Analysis
-
max time kernel
115s -
max time network
389s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
05/09/2024, 10:32
General
-
Target
Super_God_Mode.ps1
-
Size
223KB
-
MD5
3a83854c0848a78b8f04b5266832318c
-
SHA1
80f27e77d3202d50a3773a07f5db756652ebfe03
-
SHA256
fc9401bcdc8d6e57300a64127a7e0262672c00f7563b85ec0a55dd22ab3fbd1c
-
SHA512
2b3e3f40dce22711f2c5711754bf83972864f34b4e8cf136f005dc125c82cfb77a8bacc71ac1f685b15e3cdaf060f1b54ee339dcc35095655906272d442058f4
-
SSDEEP
3072:p0ILKTB3eTLVDShJ89d7M+t2f7tW94fcMXF6UnTs3G1qZNPAAskrtZnd/:9SeTLVDShJYJ2fpi1l/
Malware Config
Signatures
-
Drops desktop.ini file(s) 9 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Super_God_Mode.ps11⤵
- Drops desktop.ini file(s)
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ou3vus02\ou3vus02.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9DE.tmp" "c:\Users\Admin\AppData\Local\Temp\ou3vus02\CSC1E100D42F4324DB48F93CB20B8169D16.TMP"3⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pvysyzn1\pvysyzn1.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA4B.tmp" "c:\Users\Admin\AppData\Local\Temp\pvysyzn1\CSC119998D3DD9D42EFBF8A9CC3B443148C.TMP"3⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jjf1v2wd\jjf1v2wd.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEAC8.tmp" "c:\Users\Admin\AppData\Local\Temp\jjf1v2wd\CSCF18F55594F442F698E538D128BAD563.TMP"3⤵
-
-
-
C:\Windows\System32\DataExchangeHost.exeC:\Windows\System32\DataExchangeHost.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" shell:::{ED7BA470-8E54-465E-825C-99712043E01C}1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\system32\wwahost.exe"C:\Windows\system32\wwahost.exe" -ServerName:App.wwa1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD5e322d3c7e1754ddd018872f57a06c321
SHA1e14924571895f52450a5771fd7345e4f3a1d4365
SHA256c941852be0e054e38b22aeb159c5a099a2fced8820b1a9eb7c9de122b03e8e40
SHA512d32fe6fe58c204b115fd1c487c3132b43d764bb1a12af7958c0b58ea8221dd0acbbe965d91678d8d057f87ded94e1077365af7c909d38e58b7e22608286e7f82
-
Filesize
62KB
MD592b5756967fe5d19ade2bcd27a007859
SHA114c79e384dbf750d4c774aa6cbdc7c0c411b8c5a
SHA25652f0ac09a645f0fb0f7241b98aeef977b3260c079d6c5678716dbee50b231a3a
SHA51205d13d94c50a24da063ac05056480989953637c37c2dc95c06c2a838f75335780cfb02a3fe521f528a0034aeb9fd7495ba4f32c8e1e590e79c33007cff976098
-
Filesize
1KB
MD5d27d1548862afb175efacf0fc0928881
SHA1f9918d471d03041f65f2290ceaa538771203be85
SHA256c75768d900f0070cd67ee95fce540735621a8225387c9fbe87b92145d95e3642
