ac3377404ea713edb16b91b827bfd7fc1341e8ea9ab79212f88c0bb583f7b748

Resubmissions

15/07/2024, 13:09

240715-qd7b7asflp 7

15/07/2024, 13:07

240715-qcynnasfkl 7

Analysis

max time kernel
133s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15/07/2024, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4d1a384ce4dd9d1804df4ff0cf5768f416fd658c3f648f334f68d040cfe53fc.exe
Size

90KB
MD5

53fb50eee42db9b52aa73876c7e63528
SHA1

0f45f4a4e4cd72ef424dc2817f533fc4abbb63fc
SHA256

b4d1a384ce4dd9d1804df4ff0cf5768f416fd658c3f648f334f68d040cfe53fc
SHA512

2d0d9906d86b815865abf6e6a56800e35f3badc1710aee32325b235786e25a82f000b0179911d8cfcc53355c99fa73855e7c9ee85767c6e5e386cb00a828de1b
SSDEEP

1536:OPz4pageYCousZFCvcQHMX0D4C+cbObCB06+:kzkag2xnHpD4/cKbCu6+

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4608	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4608	4740	b4d1a384ce4dd9d1804df4ff0cf5768f416fd658c3f648f334f68d040cfe53fc.exe	72
PID 4740 wrote to memory of 4608	4740	b4d1a384ce4dd9d1804df4ff0cf5768f416fd658c3f648f334f68d040cfe53fc.exe	72
PID 4740 wrote to memory of 4608	4740	b4d1a384ce4dd9d1804df4ff0cf5768f416fd658c3f648f334f68d040cfe53fc.exe	72
PID 4608 wrote to memory of 5084	4608	powershell.exe	74
PID 4608 wrote to memory of 5084	4608	powershell.exe	74
PID 4608 wrote to memory of 5084	4608	powershell.exe	74
PID 5084 wrote to memory of 2280	5084	csc.exe	75
PID 5084 wrote to memory of 2280	5084	csc.exe	75
PID 5084 wrote to memory of 2280	5084	csc.exe	75
PID 4608 wrote to memory of 836	4608	powershell.exe	76
PID 4608 wrote to memory of 836	4608	powershell.exe	76
PID 4608 wrote to memory of 836	4608	powershell.exe	76
PID 836 wrote to memory of 4376	836	csc.exe	77
PID 836 wrote to memory of 4376	836	csc.exe	77
PID 836 wrote to memory of 4376	836	csc.exe	77

C:\Users\Admin\AppData\Local\Temp\b4d1a384ce4dd9d1804df4ff0cf5768f416fd658c3f648f334f68d040cfe53fc.exe
"C:\Users\Admin\AppData\Local\Temp\b4d1a384ce4dd9d1804df4ff0cf5768f416fd658c3f648f334f68d040cfe53fc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\Unity\paw.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5se4ziwj\5se4ziwj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DFC.tmp" "c:\Users\Admin\AppData\Local\Temp\5se4ziwj\CSC522CBB12F302420FBE75E7B58CE571E8.TMP"
      4⤵
      PID:2280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ih5k4nux\ih5k4nux.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F44.tmp" "c:\Users\Admin\AppData\Local\Temp\ih5k4nux\CSC4CE4B21E835A4967B6AC579819D8A32.TMP"
      4⤵
      PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5se4ziwj\5se4ziwj.dll

Filesize
3KB

MD5
fbc1676d9e4ec98bdaef15274f44c9ee

SHA1
611c80abea60399a3d93230922a5f62d82177c59

SHA256
ee6a2a0389aabbce1711860a8cbcf8bd8cfb820e98417de716794c790d8356e0

SHA512
b5be0b3931bfaac5512e09dbe7758fc0eb8b1acc9f5dabc827cf56c3f1241c635ac826f7070549bdca31e09e5c099fca257828a0c232ed3ea0305d041e5cecad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6DFC.tmp

