b553cd19fefd923981b8a14685630f844f9c3ced2fc392b0fad76d216f7334da

Analysis

max time kernel
94s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

protect_distribution(1).exe
Size

6.9MB
MD5

cd6074780cfaf4208d8c7b0a65bad011
SHA1

8b40ba92e46409f31186cb865f602d866fe04bd4
SHA256

b553cd19fefd923981b8a14685630f844f9c3ced2fc392b0fad76d216f7334da
SHA512

a5e02a6b52886ecda98199f27395122e5ddec03ef48954b77c9d4fd50b38f865c5474fcda1412cb5e1c287179f0c05acbbea2013d068157bdeb25fb3109f5a24
SSDEEP

196608:Ji8YzGYYmk26SF2IeoJDAIZAxjV16l93At:5ywSk1k2R6vu

Score

7^/10

execution

Malware Config

Signatures

Loads dropped DLL 16 IoCs

pid	Process
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4824	powershell.exe
4600	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2800	schtasks.exe
312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2016	protect_distribution(1).exe
2016	protect_distribution(1).exe
2016	protect_distribution(1).exe
2016	protect_distribution(1).exe
2016	protect_distribution(1).exe
2016	protect_distribution(1).exe
2016	protect_distribution(1).exe
2016	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
2984	protect_distribution(1).exe
4600	powershell.exe
4824	powershell.exe
4600	powershell.exe
4824	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2984	2016	protect_distribution(1).exe	83
PID 2016 wrote to memory of 2984	2016	protect_distribution(1).exe	83
PID 2984 wrote to memory of 4352	2984	protect_distribution(1).exe	86
PID 2984 wrote to memory of 4352	2984	protect_distribution(1).exe	86
PID 2984 wrote to memory of 3004	2984	protect_distribution(1).exe	88
PID 2984 wrote to memory of 3004	2984	protect_distribution(1).exe	88
PID 2984 wrote to memory of 2800	2984	protect_distribution(1).exe	90
PID 2984 wrote to memory of 2800	2984	protect_distribution(1).exe	90
PID 2984 wrote to memory of 312	2984	protect_distribution(1).exe	93
PID 2984 wrote to memory of 312	2984	protect_distribution(1).exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\protect_distribution(1).exe
"C:\Users\Admin\AppData\Local\Temp\protect_distribution(1).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\protect_distribution(1).exe
  "C:\Users\Admin\AppData\Local\Temp\protect_distribution(1).exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn ModifyRegistryTask1 /f
    3⤵
    PID:4352
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn ModifyRegistryTask2 /f
    3⤵
    PID:3004
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /tn ModifyRegistryTask1 /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\ModifyRegistry1.ps1" /sc once /st 05:04 /rl highest
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2800
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /tn ModifyRegistryTask2 /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\ModifyRegistry2.ps1" /sc once /st 05:04 /rl highest
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\ModifyRegistry1.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\ModifyRegistry2.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ebccc033a2da1d0601a4b23a1c7444d

SHA1
7fda1e23d8b4956f9f07df6fe940438acd3e620e

SHA256
80d4a73c2140e73f8f9c7e03feee6cf20e100247759fae93356e5e918576db27

SHA512
02fe8a687a1329e53a39b9956fba6c5253d1b4861e5de5ae71fa0684a007342f8e5b80474e8b1721ef0f9044a65c7f6c9b541117ea5059f7dfb57335abda1b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\_bz2.pyd

Filesize
82KB

MD5
ae8f1119691435dab497acf4f74e48a9

SHA1
3d66b25add927a8aab7acb5f10ce80f29db17428

SHA256
ac01e1aa3248a7e956b0999e62a426396bd703aaaae389166934928552c36ba8

SHA512
ece66874a204c1014b71482f0c34b64094f6a3a4385d9cc0e805d247b29d3d9dfe30f292879705e35a40214c9717b983cc8cb5b1af7d3000325042bb3cf17f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\_ctypes.pyd