SHA5121f371c35b8b9116d0d54d4203517cb53e41bdeca0e792fdb213696a7643db9188b5b91b6bf5f5b805057383786d11d0431b9657c5c5e204d22becb7f45b2068b
-
Filesize
1KB
MD573bacf052354cec465e61c4adc80fa23
SHA1aa1360047049a93b2f1b1f0860d8d7214374af23
SHA256418c37fa5a0593d51a2d1844e6c4cd45f992c3c0f6bad0d8deaae6e0fdbae28e
SHA51290ec11a836212c47e71e704c652b5be26ceab56d244c60a2f270ac3c1beab548e20f2cf9172447b6bc2c29ce62cc7d952669759c286a89b8761300dde55c9b7e
-
Filesize
1KB
MD58a6daaac07682d46cfb77733b6e26284
SHA1ebf8798ab1f2568b83242c2c6ea9a8bf20827365
SHA256ce1dc3f4f4a682cc09e9c9787a5530c396bc76e278858d659ff93a511a9d6c66
SHA512ffe81c48a02ac39ca1b43edd5fac769588ef94552a4a5a7ea5924ea37bc0d9fc4b2db27307c2496d3e473233fa8fc82540075580c468d4b459bd2e68f4df3556
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
3KB
MD52791c9766aacc370f313e20ab3539a85
SHA1db00fd8b484db620050e92bf67d347b96c7843dc
SHA256e09c0c6a3c69099791436793832f19b784188cb0a23b36f909ed2c2ad82b29b3
SHA512692119bd6bd3e97809fc0c6b8363550e44c4efe715b3bbf1ffbf4742d7b5627d249f30f55cb1b7430e649cab14397cb8a13c53b24c534c900eb8db85b631fe24
-
Filesize
3KB
MD5f34e968b3142b9c1e0420eebc07d2625
SHA18a17c25af637b320661b4e45fb58fe1f25b737e5
SHA256df640b2e0cec0785d28a83668ffc72f6eff3cdbf665794618c889e3dfe489162
SHA5124cb83ffb293fa5c835658e154371e2f5558fbc1309355d8e6b98f4a3fbc21d7a1c185e737e302ed606db43f86cf1b5d748f903258ae314584281006b4e1e6ed4
-
Filesize
3KB
MD5ecd563d371cd0c99bae8b1e3e041ef3b
SHA1ab76ac0e983ed9f9ad20f9635137030154414776
SHA256ee5b9d7dd6c60a602bcdac573759ce4b062df1e3e9084f96b93761684487f583
SHA512d4792647290d10f63a3ee767e1641fadf6a370d703a49b95a03cfc94d9b3189965d516c514425fec4d9197e1f5e194b797ef26294615d8fbb3a24198a1fca0cd
-
Filesize
202B
MD5cbd53868f606365bd234bc4895a17e4d
SHA1f80c7194509e12c5141f49f7f77dd4e180ef8c7d
SHA256d83b35da3045eb6554c803f6495f32de7330e2573697968bd85949fca487ac69
SHA51241c18687c99fd7073ac20eb7fdc1e3186594ae91c56d0aa170d9e51852bc02c8debff326571cf0b9a81d837ebbf1c1ea4790718d110fb1853c638408b1895a70
-
Filesize
204B
MD555b916e7fa7774c65688bd0bdf70f9a9
SHA1ae86b4d811c71122f7adb124c77177d9bc165d84
SHA256c25083de49d828372075f4e5323c122286041a6968dfeafd311daad312717b4c
SHA512d8a4077063b6c19b94febb07f86cc3ea6137e88e687554cf597a246c4c26674ba0f3be311123d0019034d39c76e488c7896efef58e1adf367becef939570c7d7
-
Filesize
210B
MD5c68a3c683e75af92cf16f5c3193396c9
SHA1943523f25bf681dc25e30fade5e93b098840f975
SHA256325f72c9f236b9a002c75c78d276a2903869e7c6ba971e2d796e069a1b24e524
SHA51256c0a92c8c48206e02a7706c9a6fb085ec520573480c81ceee75659be7f64e2b2d9833290f8e6c45f99be392e5c0616354aa022fb74ae79bf5e36c8ea613e91e