Filesize
1KB

MD5
546bc822c967167292e302ed2b7f31eb

SHA1
332f0da4a9f59da6f69e95ee00069b475561f3be

SHA256
3197d670382b6aa4a572854e96ff100fed461299fd94f4b2df73353ed730aa94

SHA512
c3ff901c7746ed0b23f441987886282cf3a54da25f3063136d9fff666b1ab1e2951fa5d6b102d8ff1f8540e72045e129e1bb2e7d15a13a575eb1e24aa095387e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6F44.tmp

Filesize
1KB

MD5
b524902f321e1e97a3acd70ca86eb447

SHA1
7607b2b0b8a9c7fc91e53e67056de99a6399b071

SHA256
352bb300f20708ad8b0a1b13d7c94d599d92a79adb8037f99b3d86d479f92cc1

SHA512
50e6065e79ac14d352aee52840894660353441089f80cbc07f6c2ce7fa2f45312f66be9a6d533a366887b6ecb31fefa816344f103f0ba0d8aa886784642f614b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unity\paw.ps1

Filesize
27KB

MD5
00edf5404b5d93b75a3a6dafc4da1d37

SHA1
56a5f0aec4ee03a1f8d0c8efc4b4cd9fa427efc8

SHA256
c279e78306f5f6dd14d70267c95bdedb5779041f5b629323ecaddb146a249147

SHA512
c103e30ced01ec046a2e2e9b2337dea5a10950aa0b35c306f1b089033f8a5a15152dfd0b60e407a4952a8e99c2796d4035b9d5a419525dd1c4e1d95ba71cbf91

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fyc4lmnu.blj.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ih5k4nux\ih5k4nux.dll

Filesize
3KB

MD5
bd1a26f51426dff13d0c19f157f0e44f

SHA1
fab05393a2755142a5798a00af4bd9a260042a34

SHA256
9c5f1e2de3c603623d7f8e270b61dd684f53004c484093356111313d9cef9227

SHA512
bd636382647b81832a1b744bf672d309e664af6930dc72774610b09b7622b2f16728d9d406f86fac707d38aed7c652a0d9b61636beb5b8fc6e4b8d4d8a8a01f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5se4ziwj\5se4ziwj.0.cs

Filesize
298B

MD5
d2dd7b143c5631aa598407bbe81ef5db

SHA1
a5c77b81db6300d7a7eb424875c96e2611d42d83

SHA256
b3ccd5d9083909c89f8201c421434ec38280c051597b5414559c1df7fcf31cfe

SHA512
bd2cc89e16b2d9ffee6e8e32c9474acd2ba1f9db187b26aa0c9dbde8b7e58476e96756cb6d6d46e8b18b7e1c936d4febc093196e690e35f2002c7da6331fbb62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5se4ziwj\5se4ziwj.cmdline

Filesize
369B

MD5
c6ef48de5a529e368f4715c1dfe6c2cb

SHA1
d743adffc0ab5768690d4b76c193a37378812ad7

SHA256
3c60a2fd55b932ba7a4a0282670ad1109f707da2e069c884be04d979d7d8f8f1

SHA512
c1ca524c2198089bb93abf72bc630ffae423222a1c2342f9f2a0ee05dd7e1a69091bb43f86f4cc62110bbcf5f2adb6b224a140485603328695a46247d2d74aea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5se4ziwj\CSC522CBB12F302420FBE75E7B58CE571E8.TMP

Filesize
652B

MD5
55958c9f622b69b6039bb1d58d627fc1

SHA1
ce7135ba2faee19792c9d4387aa9ac31029c9ee5

SHA256
50d37173685927c18c45f88e206afaac363b1e6b81de69894ea81a3e8363e8b6

SHA512
63d61376eef7a7545827ed8ae855afe0ffee90f62c5e169139ada5b0ec7f75a7f9ad04575b6565af151e6111a4cfe0df4ff0c24d12e0034e61f26373a3e3767c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ih5k4nux\CSC4CE4B21E835A4967B6AC579819D8A32.TMP

