Overview

overview

10

Static

static

10

Winget-Aut...r.psd1

windows7-x64

1

Winget-Aut...r.psd1

windows10-2004-x64

1

Winget-Aut...ui.ps1

windows7-x64

3

Winget-Aut...ui.ps1

windows10-2004-x64

8

Winget-Aut...ll.ps1

windows7-x64

3

Winget-Aut...ll.ps1

windows10-2004-x64

8

Winget-Aut...un.ps1

windows7-x64

3

Winget-Aut...un.ps1

windows10-2004-x64

3

Winget-Aut...es.ps1

windows7-x64

3

Winget-Aut...es.ps1

windows10-2004-x64

3

Winget-Aut...ll.ps1

windows7-x64

3

Winget-Aut...ll.ps1

windows10-2004-x64

3

Winget-Aut...ll.ps1

windows7-x64

3

Winget-Aut...ll.ps1

windows10-2004-x64

3

Winget-Aut...fy.ps1

windows7-x64

3

Winget-Aut...fy.ps1

windows10-2004-x64

3

Winget-Aut...de.ps1

windows7-x64

3

Winget-Aut...de.ps1

windows10-2004-x64

8

Winget-Aut...ne.ps1

windows7-x64

3

Winget-Aut...ne.ps1

windows10-2004-x64

3

Winget-Aut...ut.ps1

windows7-x64

3

Winget-Aut...ut.ps1

windows10-2004-x64

3

Winget-Aut...on.ps1

windows7-x64

3

Winget-Aut...on.ps1

windows10-2004-x64

3

Winget-Aut...py.ps1

windows7-x64

3

Winget-Aut...py.ps1

windows10-2004-x64

3

Winget-Aut...fo.ps1

windows7-x64

3

Winget-Aut...fo.ps1

windows10-2004-x64

3

Winget-Aut...ps.ps1

windows7-x64

3

Winget-Aut...ps.ps1

windows10-2004-x64

3

Winget-Aut...ps.ps1

windows7-x64

3

Winget-Aut...ps.ps1

windows10-2004-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-07-2024 17:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Winget-AutoUpdate-main/Sources/WAU/Winget-AutoUpdate-Install.ps1

  • Size

    26KB

  • MD5

    07ba0c8cce815a8d50b1590814e1af3c

  • SHA1

    124b8ee99598c006767e9ec91af23036cb2acae0

  • SHA256

    b69b120f2d61b33f1c473f19f13901710adb4dd25143b1534e9a9d068a0dcf96

  • SHA512

    7a57de32f6d19a7188f493018f5e2da3757940fae8bda2d28e79817a34a70a50fb0cb38f09987073b042e28ee8a6ca03292fe137a8505cb2bf22ba054082a242

  • SSDEEP

    384:U571+QE7EqAxcK6F4/8yw6IVBUOoZWtkrqM+Y7Ml2Q3ZlPnYnqwxQKCDcmIt:G71JxcK6F4/8yIYqKQK+cVt

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Drops file in Windows directory 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 39 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Winget-AutoUpdate-main\Sources\WAU\Winget-AutoUpdate-Install.ps1
    1⤵
    • Blocklisted process makes network request
    • Drops file in Windows directory
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3384
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c
      2⤵
        PID:1184
      • C:\Users\Admin\AppData\Local\Temp\E3BBE04C-5109-4667-A6BB-FF02B3566697\dismhost.exe
        C:\Users\Admin\AppData\Local\Temp\E3BBE04C-5109-4667-A6BB-FF02B3566697\dismhost.exe {F48E53AA-5CEB-4BD4-ACCC-919C6B3AA7A4}
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        PID:3600
      • C:\Users\Admin\AppData\Local\Temp\14AFD250-C65F-4338-B50B-8C28D58F30B4\dismhost.exe
        C:\Users\Admin\AppData\Local\Temp\14AFD250-C65F-4338-B50B-8C28D58F30B4\dismhost.exe {9FF88BE2-3A80-45D1-8ABE-FA003D91075E}
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1580
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
      1⤵
        PID:1288
      • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
        "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2184
      • C:\Windows\system32\wwahost.exe
        "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4292
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s dmwappushservice
        1⤵
          PID:2232