Filesize
121KB

MD5
b8a2aa0b18b076f3138d4b6af625b1a8

SHA1
965f046846293af33401c7c0d56dd1423698f08a

SHA256
ddd2e07bd447e46bf8682953e08a52ef3dec2a16b73016a210ac88196964623c

SHA512
0b75f59db170ab74ccb5d82187171000b5a607524449576ecfc8c708e3dfc501ddec5bcb82153f20e928d6c46a7109ebf59fc32d904fe1307a280ce6f1c6bf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\_hashlib.pyd

Filesize
44KB

MD5
87722ab32707069bea55e20319066020

SHA1
2e38b46e0c2c4f8b701728af82f658653f7ee62a

SHA256
e320235734d606b0a931ab5577ed3d73f276dbe4aeda1b643e11f2c68b1e25fc

SHA512
82261ef493e0eb45739ef2e99829373f960dce76ac35b1b9c92b65de943d4199200da86f9c12450122a12d8356479ab4c9765e33d70659585c1adb670c1272ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\_lzma.pyd

Filesize
246KB

MD5
496778a3b05ad610daad34b752a5fcdf

SHA1
21ad508f2faab85f2304a8e0fdb687611459c653

SHA256
be5a20ea62c97abeaf1cb0c2522f4737d71701f7e1220d92470c0eeb8a99d427

SHA512
3bb10d09a61e84b4b2d19644899021cb8e91418693a11cdc0ca0aa1b861631e11101e9a9feb4ff6883f223294296f6c3634b12206b3ee6a37b37cb761078d122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\_queue.pyd

Filesize
27KB

MD5
03c59e006425bcf5821302efacf3e536

SHA1
841de7c790b1bb5feabbf713318fd5dd2556dab1

SHA256
eb353ed6b1ca807153ff2c72f38f2cce028eb5684de29f681039bd148e7da6c0

SHA512
577f9929e9c70098380bd1dd4f7e7826d3630d680a28b9d576585ff7cc4d84edf9c0438e070a401295d5748239052f7e77b12a9b07af8cb5c5657db9e390de38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\_socket.pyd

Filesize
77KB

MD5
fca96fe528ff7c8a688da45a1667576f

SHA1
3346925f3c5ec51ef9ffbc57b9630663942bdbc4

SHA256
6fb731502320840ea36d2c8194c8de2371d275eb2c2fdffa1a5e62f5bcfc84ea

SHA512
cd3e1ea2590052bd8b0db8f230cddbcf248886acd18f17508fadd64701633646967395aa22c5891ace08b5149ac6dd0543f042ece3a5a6bb2315c4bcaca4d423

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\_ssl.pyd

Filesize
116KB

MD5
481a55afd4a25307321cb46f1b508dce

SHA1
fc988dcf53f6a91062d92cb4b37aaf2d4e8e1a6d

SHA256
24a752482838f62e30c7ad0d40a8a151184901c387ee34ac807f5aec56d04938

SHA512
b47076eb30835fe26918dd3a055f3e0822982030a6cc92c5bf588c7bd27928122b612364f7b79440539a360ed08e3d9adcb97f79637b445fa7b73cfefb171f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\base_library.zip

Filesize
822KB

MD5
c000c903aa76b27b7a7a86ad5bcaa2ce

SHA1
ab420d745a8bd280fcb7b4dfddfc9dcaf80f95bd

SHA256
bc21b75c443e4223635d5f51de0132855ec3b5f97f4399f7d5d35e1a01fef44b

SHA512
ce7effa96a62bb0d6483d0124ee5212e58268b19c06c59150ef905c8bf89285803846ba8f0c86e19b5bcee7c7c1cc0a618ed59b0b95acdad7b6ad38e3e00a474