Filesize
652B

MD5
cb2e69d91e9b90507f8049dc7992d069

SHA1
f4015203a4ac20ae10fc41e7de82e8ba4723c40f

SHA256
db4ac951d60c7bd88779a2ba3db88b7a2c3210437d3fe0b1946df4f5b421ebc1

SHA512
cf1db96a760d0e58951c6c24ab0b9aa516d30ec4726cfe5d8b27c7e76fd7c5948a779303ad35d0779612703d8798ca2de6a78f51bd67cf3fb85d3e3aa615e406

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ih5k4nux\ih5k4nux.0.cs

Filesize
304B

MD5
fcbd1ccfa38961c170df85c57bfada4b

SHA1
10c4078035fe757b71eeb9485461aaf0361b1fe1

SHA256
9012dc6d80e7a9aa0ab6d64b12d8ba708edd2f96891b8d0d9a5f32fb7104622d

SHA512
7437dbaa7473b8f9187ace9a1ab27a48bff50d21f3e6b7e7aaaf29543801e26e4d6e226be926525898be7c59b0d866fe53d6c0d13170726e4e014c3290fff707

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ih5k4nux\ih5k4nux.cmdline

Filesize
369B

MD5
b77b1d70cb4dbec390cfa8ee8a6a1157

SHA1
1b394115f0310dbd2fb81bb768407e00994a5dc4

SHA256
7955aa3dbe4e95cb7878c1ef3e063c9c2e9ac3abf224941ca829fa97ba9890b1

SHA512
afbc03c565b0468fcb18be3df4e94f7d8ae9804e02a3464556a1b763b670eba1dec0e94071f38ffb2a3c234a61a627c18c2b5fa1421b6b679a1aa619173a2df8

Download Submit
memory/4608-32-0x0000000008D70000-0x0000000008D8A000-memory.dmp

Filesize
104KB

Download
memory/4608-51-0x0000000008E80000-0x0000000008F14000-memory.dmp

Filesize
592KB

Download
memory/4608-5-0x0000000072A7E000-0x0000000072A7F000-memory.dmp

Filesize
4KB

Download
memory/4608-15-0x0000000007D60000-0x0000000007DD6000-memory.dmp

Filesize
472KB

Download
memory/4608-14-0x0000000007A60000-0x0000000007AAB000-memory.dmp

Filesize
300KB

Download
memory/4608-13-0x0000000006F50000-0x0000000006F6C000-memory.dmp

Filesize
112KB

Download
memory/4608-12-0x0000000007670000-0x00000000079C0000-memory.dmp

Filesize
3.3MB

Download
memory/4608-11-0x00000000075A0000-0x0000000007606000-memory.dmp

Filesize
408KB

Download
memory/4608-45-0x0000000008D90000-0x0000000008D98000-memory.dmp

Filesize
32KB

Download
memory/4608-31-0x00000000095B0000-0x0000000009C28000-memory.dmp

Filesize
6.5MB

Download
memory/4608-52-0x0000000008E10000-0x0000000008E32000-memory.dmp

Filesize
136KB

Download
memory/4608-53-0x0000000009C30000-0x000000000A12E000-memory.dmp

Filesize
5.0MB

Download
memory/4608-10-0x0000000006D10000-0x0000000006D76000-memory.dmp

Filesize
408KB

Download
memory/4608-9-0x0000000006B70000-0x0000000006B92000-memory.dmp

Filesize
136KB

Download
memory/4608-8-0x0000000006F70000-0x0000000007598000-memory.dmp

Filesize
6.2MB

Download
memory/4608-66-0x0000000008F30000-0x0000000008F38000-memory.dmp

Filesize
32KB

Download
memory/4608-7-0x0000000072A70000-0x000000007315E000-memory.dmp

Filesize
6.9MB

Download
memory/4608-6-0x0000000004660000-0x0000000004696000-memory.dmp

Filesize
216KB

Download
memory/4608-85-0x0000000072A70000-0x000000007315E000-memory.dmp

Filesize
6.9MB

Download