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html.~tmp
          Filesize

          104KB

          MD5

          effecce1b6868c8bd7950ef7b772038b

          SHA1

          695d5a07f59b4b72c5eca7be77d5b15ae7ae59b0

          SHA256

          003e619884dbc527e20f0aa8487daf5d7eed91d53ef6366a58c5493aaf1ce046

          SHA512

          2f129689181ffe6fff751a22d4130bb643c5868fa0e1a852c434fe6f7514e3f1e5e4048179679dec742ec505139439d98e6dcc74793c18008db36c800d728be2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\E3BBE04C-5109-4667-A6BB-FF02B3566697\AppxProvider.dll
          Filesize

          554KB

          MD5

          a7927846f2bd5e6ab6159fbe762990b1

          SHA1

          8e3b40c0783cc88765bbc02ccc781960e4592f3f

          SHA256

          913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

          SHA512

          1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\E3BBE04C-5109-4667-A6BB-FF02B3566697\DismCorePS.dll
          Filesize

          183KB

          MD5

          a033f16836d6f8acbe3b27b614b51453

          SHA1

          716297072897aea3ec985640793d2cdcbf996cf9

          SHA256

          e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

          SHA512

          ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\E3BBE04C-5109-4667-A6BB-FF02B3566697\DismHost.exe
          Filesize

          142KB

          MD5

          e5d5e9c1f65b8ec7aa5b7f1b1acdd731

          SHA1

          dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

          SHA256

          e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

          SHA512

          7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\E3BBE04C-5109-4667-A6BB-FF02B3566697\LogProvider.dll
          Filesize

          77KB

          MD5

          815a4e7a7342224a239232f2c788d7c0

          SHA1

          430b7526d864cfbd727b75738197230d148de21a

          SHA256

          a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

          SHA512

          0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\E3BBE04C-5109-4667-A6BB-FF02B3566697\OSProvider.dll
          Filesize

          149KB

          MD5

          db4c3a07a1d3a45af53a4cf44ed550ad

          SHA1

          5dea737faadf0422c94f8f50e9588033d53d13b3

          SHA256

          2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

          SHA512

          5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\E3BBE04C-5109-4667-A6BB-FF02B3566697\dismprov.dll
          Filesize

          255KB

          MD5

          490be3119ea17fa29329e77b7e416e80

          SHA1

          c71191c3415c98b7d9c9bbcf1005ce6a813221da

          SHA256

          ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

          SHA512

          6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft.UI.Xaml.2.8.x64.appx
          Filesize

          4.9MB

          MD5

          2d1c278a665a52f2498a442b0b1848bd

          SHA1

          a5fa9d96fe72d5cd885dab0b6f50a44ca82949a6

          SHA256

          249d2afb41cc009494841372bd6dd2df46f87386d535ddf8d9f32c97226d2e46

          SHA512

          07385a8952d6159d725eacedaa14488878b8657c43f7089cd5e10abc349950063393f53436c58026200d796c90bbf8b8c522694ccd1624b764ba393c5ff74a67

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ydij3dve.1po.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Windows\Logs\DISM\dism.log
          Filesize

          229KB

          MD5

          40cab1cd4fd1f918a12b2617f8d0b666

          SHA1

          0b1d3dc621a8734e329a67d00e0f9301cfa43264

          SHA256

          97b77424d1fbc4a437a633474a895c2d3159f920347d039a9087cd5646dcd7e8

          SHA512

          f6dcf5186cf119b9703d214163ca81a1704f6912b59ee768521f3be5fe8959259baecd8faa0fff02df30f0ffb06b03994da4bbc67d77648b9d54002af528fa90

