496b7707e779c1aa2d22954037f5df17a0e528f4f3e97f89cbf40c795c57e36c

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ProAI Installer.exe
Size

51.5MB
MD5

22d0e2d0845b6eddb9d894448f7e3ed3
SHA1

80e6c96edeb4c4677e0bee2cf659e0a81eaf2bc2
SHA256

496b7707e779c1aa2d22954037f5df17a0e528f4f3e97f89cbf40c795c57e36c
SHA512

73d5564fb6d8686a7068962a6743f927fa4f246d0d0fa4fe36418bee10a490151a62e32a9d75f3cf24bcf4d15c2fd5c5d4bc467730c915c21d63b160cc5bbc11
SSDEEP

1572864:HmrYamSMSqfgGXMMwTrqqp9rVeZjjuB7Npd3Xo:Gr1mv9fgYo3p9Z2KjX

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
40	2916	powershell.exe
42	2916	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	mshta.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	mshta.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3724	powershell.exe
2916	powershell.exe
5092	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2916	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
4768	ProAI Installer.exe
3724	powershell.exe
3724	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
5092	powershell.exe
5092	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	ProAI Installer.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeIncreaseQuotaPrivilege	3724	powershell.exe
Token: SeSecurityPrivilege	3724	powershell.exe
Token: SeTakeOwnershipPrivilege	3724	powershell.exe
Token: SeLoadDriverPrivilege	3724	powershell.exe
Token: SeSystemProfilePrivilege	3724	powershell.exe
Token: SeSystemtimePrivilege	3724	powershell.exe
Token: SeProfSingleProcessPrivilege	3724	powershell.exe
Token: SeIncBasePriorityPrivilege	3724	powershell.exe
Token: SeCreatePagefilePrivilege	3724	powershell.exe
Token: SeBackupPrivilege	3724	powershell.exe
Token: SeRestorePrivilege	3724	powershell.exe
Token: SeShutdownPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeSystemEnvironmentPrivilege	3724	powershell.exe
Token: SeRemoteShutdownPrivilege	3724	powershell.exe
Token: SeUndockPrivilege	3724	powershell.exe
Token: SeManageVolumePrivilege	3724	powershell.exe
Token: 33	3724	powershell.exe
Token: 34	3724	powershell.exe
Token: 35	3724	powershell.exe
Token: 36	3724	powershell.exe
Token: SeIncreaseQuotaPrivilege	3724	powershell.exe
Token: SeSecurityPrivilege	3724	powershell.exe
Token: SeTakeOwnershipPrivilege	3724	powershell.exe
Token: SeLoadDriverPrivilege	3724	powershell.exe
Token: SeSystemProfilePrivilege	3724	powershell.exe
Token: SeSystemtimePrivilege	3724	powershell.exe
Token: SeProfSingleProcessPrivilege	3724	powershell.exe
Token: SeIncBasePriorityPrivilege	3724	powershell.exe
Token: SeCreatePagefilePrivilege	3724	powershell.exe
Token: SeBackupPrivilege	3724	powershell.exe
Token: SeRestorePrivilege	3724	powershell.exe
Token: SeShutdownPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeSystemEnvironmentPrivilege	3724	powershell.exe
Token: SeRemoteShutdownPrivilege	3724	powershell.exe
Token: SeUndockPrivilege	3724	powershell.exe
Token: SeManageVolumePrivilege	3724	powershell.exe
Token: 33	3724	powershell.exe
Token: 34	3724	powershell.exe
Token: 35	3724	powershell.exe
Token: 36	3724	powershell.exe
Token: SeIncreaseQuotaPrivilege	3724	powershell.exe
Token: SeSecurityPrivilege	3724	powershell.exe
Token: SeTakeOwnershipPrivilege	3724	powershell.exe
Token: SeLoadDriverPrivilege	3724	powershell.exe
Token: SeSystemProfilePrivilege	3724	powershell.exe
Token: SeSystemtimePrivilege	3724	powershell.exe
Token: SeProfSingleProcessPrivilege	3724	powershell.exe
Token: SeIncBasePriorityPrivilege	3724	powershell.exe
Token: SeCreatePagefilePrivilege	3724	powershell.exe
Token: SeBackupPrivilege	3724	powershell.exe
Token: SeRestorePrivilege	3724	powershell.exe
Token: SeShutdownPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeSystemEnvironmentPrivilege	3724	powershell.exe
Token: SeRemoteShutdownPrivilege	3724	powershell.exe
Token: SeUndockPrivilege	3724	powershell.exe
Token: SeManageVolumePrivilege	3724	powershell.exe
Token: 33	3724	powershell.exe
Token: 34	3724	powershell.exe
Token: 35	3724	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2916	powershell.exe
2916	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 3724	4768	ProAI Installer.exe	92
PID 4768 wrote to memory of 3724	4768	ProAI Installer.exe	92
PID 5072 wrote to memory of 2916	5072	mshta.EXE	97
PID 5072 wrote to memory of 2916	5072	mshta.EXE	97
PID 4888 wrote to memory of 5092	4888	mshta.EXE	100
PID 4888 wrote to memory of 5092	4888	mshta.EXE	100

