Overview

overview

9

Static

static

3

1d0000.MSBuild.exe

windows7-x64

1

1d0000.MSBuild.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    92s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-09-2024 12:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d0000.MSBuild.exe

  • Size

    151KB

  • MD5

    41cf033d05ae0e2c5238a7932cf2dc77

  • SHA1

    df885092f397a0a70f26b98c5abb35253d2cb06c

  • SHA256

    f307cd4cb26d2d851ca55e9ab039656247ffd3b01b89ad0dcd32adf8e689724b

  • SHA512

    eb1a3d4fe54c01c5ed6eb58208fed72aaf628aa6df60f5711f0e8e119a68517d7bc4112c5387858803072b144510fbd7c74f5e44853d3aefa5685979f755ef48

  • SSDEEP

    3072:FzFIwXIUVadV/NqI9tw5ojnsbkps3CUBB8owEKctGE:RXcV/55jnsbkps3CUBB81EK

Score
9/10
credential_accessexecutionspywarestealer

Malware Config

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d0000.MSBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\1d0000.MSBuild.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\Admin\AppData\Roaming\C4T70DXYQS.exe'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vff0xchw.c3q.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\C4T70DXYQS.exe
    Filesize

    18KB

    MD5

    199b648b2ebe365467dd48ae11510de9

    SHA1

    0c0558feaa77f3880a94d1ee739f71594714050f

    SHA256

    193d9da0348d7a529dd47e31cf06c69de293a6f121c972a6f718cc4c36909478

    SHA512

    efe80083f180bcff74d972942d94b9dee6e70e603a2be0985cc1eebd9af4cbf32ff154c0f77f97a6112ea23e882515dec5bcb960ad3f3db4403969a7697b714c

    Download Submit

  • memory/1840-20-0x00007FFB47A60000-0x00007FFB48521000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1840-17-0x0000019D75540000-0x0000019D75562000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1840-18-0x00007FFB47A60000-0x00007FFB48521000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1840-19-0x00007FFB47A60000-0x00007FFB48521000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1840-24-0x0000019D75580000-0x0000019D7579C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1840-25-0x00007FFB47A60000-0x00007FFB48521000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4708-3-0x00007FFB47A63000-0x00007FFB47A65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4708-2-0x00007FFB47A60000-0x00007FFB48521000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4708-7-0x00007FFB47A60000-0x00007FFB48521000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4708-0-0x00007FFB47A63000-0x00007FFB47A65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4708-1-0x0000021F5B3D0000-0x0000021F5B3FC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4708-27-0x00007FFB47A60000-0x00007FFB48521000-memory.dmp

    Filesize

    10.8MB

    Download