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\libcrypto-1_1.dll

Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\libssl-1_1.dll

Filesize
670KB

MD5
fe1f3632af98e7b7a2799e3973ba03cf

SHA1
353c7382e2de3ccdd2a4911e9e158e7c78648496

SHA256
1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

SHA512
a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\python3.dll

Filesize
57KB

MD5
11a8500bc31356fae07dd604d6662efb

SHA1
4b260e5105131cdcae9313d1833cce0004c02858

SHA256
521f17a2caab35730bfdccb954704a6ffc035d4f7ea24208c76f6a45f30fd0b6

SHA512
15f967bdf3c64c7435bfa48fe4a8c3157b4568c08f396bc20fde7cb802aa0a633afaa987b1ebdf7851c6aa405e65f28d754bca8e06ff0a3b54f6da9a6d81d7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\python38.dll

Filesize
4.0MB

MD5
147281c6864c61225284fc29dd189f37

SHA1
f9affa883855c85f339ac697e4f2942dd06a3a2e

SHA256
c5d4495bb879cc52a5076e1f366f330aa006d1e7e34c6b640a98378746244099

SHA512
ec5d36cda7689f6f9889ff0fdf2d946704c930a030d7254b901db78c4591a3f4fde0fe75a841ae91c2f0881edaf75b36d04e81e3d8605b81df4bc9195a09d056

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\select.pyd

Filesize
26KB

MD5
3bff7c4ca394c523c25de029461ce32a

SHA1
15e2e1bff65fdf400ef54358079bb25a29faedaa

SHA256
306b8d12b77a8d6b6d06c6120331584af14f8deb97d5aed799a4779413052bc1

SHA512
2ce6d85dd23882b8a0ed00e0d2f4cc70f1c2871172e5f4e39d3bcf68ad0f69a528b227f14e02fc28467bc232619cbbf4feead778818a926716604e86285e69a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\unicodedata.pyd

Filesize
1.0MB

MD5
670368fed0b550dcc0574801ebf4d2da

SHA1
fac31b9ba19b4bc0ad138935d6a268bc434dd47a

SHA256
6b3d8ea118eca733b95713616306b829a3eea80e1068c30f5408717bf81c715d

SHA512
f32d992bfd9f30df53b5be95b81d613a50517e3624906e9bb43b17ccccd5a5d88b435256310c2339dc1b811b19d61edcd4104f973e8d18c674510826b16bc334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\zstandard\backend_c.cp38-win_amd64.pyd

Filesize
508KB

MD5
53ccb9a9b8b05c82ee4b81876a64e290

SHA1
ea92c8fbc6d45e09c644c34169e527467e44ea30

SHA256
be8580a74db88e06d866e5644f365f7f90fa1e2017deeae90692910ee9e451a7

SHA512
4b858d71d99a3eeb8a0b64c062c80dadc16849a9c797025c6acc3ea4bd3ea670c88ce3beb3e45a6660b7d95acddcca1b0c8b6e30dcc4dea6da70f28ba7f1d0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dqhgb50h.d2y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\ModifyRegistry1.ps1

Filesize
705B

MD5
a60a43a7084f6596277ffd41d477e262

SHA1
0e2f679259adeceb3d385de4cd715b354ee35b66

SHA256
c69972f85d11e4e275ba47ce9a17997088361378ceed14fbb3b6cbd696edb5b4

SHA512
8cfbbf0510c20470c35b057c4ed0e9d7c5baae0bc469593418702968f856edeabb7b1264f9e22ad555052cdfda4e687dc417e511edc13fc8a8e08b25089764ba

Download Submit
C:\Windows\Temp\ModifyRegistry2.ps1

Filesize
587B

MD5
e18a24345ad25a015e46fc425ad700ee

SHA1
e07531157b261c142a6d7e354720c7b4b008b70c

SHA256
fdf908894b388d97488a2ec0f7d5d4f36334fa8e21848db6c454e3896f40ac12

SHA512
6a5db8ad6a439a5e3956bbcb3f59ffd7f165f941643dd119876313106802ff012c636475b2a06e720d26462d2950c622aed230c51877fd4dea9a95faf9dcb569

Download Submit
C:\Windows\Temp\ModifyRegistryLog.txt

Filesize
99B

MD5
a9ce73fafc29280324594e42bb131af0

SHA1
9378713323b36747ef047e7cbad2f36c8110128d

SHA256
f6883a9ea695ba378bad58b476470d5c272b2dd28abb9506613b78cf0897f236

SHA512
ff48e1b562972c76b8e8fe6345e517fb868dccc23c3b4c190628f96a41201de464e1146138aa1533c63b02b50e35ce2ca34ce90f11594b4306179e8930c99d26