C:\Users\Admin\AppData\Local\Temp\ProAI Installer.exe
"C:\Users\Admin\AppData\Local\Temp\ProAI Installer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -ep bypass -File "C:\Users\Admin\AppData\Roaming\Adobe\rqSPeXwM1.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3724

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2904

C:\Windows\system32\mshta.EXE
C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\Admin\AppData\Roaming\Adobe\rqSPeXwM2.ps1 """""" ,0:close")
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\Admin\AppData\Roaming\Adobe\rqSPeXwM2.ps1 "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2916

C:\Windows\system32\mshta.EXE
C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\Admin\AppData\Roaming\Adobe\rqSPeXwM2.ps1 """""" ,0:close")
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\Admin\AppData\Roaming\Adobe\rqSPeXwM2.ps1 "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fee026663fcb662152188784794028ee

SHA1
3c02a26a9cb16648fad85c6477b68ced3cb0cb45

SHA256
dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

SHA512
7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
277b54411b7ff92f1351fc21d3326a4d

SHA1
241575641ca7c42068384bd50b815cb6977c18a6

SHA256
b145010ee963797b3b12374def8ece6d77675dfd962e1fbf92a52568ba9764e5

SHA512
4832ce669b13e25e96ef577de7f193e06cef8fe1e02e83039bd53a3b15d7c28e8c2d2a6aa959134fb28245d671d8c5f111b40890a91fe86d51e9a12d5db7fb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4yfiql5x.ftp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\rqSPeXwM1.ps1

Filesize
1KB

MD5
01ed2263914c8d6375e37174852a718f

SHA1
dad0e5510a3ddf9ff9c08bf089d050747117a8ac

SHA256
40cb252da42d0914b7b62a148997ea8f281b44c43f72dcf213645fa42b038376

SHA512
5bc6c125d6514582725572f8fa767f638bfa4c47895d4f7dba872d0a26bb99310f5c3ba8a86d8ae9d3da1bae3702b265f22de5e1ac58745a7321ba9527eea85c

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\rqSPeXwM2.ps1

Filesize
634B

MD5
4fec6d9a032b760526432c746438105e

SHA1
0eabdd2d4c82adce9bc1565dee38bb4564f6d0f4

SHA256
a39067c44f1c5e7d99b015499341cd092cdfd0a47ba616051da37ec58763eed3

SHA512
0e539d33e4c8de55084df8d2fa06680750917ed3c6a9fb06999b90ff2b61063a5e7fc128482889168dbfd054175508d9a63aa0aeb176038ddf34a601105ea6a1

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\rqSPeXwM3.ps1

Filesize
4KB

MD5
30ac924b9d9532e5bab4f6d434624802

SHA1
a064d573506867a5719199d82914a447a6fbb511

SHA256
541519e760f71f8d736886052aab7aa1f2aba60619fb48468264cb710c73b55c

SHA512
de08694c8df92e4b193ef226c3517c0e22a31deedd21094fab7bcd96c1f5555ffcd38158a8660ef1da24f536ef4374a6f52894dc12fed82bb0a572926af4face

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\vwwFxEKCnAzJbpWbfRdR.txt

Filesize
7.1MB

MD5
0383686634333888b2d5bffcab6aabfb

SHA1
634674a08d70296f4a17d0ba4c67880b2d22c4ee

SHA256
1f71b584f8437071580fdcef6e5e2fa3bebed16829c3f65f7e7396b86b61f295

SHA512
f13a863dd7dadf7d10427b059d2577d62acde33d7c3e07004af016e4694a63d30ebefa8dd12a7cc570358d676cb70c567ab2e5233039e7a350f339a47bc802f2

Download Submit
memory/2916-47-0x00000218189D0000-0x0000021819008000-memory.dmp

Filesize
6.2MB

Download
memory/3724-15-0x000002D9EB950000-0x000002D9EB972000-memory.dmp

Filesize
136KB

Download
memory/3724-18-0x00007FFDB74A0000-0x00007FFDB7F61000-memory.dmp

Filesize
10.8MB

Download
memory/3724-17-0x00007FFDB74A0000-0x00007FFDB7F61000-memory.dmp

Filesize
10.8MB

Download
memory/3724-25-0x00007FFDB74A0000-0x00007FFDB7F61000-memory.dmp

Filesize
10.8MB

Download
memory/3724-16-0x00007FFDB74A0000-0x00007FFDB7F61000-memory.dmp

Filesize
10.8MB

Download
memory/4768-19-0x00007FFDB74A0000-0x00007FFDB7F61000-memory.dmp

Filesize
10.8MB

Download
memory/4768-27-0x00007FFDB74A0000-0x00007FFDB7F61000-memory.dmp

Filesize
10.8MB

Download
memory/4768-2-0x00007FFDB74A0000-0x00007FFDB7F61000-memory.dmp

Filesize
10.8MB

Download
memory/4768-1-0x0000023A63DC0000-0x0000023A6713E000-memory.dmp

Filesize
51.5MB

Download
memory/4768-3-0x0000023A6D010000-0x0000023A6D538000-memory.dmp

Filesize
5.2MB

Download
memory/4768-0-0x00007FFDB74A3000-0x00007FFDB74A5000-memory.dmp

Filesize
8KB

Download
memory/4768-5-0x00007FFDB74A3000-0x00007FFDB74A5000-memory.dmp

Filesize
8KB

Download