Overview

Task                         Platform              Score
overview                     -                     10
static                       -                     10
AnyDesk.exe                  windows7-x64          1
AnyDesk.exe                  windows10-2004-x64    1
Archevod_XWorm.exe           windows7-x64          10
Archevod_XWorm.exe           windows10-2004-x64    10
ClickMe.lnk                  windows7-x64          8
ClickMe.lnk                  windows10-2004-x64    8
Cmstp.bat                    windows7-x64          10
Cmstp.bat                    windows10-2004-x64    10
GoogleChrome.exe             windows7-x64          10
GoogleChrome.exe             windows10-2004-x64    10
Hidden_Und...on.ps1          windows7-x64          8
Hidden_Und...on.ps1          windows10-2004-x64    8
Hidden_magic.vbs             windows7-x64          3
Hidden_magic.vbs             windows10-2004-x64    7
Manage.bat                   windows7-x64          1
Manage.bat                   windows10-2004-x64    1
Night_uac/...in.ps1          windows7-x64          8
Night_uac/...in.ps1          windows10-2004-x64    8
Night_uac/...ge.ps1          windows7-x64          8
Night_uac/...ge.ps1          windows10-2004-x64    8
Night_uac/...gen.py          windows7-x64          3
Night_uac/...gen.py          windows10-2004-x64    3
Night_uac/amsi.ps1           windows7-x64          3
Night_uac/amsi.ps1           windows10-2004-x64    3
Night_uac/amsi.ps1           windows7-x64          3
Night_uac/amsi.ps1           windows10-2004-x64    3
Night_uac/command.ps1        windows7-x64          3
Night_uac/command.ps1        windows10-2004-x64    3
Night_uac/down.ps1           windows7-x64          3
Night_uac/down.ps1           windows10-2004-x64    8
Night_uac/...gp.ps1          windows7-x64          8
Night_uac/...gp.ps1          windows10-2004-x64    3

Analysis
- max time kernel: 144s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-10-2024 17:21
Static task: static1

