221c04745766b7dd65ff78d3590b2476f8de00c5fe17c1eb7d3aff34a9033df9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ProEditAI.ex#.exe
Size

2.0MB
MD5

78e6fe030031e0b319121f4af546c743
SHA1

f4a824edb08af666f6e3c7ebc29a2b64b96ba75e
SHA256

221c04745766b7dd65ff78d3590b2476f8de00c5fe17c1eb7d3aff34a9033df9
SHA512

f21d9f4d5c205b8a988b93cb6fbd6190bd7cba3934b0ff07c9ce1e67fb439dd017d87a73c0684353d63990b34cba2637d81d0418429088990b4bc8bb31cadfae
SSDEEP

49152:zVAbwcf0qplQ9rQ7JC+zQlQTLw9Lqb4tBr9mPrIdq1AT2U:ZAa+lQp85Q59mb47r9mDLm2

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3572	powershell.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3516	ProEditAI.ex#.exe
3572	powershell.exe
3572	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3516	ProEditAI.ex#.exe
Token: SeDebugPrivilege	3572	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 3572	3516	ProEditAI.ex#.exe	92
PID 3516 wrote to memory of 3572	3516	ProEditAI.ex#.exe	92

C:\Users\Admin\AppData\Local\Temp\ProEditAI.ex#.exe
"C:\Users\Admin\AppData\Local\Temp\ProEditAI.ex#.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -ep bypass -File "C:\Users\Admin\AppData\Roaming\Adobe\TTMwrUpY1.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hpfxofoy.cau.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\TTMwrUpY1.ps1

Filesize
634B

MD5
ca023b0ddb87b366402e4f23a6ec132d

SHA1
2031244c3adeadb0ad67ea3dfe747444d09c0ee6

SHA256
d6a0a3b6fb33ae181c850e8c9130f1aaefab3be3b0ae4d6a63d7c58e30f1b8f1

SHA512
5d921127ab6e7fa3fcc7fe1484a69be7670dda86cfca7f388051533f3f446699f82c8069018eac1c2cdb652c97128adb902fada8f730979ce30026fbf8fed4f0

Download Submit
memory/3516-3-0x000001F67A800000-0x000001F67AD28000-memory.dmp

Filesize
5.2MB

Download
memory/3516-0-0x00007FFFFF523000-0x00007FFFFF525000-memory.dmp

Filesize
8KB

Download
memory/3516-2-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp

Filesize
10.8MB

Download
memory/3516-16-0x00007FFFFF523000-0x00007FFFFF525000-memory.dmp

Filesize
8KB

Download
memory/3516-1-0x000001F6746F0000-0x000001F6748F6000-memory.dmp

Filesize
2.0MB

Download
memory/3516-21-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp

Filesize
10.8MB

Download
memory/3516-26-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp

Filesize
10.8MB

Download
memory/3572-5-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp

Filesize
10.8MB

Download
memory/3572-15-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp

Filesize
10.8MB

Download
memory/3572-18-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp

Filesize
10.8MB

Download
memory/3572-17-0x0000023A44A60000-0x0000023A44A82000-memory.dmp

Filesize
136KB

Download
memory/3572-24-0x00007FFFFF520000-0x00007FFFFFFE1000-memory.dmp

Filesize
10.8MB

Download