80cc0c3d5c075dba274e828d2acc448c2362448347369b338e2f3d6d2a1a4234

Analysis

max time kernel
94s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0440f28a72cf8fdb47ba7ba0b8ff17a.exe
Size

31.3MB
MD5

f0440f28a72cf8fdb47ba7ba0b8ff17a
SHA1

eefa865579e047a33508c2485c30ca5afbe65c11
SHA256

80cc0c3d5c075dba274e828d2acc448c2362448347369b338e2f3d6d2a1a4234
SHA512

f873908371f44631069e22e33151c0b2be041001d7b62c98d42fdd7516196d601bb9720e6e489f1ccfc6f70b31cf27cd3916b2a96584744ee7e1101f4bae8c28
SSDEEP

786432:9O8RogMHVQ/uw0jumEGVHgZPUM4/EA+rpBa2PKh:9O8qG/cuGVAZ+MHrpBar

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4036	powershell.exe
2788	powershell.exe
4296	powershell.exe
4768	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f0440f28a72cf8fdb47ba7ba0b8ff17a.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4036	powershell.exe
4036	powershell.exe
2788	powershell.exe
2788	powershell.exe
4296	powershell.exe
4296	powershell.exe
4768	powershell.exe
4768	powershell.exe
4768	powershell.exe
4296	powershell.exe
4296	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2984	OpenWith.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 644	1664	f0440f28a72cf8fdb47ba7ba0b8ff17a.exe	91
PID 1664 wrote to memory of 644	1664	f0440f28a72cf8fdb47ba7ba0b8ff17a.exe	91
PID 644 wrote to memory of 4036	644	cmd.exe	93
PID 644 wrote to memory of 4036	644	cmd.exe	93
PID 644 wrote to memory of 2788	644	cmd.exe	95
PID 644 wrote to memory of 2788	644	cmd.exe	95
PID 2788 wrote to memory of 4296	2788	powershell.exe	96
PID 2788 wrote to memory of 4296	2788	powershell.exe	96
PID 4296 wrote to memory of 3240	4296	powershell.exe	98
PID 4296 wrote to memory of 3240	4296	powershell.exe	98
PID 4296 wrote to memory of 2428	4296	powershell.exe	99
PID 4296 wrote to memory of 2428	4296	powershell.exe	99
PID 4296 wrote to memory of 4768	4296	powershell.exe	100
PID 4296 wrote to memory of 4768	4296	powershell.exe	100
PID 4296 wrote to memory of 3848	4296	powershell.exe	105
PID 4296 wrote to memory of 3848	4296	powershell.exe	105

C:\Users\Admin\AppData\Local\Temp\f0440f28a72cf8fdb47ba7ba0b8ff17a.exe
"C:\Users\Admin\AppData\Local\Temp\f0440f28a72cf8fdb47ba7ba0b8ff17a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c LibreScore.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\version.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& {exit ( Start-Process -Wait -PassThru -FilePath PowerShell.exe -WindowStyle Hidden -ArgumentList '-WindowStyle Hidden -ExecutionPolicy Bypass -Command ""C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.ps1; exit $LASTEXITCODE"" ' -Verb RunAs).ExitCode}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.ps1; exit $LASTEXITCODE
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4296
    - - C:\Windows\system32\certutil.exe
        
        "C:\Windows\system32\certutil.exe" -verifystore root 20d296c383401e8d40c30df9f6928d72
        5⤵
        
        PID:3240
    - - C:\Windows\system32\certutil.exe
        
        "C:\Windows\system32\certutil.exe" -addstore root C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.cer
        5⤵
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Invoke-Item 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.msix'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
    - - C:\Windows\system32\certutil.exe
        
        "C:\Windows\system32\certutil.exe" -delstore root 20d296c383401e8d40c30df9f6928d72
        5⤵
        
        PID:3848

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38626e78f952256a721176512a7f8c26

SHA1
70636067d2b0ec031d6912faba82a8665fa54a08

SHA256
ce79b9265cd36fec49cda6c92664354a8b6448bcf28bc13ff8b318b3b80c756d

SHA512
49005e71061285d59144a8551bb9b317694a64b383c64ec6e3c34308371a95b8fbac7356c2a8eb15477030f9aee10b347bca4f95601ba4b262eb3df0ec22c0d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
421272b37c814e58cb34e84c4bf621f8