          Download Submit

        • C:\Windows\Logs\DISM\dism.log
          Filesize

          230KB

          MD5

          c339786a96fad56d64e296fe0af3d48c

          SHA1

          6992867f758fde4b502b44212bb822ecb6b8ef2c

          SHA256

          1f1dc8bc976efa2a6460c2ceae18c1c5cb561229c45cac37f348ab63bade6840

          SHA512

          863eaba05ce98a651f724e2121e22e7f3fafb589ee8ca2a3995e5133d099ef5da209819603699b722bde8379c4bf4b31cbf0ad2c61dc346e75352fc8e0faa70d

          Download Submit

        • C:\Windows\Logs\DISM\dism.log
          Filesize

          238KB

          MD5

          e41253d22c30dc4878c066b79e39ffd2

          SHA1

          bf75d6cfba55dde97c974e6c0470dd5f6177dcbc

          SHA256

          7db883c788e367a9ca7dec4b937b6c97c3504b33d17512feff7ac9643cda42a8

          SHA512

          a7189e7b8e74b6ec474636774083cfafb39ee18a2894553132b07e80d35938c3f15f47fc305eedcc0065ce501c62364d47aa1dfa4af49621890c8f6b401a5deb

          Download Submit

        • C:\Windows\Logs\DISM\dism.log
          Filesize

          255KB

          MD5

          4240ebc0b6b5b39d2af7e0b40e8dab3f

          SHA1

          babc2b428270f8b51f3100f4e6075aac2af38b09

          SHA256

          6822430113ea2c02931af4c286d07eeed0d507b1bbe3c37159eab9bcdbb4a729

          SHA512

          d21ab57bedac259829335f809acd74732568f5e83788db696c2ca5b90a3cf78fdd0aef0f7f454c7559fe76367cdafc863789376184212629fc132b5b718d1d64

          Download Submit

        • C:\Windows\Logs\DISM\dism.log
          Filesize

          298KB

          MD5

          fe2aa79cbfd8362391bee7e4cb05ac8a

          SHA1

          a19005d9159dfb788e7866cc61f28baed6eb3a46

          SHA256

          6d3b53603ea85a593de2503d541af6e6a8ae219aed8237788822fff3f75dbd1c

          SHA512

          75c8111f77f8d278a1323a9d738629150bb32525996b77ec9faff1f7d238cc0cc18ccb2d28ea5cfa9f5579ad84393d86a6551d5fa3a344ff1ce282d9eff5d967

          Download Submit

        • memory/2184-382-0x0000021959200000-0x0000021959449000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2184-380-0x000002193D8F0000-0x000002193D8FE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2184-381-0x000002193DDE0000-0x000002193DDE8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3384-375-0x000001B045B00000-0x000001B045CC2000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3384-501-0x00007FFAA18E3000-0x00007FFAA18E5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3384-22-0x000001B0452B0000-0x000001B0452D4000-memory.dmp

          Filesize

          144KB

          Download

        • memory/3384-376-0x000001B046200000-0x000001B046728000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/3384-377-0x00007FFAA18E0000-0x00007FFAA23A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3384-15-0x000001B045060000-0x000001B045076000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3384-17-0x000001B045250000-0x000001B045276000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3384-0-0x00007FFAA18E3000-0x00007FFAA18E5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3384-12-0x00007FFAA18E0000-0x00007FFAA23A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3384-16-0x000001B045080000-0x000001B04508A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3384-508-0x00007FFAA18E0000-0x00007FFAA23A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3384-509-0x00007FFAA18E0000-0x00007FFAA23A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3384-11-0x00007FFAA18E0000-0x00007FFAA23A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3384-10-0x000001B044DB0000-0x000001B044DD2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3384-951-0x000001B045960000-0x000001B04598A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/3384-952-0x000001B045960000-0x000001B045984000-memory.dmp

          Filesize

          144KB

          Download

        • memory/3384-958-0x00007FFAA18E0000-0x00007FFAA23A1000-memory.dmp

          Filesize

          10.8MB

          Download