Download Submit
memory/2016-24-0x00007FF782BC0000-0x00007FF782BC1000-memory.dmp

Filesize
4KB

Download
memory/2016-0-0x0000015913B70000-0x0000015913B92000-memory.dmp

Filesize
136KB

Download
memory/2016-156-0x0000015913B70000-0x0000015913B92000-memory.dmp

Filesize
136KB

Download
memory/2016-157-0x0000015913C70000-0x0000015913CD8000-memory.dmp

Filesize
416KB

Download
memory/2016-155-0x00007FF689050000-0x00007FF689196000-memory.dmp

Filesize
1.3MB

Download
memory/2016-22-0x00007FF802B8D000-0x00007FF802B8E000-memory.dmp

Filesize
4KB

Download
memory/2016-107-0x00007FF689050000-0x00007FF689196000-memory.dmp

Filesize
1.3MB

Download
memory/2016-25-0x00007FF782BD0000-0x00007FF782BD1000-memory.dmp

Filesize
4KB

Download
memory/2016-23-0x00007FF782BB0000-0x00007FF782BB1000-memory.dmp

Filesize
4KB

Download
memory/2016-21-0x00007FF782BA0000-0x00007FF782BA1000-memory.dmp

Filesize
4KB

Download
memory/2016-10-0x0000015913C70000-0x0000015913CD8000-memory.dmp

Filesize
416KB

Download
memory/2016-19-0x0000015913B70000-0x0000015913B92000-memory.dmp

Filesize
136KB

Download
memory/2016-20-0x0000015913C70000-0x0000015913CD8000-memory.dmp

Filesize
416KB

Download
memory/2016-9-0x00007FF689050000-0x00007FF689196000-memory.dmp

Filesize
1.3MB

Download
memory/2016-105-0x0000015913C70000-0x0000015913CD8000-memory.dmp

Filesize
416KB

Download
memory/2984-58-0x00007FF802AF0000-0x00007FF802CE5000-memory.dmp

Filesize
2.0MB

Download
memory/2984-152-0x00007FF689050000-0x00007FF689196000-memory.dmp

Filesize
1.3MB

Download
memory/2984-106-0x00007FF802AF0000-0x00007FF802CE5000-memory.dmp

Filesize
2.0MB

Download
memory/2984-53-0x00007FF689050000-0x00007FF689196000-memory.dmp

Filesize
1.3MB

Download
memory/2984-44-0x0000028B72010000-0x0000028B72032000-memory.dmp

Filesize
136KB

Download
memory/2984-69-0x00007FF782BD0000-0x00007FF782BD1000-memory.dmp

Filesize
4KB

Download
memory/2984-68-0x00007FF782BC0000-0x00007FF782BC1000-memory.dmp

Filesize
4KB

Download
memory/2984-66-0x00007FF802AF0000-0x00007FF802CE5000-memory.dmp

Filesize
2.0MB

Download
memory/2984-67-0x00007FF782BB0000-0x00007FF782BB1000-memory.dmp

Filesize
4KB

Download
memory/2984-65-0x00007FF782BA0000-0x00007FF782BA1000-memory.dmp

Filesize
4KB

Download
memory/2984-108-0x00007FF689050000-0x00007FF689196000-memory.dmp

Filesize
1.3MB

Download
memory/2984-153-0x00007FF802AF0000-0x00007FF802CE5000-memory.dmp

Filesize
2.0MB

Download
memory/2984-64-0x00007FF802AF0000-0x00007FF802CE5000-memory.dmp

Filesize
2.0MB

Download
memory/2984-54-0x0000028B72110000-0x0000028B72178000-memory.dmp

Filesize
416KB

Download
memory/4824-124-0x000001FCF4DC0000-0x000001FCF4DE2000-memory.dmp

Filesize
136KB

Download