SHA1
3b24c81d08fe0ebae60ee8d9fd7ab9421dc74057

SHA256
376f1abfb8caf7f74363a99e71fa5be80a3b9cd2cd394eda98f12364f198a075

SHA512
0d4a06a52fd46165d1296438550341bf25068cb9e58696096fe89f1adb70c52bb8752ea178453a82e963967215b50b22d6a8333e3074cb5cbf56ff6524df1f89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
367b1c81198bfdcdba813c2c336627a3

SHA1
37fe6414eafaaed4abb91c1aafde62c5b688b711

SHA256
1141e163d84d5ef0038593c866647f27c55510de2147dc1578130e518a22cced

SHA512
e0493957e6602efb156d372e5e66147056f6e3c2e01996ba9b4e04f82b2b1e4c7236d0e3681dce9ab4911a62546b6a141f1ae731de6e8184e758caf120cf594b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.bat

Filesize
540B

MD5
b534ab3e3040ac92c62f9006cabb7a66

SHA1
d11c17f69da819d3fdfa18a92319e18703b1352d

SHA256
57d489860e84e5df6f7137b3b23f92ad0acd3fe2085df6d538d75b295faed875

SHA512
2ed7d6463d25112838d1a9eae8e56957039c3efdcf9aa8c05e9c73e37308708e5812d1e683ae5af6b1f99a5700b9e265752200d8ed6b9bdcf2016be71c3702b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.cer

Filesize
882B

MD5
349296b36790ddcf2ebcbe0bc2550358

SHA1
957bbcf3c4963baade35d627206a668278835666

SHA256
8217fbe5faf4280097786850f2e25a6d2c277419d22640ebd5b2a3815bb4f021

SHA512
defedf1ac4fa700b48a7959704fce2b5a39f3ce0d51b80bf9b31b68606272bfc98b9d44622ff7d9fa887eaadb64003b71ce5d911799e2996d4ce4b70cbf567a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.msix

Filesize
17.7MB

MD5
a9616f579bba2548e2d899d2867ebcfb

SHA1
a1b1eeea808bb66a3e850fb8b422997ea59bddf3

SHA256
ed4fd4191b23505ec8cd375b6d7b59a3cd33fec877d4ee0ed19a8389deac60eb

SHA512
e79e5f6ccac9cd0cda46428ae49ebcf7741f0b790f6392146cf7a2de5427c9c76f1cb172984c8afb35aed14933828153266d689a10472a082d0e702ed09e6ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LibreScore.ps1

Filesize
1KB

MD5
5fbdde5c06c9de8f860c344b02762bc6

SHA1
741f77dbb4fdd0ea0381b02cda66f4b52e9c1d63

SHA256
c52c684f143d284e2a6c5125418573fb011a2e932084277535d7501386a6dae1

SHA512
36dec3fc7722721e003f535da3c74a56de3f7f376ab31afad009bbd176c6a0e5f92d9b233554a855d4546243a24c221bcb84a7099b331ec0638dbdb1c229966c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\version.ps1

Filesize
229B

MD5
ff03e7abf5bd7092f0aaf2e1167f0269

SHA1
0433d75121835f319c8f0c377c5af633289e8725

SHA256
9f323c610e45665a94ebbbf539f3e70ec673317f718b06fbbba9309819645cf7

SHA512
5711d4de1f06520a002be579ba8aa44093e4a827b8615e29125a163f5f8c224df7515c34cc00d7c8768b88e4b767b39e2ef71dc3fa5ae66119e2138ca2231426

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cpko1rug.klr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4036-29-0x00007FFAD0660000-0x00007FFAD1121000-memory.dmp

Filesize
10.8MB

Download
memory/4036-26-0x00007FFAD0660000-0x00007FFAD1121000-memory.dmp

Filesize
10.8MB

Download
memory/4036-24-0x00007FFAD0660000-0x00007FFAD1121000-memory.dmp

Filesize
10.8MB

Download
memory/4036-14-0x000001C1FC180000-0x000001C1FC1A2000-memory.dmp

Filesize
136KB

Download
memory/4036-13-0x00007FFAD0663000-0x00007FFAD0665000-memory.dmp

Filesize
8KB

Download