Behavioral tasks
Task            Sample                                    Resource
behavioral1     AnyDesk.exe                               win7-20240729-en
behavioral2     AnyDesk.exe                               win10v2004-20241007-en
behavioral3     Archevod_XWorm.exe                        win7-20240903-en
behavioral4     Archevod_XWorm.exe                        win10v2004-20241007-en
behavioral5     ClickMe.lnk                               win7-20240903-en
behavioral6     ClickMe.lnk                               win10v2004-20241007-en
behavioral7     Cmstp.bat                                 win7-20241010-en
behavioral8     Cmstp.bat                                 win10v2004-20241007-en
behavioral9     GoogleChrome.exe                          win7-20240903-en
behavioral10    GoogleChrome.exe                          win10v2004-20241007-en
behavioral11    Hidden_Undected_CMSTP-Reflection.ps1      win7-20241010-en
behavioral12    Hidden_Undected_CMSTP-Reflection.ps1      win10v2004-20241007-en
behavioral13    Hidden_magic.vbs                          win7-20240903-en
behavioral14    Hidden_magic.vbs                          win10v2004-20241007-en
behavioral15    Manage.bat                                win7-20240903-en
behavioral16    Manage.bat                                win10v2004-20241007-en
behavioral17    Night_uac/Uac_main.ps1                    win7-20240903-en
behavioral18    Night_uac/Uac_main.ps1                    win10v2004-20241007-en
behavioral19    Night_uac/Uac_stage.ps1                   win7-20241010-en
behavioral20    Night_uac/Uac_stage.ps1                   win10v2004-20241007-en
behavioral21    Night_uac/Uac_stage_gen.py                win7-20240708-en
behavioral22    Night_uac/Uac_stage_gen.py                win10v2004-20241007-en
behavioral23    Night_uac/amsi.ps1                        win7-20240903-en
behavioral24    Night_uac/amsi.ps1                        win10v2004-20241007-en
behavioral25    Night_uac/amsi.ps1                        win7-20240729-en
behavioral26    Night_uac/amsi.ps1                        win10v2004-20241007-en
behavioral27    Night_uac/command.ps1                     win7-20240708-en
behavioral28    Night_uac/command.ps1                     win10v2004-20241007-en
behavioral29    Night_uac/down.ps1                        win7-20240903-en
behavioral30    Night_uac/down.ps1                        win10v2004-20241007-en
behavioral31    Night_uac/payloads/0malm7gp.ps1           win7-20240903-en
behavioral32    Night_uac/payloads/0malm7gp.ps1           win10v2004-20241007-en
General
- Target: Hidden_Undected_CMSTP-Reflection.ps1
- Size: 13KB
- MD5: 39d26ba464405a52eec059c38fde3742
- SHA1: b8e15337cbdfe46d6c712bf45a381b5a97d30db1
- SHA256: 5812fe6944f400d00f4ab4b4189779c3caddc419c3346842e30c07d238f4d186
- SHA512: 7fb159fbedc68cd0a353534b30cca7f0f6a95f327c69d2a4cc1b7d4c4b591ea893451b18f188d5739873a64c64bd314546a20bb272d76931cee1937a6104e337
- SSDEEP: 384:lc2055WPIbP1ermV2qvkXLuwYiou2tc428QuB:lc2eWgP1UIEuwhom4tQW
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Run Powershell and hide display window.
  pid 4564 powershell.exe; pid 4996 powershell.exe
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk (process: powershell.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoC)
  pid 3256 taskkill.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4564 powershell.exe (64 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 4564 powershell.exe; Token: SeDebugPrivilege, pid 4996 powershell.exe; Token: SeDebugPrivilege, pid 3256 taskkill.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 4564 powershell.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 4564 (powershell.exe) wrote to memory of 4792, procid_target 87 (2 occurrences)
Processes
1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Hidden_Undected_CMSTP-Reflection.ps1
   PID: 4564
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\system32\cmstp.exe
      Command line: "c:\windows\system32\cmstp.exe" /au C:\windows\temp\dd5zlj1e.inf
      PID: 4792
1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass C:\Users\Admin\Music\la0bvbcx.ps1
   PID: 4996
   - Command and Scripting Interpreter: PowerShell
   - Drops file in System32 directory
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\system32\taskkill.exe
   Command line: taskkill /IM cmstp.exe /F
   PID: 3256
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 4b6a25c71368c32af07089d65cb075f5
  SHA1: 489f98f82b860b96b375af8b236d2a390c6e2fd4
  SHA256: 8d0896f043e62ea4952833cb20d23fc5f39f2a004bada23c71fc41af8b37a6e2
  SHA512: 24f6478e8bc175d10bd849356a35b421daf718839c344ce1a14ac0324d4c90162df618f690de61d992a92fc4c9b8cf8bb46eddb8560da5a126ad0904456ef4c9
- Filesize: 1KB
  MD5: 4d1969fa5f066db3e8ea5693cc9a1718
  SHA1: 3f630883efe81b6f1d3cf1fec526237fe4202334
  SHA256: 0069835519f12f37ead8f308e96d8c90ea09e081a94a941c1f8921fe6e1834ce
  SHA512: 4f74412265a1b11826f18e58bfc6b59c006914dd2acb74045dffca775cb1fb620605233f5c5fc7b03fe50433e99dba4e4bd1b4afc012cfc8f0214d1dedcfb88d
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 44B
  MD5: bac6401de6dde08d74975b36142db4c4
  SHA1: afff11fb0f67ca72196f87950d031ccb3ea8d1bd
  SHA256: a969390600da053cca1c6a79cfcca555ac38c0af847e7a20c2ee2b24e02a9913
  SHA512: 2caed8e12850571cad5771d666fb58f95d6885da5fb2f5eaa151855cbabe8c031ba32f7a2edeee078c23214e9b4bd6fc87b36c2237ee6c282cf62b64f899cc9f
- Filesize: 656B
  MD5: 48a010a93ed81a7ace901862f9d8980f
  SHA1: 6aa9f24b072c83cc4e44e753dad5e51574348dfd
  SHA256: 8cd6f50d49b4f3e5019de0b6c5467701469cbfd39056e2e1b69ad9d463c57dca
  SHA512: 6bcf27ef6e901ecac38344309fe0430caea70e1bdf194f48adf6850a0a7a0d9c54e6944d163ab7c2537493f6873912d33d81718331e29856c986566eec672c50