0217aa1aa81a6e492b9b210fc349e8e71b1e0f4ac75289a271bd75111018924a

Analysis

max time kernel
114s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ULTIMATE KASU/ Install DEBLOATED GPU drivers/NVCleanstall_1.16.0.exe
Size

3.8MB
MD5

41421866b825dbdcc5f29a0bbd484362
SHA1

f7637ef22c82a108ab4668baca40e4f03eb49a5c
SHA256

efecb17d9d73082bf28a6e7c6bb87a81c65a59b2d4d14251678da3cffa6a12a1
SHA512

72ba988029e87661ad2adf68f79d054febe499d2fb3220518df7372b953d761acf88470f1620f7660eba963c42bc9327ad070b0c386282f6654f80b0ed50599d
SSDEEP

49152:5FEVBwhGaOQ52kLkEfg3fBDW4mJVUEtc3W4TDyJw7so4c7ckyRKPk9gZPeR0XjBO:5aPJaOQ5UB6Bxu9TDyJw4cXyIuaWR0rs

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3256	NVCleanstall_1.16.0.exe
Token: SeCreatePagefilePrivilege	3256	NVCleanstall_1.16.0.exe
Token: SeDebugPrivilege	3256	NVCleanstall_1.16.0.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ULTIMATE KASU\ Install DEBLOATED GPU drivers\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\ULTIMATE KASU\ Install DEBLOATED GPU drivers\NVCleanstall_1.16.0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3256-0-0x00007FFCB8F23000-0x00007FFCB8F25000-memory.dmp

Filesize
8KB

Download
memory/3256-1-0x000001775F840000-0x000001775FC04000-memory.dmp

Filesize
3.8MB

Download
memory/3256-2-0x000001777A420000-0x000001777A9E0000-memory.dmp

Filesize
5.8MB

Download
memory/3256-3-0x000001775FFE0000-0x0000017760002000-memory.dmp

Filesize
136KB

Download
memory/3256-4-0x000001777AEB0000-0x000001777B37C000-memory.dmp

Filesize
4.8MB

Download
memory/3256-5-0x000001775FFB0000-0x000001775FFB6000-memory.dmp

Filesize
24KB

Download
memory/3256-6-0x00007FFCB8F20000-0x00007FFCB99E1000-memory.dmp

Filesize
10.8MB

Download
memory/3256-7-0x00007FFCB8F20000-0x00007FFCB99E1000-memory.dmp

Filesize
10.8MB

Download
memory/3256-8-0x0000017761A30000-0x0000017761A38000-memory.dmp

Filesize
32KB

Download
memory/3256-9-0x000001777ADE0000-0x000001777AE18000-memory.dmp

Filesize
224KB

Download
memory/3256-10-0x000001777A3A0000-0x000001777A3AE000-memory.dmp

Filesize
56KB

Download
memory/3256-11-0x00007FFCB8F20000-0x00007FFCB99E1000-memory.dmp

Filesize
10.8MB

Download
memory/3256-12-0x00007FFCB8F20000-0x00007FFCB99E1000-memory.dmp

Filesize
10.8MB

Download
memory/3256-13-0x00007FFCB8F23000-0x00007FFCB8F25000-memory.dmp

Filesize
8KB

Download
memory/3256-14-0x00007FFCB8F20000-0x00007FFCB99E1000-memory.dmp

Filesize
10.8MB

Download
memory/3256-15-0x00007FFCB8F20000-0x00007FFCB99E1000-memory.dmp

Filesize
10.8MB

Download
memory/3256-16-0x00007FFCB8F20000-0x00007FFCB99E1000-memory.dmp

Filesize
10.8MB

Download
memory/3256-17-0x00007FFCB8F20000-0x00007FFCB99E1000-memory.dmp

Filesize
10.8MB

Download