-
Filesize
204B
MD50d0f38f49ea24b428fa08ae7106e4682
SHA13266fe8de3f2ba53be944ce2f68c1a97a872b04b
SHA2567b42a56fcea00bec5e35fb3c7a53ba863aafc601ae0c252d4ec7d0552bec4048
SHA5121ee4c144709aec7b249e4843142d06ffc6e4b9dabe49c65e601f52eb700d596b13ca6308c8b771d6fe55c81a4ee11efed8cf1a726e7feda1dc6ebcb6bf22b366
-
Filesize
1KB
MD53626a6dc88ee3c6985f3d3557182015e
SHA16925b487fc15048af5120dea7ad5d599f35a4df5
SHA256d975c6339dc7d64e5f6d163e6c511ffec92ebefcbeee4d4c2d1fb5008f6e2b98
SHA512a83f010f3fc468d8d8c0fc1d4434a4284fa3f3e8d64bf702b284e84839689dadf0826b3d4e9ae709dc08efedb89877b96259b484948870aa6be42bb9dbb35625
-
Filesize
1KB
MD5e902d4dfa2830f6ad8e150d3e4ccc4dc
SHA1b9d906c6189cc818f97c51926a7eeaf1e0caa8ec
SHA25605d17aba477a8fed028ffdd85a1fb5a32c7723bb4bc88bfcd85d01901272b131
SHA512452e4bc28b3702a6c86ca25006f7d9749d6a0ffd72442e641e48307de117ef732bb415de946efe264cf87de8d2c99aa24d9730c745211eea5814060177b123bb
-
Filesize
1KB
MD5d993ff81bf3f3be67a9e8aff4090fac2
SHA1ebdbdf930689fb558ef73f0420cac0ad83cf44d2
SHA25609435fdebe1399391c1be0da240d9d29127a38394120397bc6c73542630368b4
SHA51211b87c1db51616809e9c27a7acfe023b908f39fb1ecfab3c05b2f7a2c1277996d14e03cab3e92da288ccfcde6a421b0971158085bfa4763d01718fdc4deeaed3
-
Filesize
830B
MD55584b816233be80da21bd15cf571c746
SHA1e72a08516153f426a2fe7bd20df58ea774493f5c
SHA2562be55beb1f5ee5e09ec5a817a51e614059b6f40eb16fbae3d26ac34541e2ad52
SHA5125f5765335999bc5921d25a4c6a211fe6d8d7fe5995b7f2ca2b950725e02ec61b04e47accc468fd63ca6f16b3654f1310ca94dac40b7cf7bc0de6f9d9d442a2b0
-
Filesize
804B
MD5846cc9cf134cfe72f24f5e6e536dbab6
SHA1db00553d3e12c5b98554997df01a70d5f12da247
SHA256230734e14e520ecfb1b4bd9506aca7548567749b4af16387f94219db1716c1d9
SHA51233b64e550dc917bffda835d21b85ce5def46f16eff64c2810fe0ec4205e6e6747a3849e791778a112d2df44474a7c5fa55ea2eeac35262ebbed7d17f3a9dc327
-
Filesize
69B
MD5e3435cb945c26ea98d431ca192800be5
SHA12c4a0896e4ac6475ef59425b1b77175529f5ce44
SHA2566fac2e0a3f2387d1ad1f3b6d07bd6d3fc1335e34b1d68353e5a8eaddd8a19230
SHA512b1c7d91e5d9ea2d0cea52ff030138e907ff348fc0bd36743a95ab805e1da0fc68771cbfac4d3bd6e8609fc76c529b6a773085e7058959a9fbe119c49356a1bf4
-
Filesize
652B
MD565c98456a106a0b995842e9b0acf29ef
SHA17cca01f44739323ba09e084c16e1d71538f70a2c
SHA256c269a57d77f3b080455312a0bdcf439a649d70d7e6be6b68b552606300a04627
SHA512ac9cd84fab6a2db3d5ea117e4c25257f31259cfdeace463e32d02e56fabf3ab6ad88cc77f75b1d8500aed5271678d52ece200976cc2532775762147317ede489
-
Filesize
748B
MD5331b36a40cdece32c067a40d20408736
SHA144ac28aecdeeb5acf40ce7cb9c54517dd73e720f
