c04e5dc40f72419845165d9298c3c75524510a90e118eb5c8805aa92c9e67076

Analysis

max time kernel
28s
max time network
39s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
30/09/2024, 18:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PrismifyrSetup.exe
Size

62.0MB
MD5

79440ee002e61da9363e7754c0fbc5ce
SHA1

7d917568ba89c6ea7cfd510bc16eafcc526aa02c
SHA256

c04e5dc40f72419845165d9298c3c75524510a90e118eb5c8805aa92c9e67076
SHA512

aba166805a8ebcfbbc8ca05fce577b052782629d5b7e44c493670fd647fc5d3cff23e84d77da93cdaf120a4b4935049611a4bbeb18a1a5f4d215b44528e75c59
SSDEEP

786432:fMguj8Q4VfvuqFTrYuKodJNWQwod0NWIVyJf/Wyt:fiAQIHukH/dJs+d0spJz

Score

8^/10

defense_evasion execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4216	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
1660	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4956	WMIC.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4216	powershell.exe
4216	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeIncreaseQuotaPrivilege	4632	WMIC.exe
Token: SeSecurityPrivilege	4632	WMIC.exe
Token: SeTakeOwnershipPrivilege	4632	WMIC.exe
Token: SeLoadDriverPrivilege	4632	WMIC.exe
Token: SeSystemProfilePrivilege	4632	WMIC.exe
Token: SeSystemtimePrivilege	4632	WMIC.exe
Token: SeProfSingleProcessPrivilege	4632	WMIC.exe
Token: SeIncBasePriorityPrivilege	4632	WMIC.exe
Token: SeCreatePagefilePrivilege	4632	WMIC.exe
Token: SeBackupPrivilege	4632	WMIC.exe
Token: SeRestorePrivilege	4632	WMIC.exe
Token: SeShutdownPrivilege	4632	WMIC.exe
Token: SeDebugPrivilege	4632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4632	WMIC.exe
Token: SeRemoteShutdownPrivilege	4632	WMIC.exe
Token: SeUndockPrivilege	4632	WMIC.exe
Token: SeManageVolumePrivilege	4632	WMIC.exe
Token: 33	4632	WMIC.exe
Token: 34	4632	WMIC.exe
Token: 35	4632	WMIC.exe
Token: 36	4632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4632	WMIC.exe
Token: SeSecurityPrivilege	4632	WMIC.exe
Token: SeTakeOwnershipPrivilege	4632	WMIC.exe
Token: SeLoadDriverPrivilege	4632	WMIC.exe
Token: SeSystemProfilePrivilege	4632	WMIC.exe
Token: SeSystemtimePrivilege	4632	WMIC.exe
Token: SeProfSingleProcessPrivilege	4632	WMIC.exe
Token: SeIncBasePriorityPrivilege	4632	WMIC.exe
Token: SeCreatePagefilePrivilege	4632	WMIC.exe
Token: SeBackupPrivilege	4632	WMIC.exe
Token: SeRestorePrivilege	4632	WMIC.exe
Token: SeShutdownPrivilege	4632	WMIC.exe
Token: SeDebugPrivilege	4632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4632	WMIC.exe
Token: SeRemoteShutdownPrivilege	4632	WMIC.exe
Token: SeUndockPrivilege	4632	WMIC.exe
Token: SeManageVolumePrivilege	4632	WMIC.exe
Token: 33	4632	WMIC.exe
Token: 34	4632	WMIC.exe
Token: 35	4632	WMIC.exe
Token: 36	4632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3020	WMIC.exe
Token: SeSecurityPrivilege	3020	WMIC.exe
Token: SeTakeOwnershipPrivilege	3020	WMIC.exe
Token: SeLoadDriverPrivilege	3020	WMIC.exe
Token: SeSystemProfilePrivilege	3020	WMIC.exe
Token: SeSystemtimePrivilege	3020	WMIC.exe
Token: SeProfSingleProcessPrivilege	3020	WMIC.exe
Token: SeIncBasePriorityPrivilege	3020	WMIC.exe
Token: SeCreatePagefilePrivilege	3020	WMIC.exe
Token: SeBackupPrivilege	3020	WMIC.exe
Token: SeRestorePrivilege	3020	WMIC.exe
Token: SeShutdownPrivilege	3020	WMIC.exe
Token: SeDebugPrivilege	3020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3020	WMIC.exe
Token: SeRemoteShutdownPrivilege	3020	WMIC.exe
Token: SeUndockPrivilege	3020	WMIC.exe
Token: SeManageVolumePrivilege	3020	WMIC.exe
Token: 33	3020	WMIC.exe
Token: 34	3020	WMIC.exe
Token: 35	3020	WMIC.exe
Token: 36	3020	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1660	1908	PrismifyrSetup.exe	79
PID 1908 wrote to memory of 1660	1908	PrismifyrSetup.exe	79
PID 1660 wrote to memory of 4216	1660	cmd.exe	80
PID 1660 wrote to memory of 4216	1660	cmd.exe	80
PID 4216 wrote to memory of 4256	4216	powershell.exe	81
PID 4216 wrote to memory of 4256	4216	powershell.exe	81
PID 4256 wrote to memory of 4876	4256	csc.exe	82
PID 4256 wrote to memory of 4876	4256	csc.exe	82
PID 1908 wrote to memory of 4752	1908	PrismifyrSetup.exe	83
PID 1908 wrote to memory of 4752	1908	PrismifyrSetup.exe	83
PID 4752 wrote to memory of 3820	4752	cmd.exe	84
PID 4752 wrote to memory of 3820	4752	cmd.exe	84
PID 1908 wrote to memory of 1472	1908	PrismifyrSetup.exe	85
PID 1908 wrote to memory of 1472	1908	PrismifyrSetup.exe	85
PID 1472 wrote to memory of 4632	1472	cmd.exe	86
PID 1472 wrote to memory of 4632	1472	cmd.exe	86
PID 1908 wrote to memory of 2340	1908	PrismifyrSetup.exe	88
PID 1908 wrote to memory of 2340	1908	PrismifyrSetup.exe	88
PID 2340 wrote to memory of 3020	2340	cmd.exe	89
PID 2340 wrote to memory of 3020	2340	cmd.exe	89
PID 2340 wrote to memory of 1992	2340	cmd.exe	90
PID 2340 wrote to memory of 1992	2340	cmd.exe	90
PID 1908 wrote to memory of 1464	1908	PrismifyrSetup.exe	91
PID 1908 wrote to memory of 1464	1908	PrismifyrSetup.exe	91
PID 1464 wrote to memory of 4956	1464	cmd.exe	92
PID 1464 wrote to memory of 4956	1464	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\PrismifyrSetup.exe
"C:\Users\Admin\AppData\Local\Temp\PrismifyrSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\Epic Games\5qWvZ.ps1""
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\Epic Games\5qWvZ.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aeiifeed\aeiifeed.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4256
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD72.tmp" "c:\Users\Admin\AppData\Local\Temp\aeiifeed\CSC965B07F261841EE8FB56D72C7EEE88.TMP"
        5⤵
        
        PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Epic Games\5qWvZ.ps1

Filesize
367B

MD5
85b08a656dd5e856766b6104136b6a96

SHA1
28ee817e2bd7fc9fb018ed59981e4bc1a3b15a95

SHA256
d3da2061327b09f1eba1b9d5db0c61db24b9f6b13bae96510bb791057067ab34

SHA512
79cfa7e12cf7087a9c452e8f730a926b932a466f4f8d3dbfda7454b764a2d06df48e0d8e0abbf87b8ec9640320ee37e396b6b74bb92719fad4afbd07deb8738e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCD72.tmp

Filesize
1KB

MD5
d435a180770a1b0c2ab2bff8f2f3af26

SHA1
d75d94e0c6dbf062657265cb15df5507915535bc

SHA256
8b30739cb79c349315196d00113fafa0de21f286bc1e41f9a48280b10b167a76

SHA512
0b1752d05e50c00fdd21c1d40f9d02abfe7255eeadb768fddddcf25865ce687aa66e5e8a8032a27709695aedb9b7370b6b59efb1ff5303415d45f7d97e7218e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lfohbikf.dnm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aeiifeed\aeiifeed.dll

Filesize
3KB

MD5
93fa3732dcb87e24c21dc180a8fe430c

SHA1
26234fd68d785c4a121849ecd5919174280b7c20

SHA256
8ab01d2bdc230af10ea4f15b652fdf79ffcae0e1557d62630fa1f0a8cc4b11f4

SHA512
bc426b6e14015d4624966af6716b74f22b7d8882e40ffad39086c051e6378f6d8e8788b22539d3a1f72e02cbd6912d5ee6016e5e908740644c7f54e279452a1f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aeiifeed\CSC965B07F261841EE8FB56D72C7EEE88.TMP

Filesize
652B

MD5
8b74bf1b406170c7e92abac7f6340b12

SHA1
192b18c9c5184fb457277bd68dd6d5927886cd0b

SHA256
4ed6ec044aaba6c7034cb6cafaec71840bf95a4741dbf5e98dd90638110e7722

SHA512
6e016c1b7a94f92889729b0c35bb5fe12d6fa4d4e890d0c4a97c80580841784a2d5610f4e5ebcfd3760877dc9f11e244316c6fe0e721dd477f35269b73627534

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aeiifeed\aeiifeed.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aeiifeed\aeiifeed.cmdline

Filesize
369B

MD5
39464da9e86e695fd38b69d97216b86a

SHA1
1f9dba11ec4c05654be6814bff5340053fa82d4b

SHA256
59fa18fed3fa55a44a50cc7f784ecc1dcaf427f3411022ae97bac9fde6fd540f

SHA512
5cdffbc48bdcd0f03608ad0b8b48cfb57c1fd7cbda8fa837f4e7efe738c9a24453dacf806c7511cebd1f1e28ff406206869d9bc5ed5c16a7e84b252ab13fa331

Download Submit
memory/4216-15-0x00007FFF7B630000-0x00007FFF7C0F2000-memory.dmp

Filesize
10.8MB

Download
memory/4216-2-0x00007FFF7B633000-0x00007FFF7B635000-memory.dmp

Filesize
8KB

Download
memory/4216-28-0x000001807A100000-0x000001807A108000-memory.dmp

Filesize
32KB

Download
memory/4216-14-0x00007FFF7B630000-0x00007FFF7C0F2000-memory.dmp

Filesize
10.8MB

Download
memory/4216-12-0x00007FFF7B630000-0x00007FFF7C0F2000-memory.dmp

Filesize
10.8MB

Download
memory/4216-11-0x000001807BFD0000-0x000001807BFF2000-memory.dmp

Filesize
136KB

Download
memory/4216-33-0x00007FFF7B630000-0x00007FFF7C0F2000-memory.dmp

Filesize
10.8MB

Download