26f9354d301cedf41bd9fd4ad5

SHA512
f3dc897be08f924f40b23b7311e738aa2075e54c1b95b19dd26ae605fcfff57f29c22d7951e42a294a31fdddb63811fa919b7e018d1441e9c733b06fba210b5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tuh1us2s\CSCE03569035D7745508F2775247FCF476.TMP

Filesize
652B

MD5
b5593be4b58468d1a0e5f13a6e8b3f42

SHA1
092d9a9044f9094fdcd8c36d99d35a601a1ec512

SHA256
292012b81d4b32e26ae242db502de4521f88c4479d9869b3a8352800a11dab1a

SHA512
97b033919a0db9764d803ed36ecb23f84062b50874d088ac9e8d1aca611a59f6a6b316c9493e2263c428ae4cdd41183a0ef6fd513d19d1a5b3448f4be6e48dc9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tuh1us2s\tuh1us2s.0.cs

Filesize
519B

MD5
d4c532592cb07068f25d64285900c40a

SHA1
3f16755ee21334f13d707b4099d16186e0319ae4

SHA256
6b6d2f48e21bfd5b98a75dad0e37391df9a8d887fa2cbf01d21ac19b2eb25bce

SHA512
39f684466fc1fd5c8eef96296dd42d12dfe9501d2e9249f22e7fb909970bf02a574cd75ffd77e82a5fcf8830b1db7cc65b796d672b62590e3f5f7746565c5726

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tuh1us2s\tuh1us2s.cmdline

Filesize
369B

MD5
fd87dd407c0d585fd64aa06692f1fa70

SHA1
641d5bf04cba8880637d47860c5b086254bb3d10

SHA256
6183fda8a74eb110a4d2eeffbb734704b2ccfa1e3317d5edb11e7428d311f97c

SHA512
c3a13c244f1d189d39b587a8d46d71575d23fcc5144dc1fd89e5370daa24fe2aea31078611902a83a05f12c45a987b06d4f378239775e6002e69c47b19d709ba

Download Submit
memory/2768-29-0x00007FFF16E20000-0x00007FFF178E1000-memory.dmp

Filesize
10.8MB

Download
memory/2768-20-0x00007FFF16E20000-0x00007FFF178E1000-memory.dmp

Filesize
10.8MB

Download
memory/2768-28-0x00007FFF16E20000-0x00007FFF178E1000-memory.dmp

Filesize
10.8MB

Download
memory/2768-25-0x00007FFF16E20000-0x00007FFF178E1000-memory.dmp

Filesize
10.8MB

Download
memory/3876-13-0x00007FFF16E20000-0x00007FFF178E1000-memory.dmp

Filesize
10.8MB

Download
memory/3876-156-0x000002AD43600000-0x000002AD43608000-memory.dmp

Filesize
32KB

Download
memory/3876-1-0x00007FFF16E23000-0x00007FFF16E25000-memory.dmp

Filesize
8KB

Download
memory/3876-12-0x00007FFF16E20000-0x00007FFF178E1000-memory.dmp

Filesize
10.8MB

Download
memory/3876-2-0x000002AD2A5E0000-0x000002AD2A602000-memory.dmp

Filesize
136KB

Download
memory/3876-162-0x00007FFF16E20000-0x00007FFF178E1000-memory.dmp

Filesize
10.8MB

Download
memory/4260-163-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download