SHA256c849d36962539251bac3655287b12bde59b9e59123757a7e3ccc18c6e7c788c2
SHA5126c2048f73b2e727f3cdd76db196eb8bfd7294f4d8ef33a8314926361f89842ce5dbdebcc13781c0b7ea540b4de3012eb83228808179daf0e9993e463ee9cd12e
-
Filesize
369B
MD5043f011e40456409b0ff0b838cb54ffc
SHA11d08dd293e720f475012e96f51d40806e874d3db
SHA2566737c510d482e817ede714f2605c7bf556d497750a0e1a893d0d86a4daad7221
SHA512cc3d77031c8dbfe22dc353b2f4b2eefe4b512a63edc3744ca8987abce60ed700090d98be24ecc33785769bfcb32a4395fc0a0a2def441c6c40d55164c7bcd7c0
-
Filesize
652B
MD5ee418c98d64d26586690f8fb42e3ef18
SHA18d27fe9a1471f24e284dfdcbe730f9e92131514e
SHA2569720d46ae14d5e4952c535050b0868ebd33728ae767aa796f99eac4608442bdd
SHA5120fffd81a809f44eee8e0ef062cef8d73316f4ef01689400dfbf4cadf76d661f3620a4eeee7578bac86cdccee3f00f72a358056508cfda43fd1efa8098a66850c
-
Filesize
1KB
MD5f62a3326583f8495f9bbc6e647a8fada
SHA159ab73b1870c5817cc7d714fff9f3c89f31f0476
SHA25683ae288bc06dd57f6bf9a7353a1ac2b7da308dc6a1a2847da4f4a437db6e5069
SHA5127b02674bf2ecf1976b0c522e4a4140fc0cb5bcd8cf7089c3d71364cda1678f071b7ba228792700dc21639383665740743a966d5d5a99d23d980925fa71b79684
-
Filesize
369B
MD52546d9e34c3d238718c5f21a96544b49
SHA1752b2804ec5c8f269887e4c17dc4e5cbc8fef649
SHA2562b36b92707851fa8c7b4eb819f30a3a4a3580debfb3478abcb820c69bfd9faaa
SHA5127aef9995dc0aba3ad5ab038568cc287037636ebebe161c7482e28df32b0283d2dbec07f4cd96d961ac73bbb08b3f937824c766f3f6b4dcfdfecd6829b25cc2e6
-
Filesize
652B
MD511d7f06f76f372817f4ece80dcc8909a
SHA19cade179c0dc1de50718d0889f0948547f43908b
SHA256867f5d56502bf9c194ff95cbbf37fc3cfe043be1c26b5eb5b91488d7e9b345cc
SHA512f062d8fad775f8e0a0a908423f9ae533650ff9156fc1aaefd2ef025ce08fe341a5727a773bb7f14de6932bfe5abcdb2e2a1654ee9cac3745d8a012d8f724b620
-
Filesize
359B
MD5b432d1d066ff07eebec2eea30c57a6cb
SHA1a6197d5ce01ebbaa5e7d64875eb3b6fb8f5cc168
SHA2566db4ffddb07ac610ad48049020b0a93a5ceae9f4005ac37f14df5753be743b14
SHA512e34878c3a5ec83f2ca3814ac3a272faba97897ab60baa939061c40916604db7e488d2748030f71e35e5c7cfa391989e4d04c413c870b9af1fec294a00f50a3dd
-
Filesize
369B
MD53e3bae59de19b4f32834362a9ffba3d1
SHA1fdfd99185e792f0d92fe0dfc33995d954b933e68
SHA2567a13959835c06094f31159a0366c0066099da319e24dd7202bf44a33b8823866
SHA51253f8c760ebfdcff43f091470b73cd08cb06c921054087d98a5a55f4f9c0ad400afc0674cd363efaf8cb66df253769eea8ac66e6999d9972ea8b803ead7471fae
-
Filesize
224KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
168KB
-
Filesize
9.9MB
-
Filesize
472KB
-
Filesize
80KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
136KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
1024KB