Overview
overview
10Static
static
10AnyDesk.exe
windows7-x64
1AnyDesk.exe
windows10-2004-x64
1Archevod_XWorm.exe
windows7-x64
10Archevod_XWorm.exe
windows10-2004-x64
10ClickMe.lnk
windows7-x64
8ClickMe.lnk
windows10-2004-x64
8Cmstp.bat
windows7-x64
10Cmstp.bat
windows10-2004-x64
10GoogleChrome.exe
windows7-x64
10GoogleChrome.exe
windows10-2004-x64
10Hidden_Und...on.ps1
windows7-x64
8Hidden_Und...on.ps1
windows10-2004-x64
8Hidden_magic.vbs
windows7-x64
3Hidden_magic.vbs
windows10-2004-x64
7Manage.bat
windows7-x64
1Manage.bat
windows10-2004-x64
1Night_uac/...in.ps1
windows7-x64
8Night_uac/...in.ps1
windows10-2004-x64
8Night_uac/...ge.ps1
windows7-x64
8Night_uac/...ge.ps1
windows10-2004-x64
8Night_uac/...gen.py
windows7-x64
3Night_uac/...gen.py
windows10-2004-x64
3Night_uac/amsi.ps1
windows7-x64
3Night_uac/amsi.ps1
windows10-2004-x64
3Night_uac/amsi.ps1
windows7-x64
3Night_uac/amsi.ps1
windows10-2004-x64
3Night_uac/command.ps1
windows7-x64
3Night_uac/command.ps1
windows10-2004-x64
3Night_uac/down.ps1
windows7-x64
8Night_uac/down.ps1
windows10-2004-x64
8Night_uac/...gp.ps1
windows7-x64
3Night_uac/...gp.ps1
windows10-2004-x64
3Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-10-2024 17:21
Static task
static1
Behavioral task
behavioral1
Sample
AnyDesk.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
AnyDesk.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Archevod_XWorm.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Archevod_XWorm.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
ClickMe.lnk
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
ClickMe.lnk
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Cmstp.bat
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
Cmstp.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
GoogleChrome.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
GoogleChrome.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Hidden_Undected_CMSTP-Reflection.ps1
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
Hidden_Undected_CMSTP-Reflection.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
Hidden_magic.vbs
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
Hidden_magic.vbs
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
Manage.bat
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
Manage.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
Night_uac/Uac_main.ps1
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
Night_uac/Uac_main.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
Night_uac/Uac_stage.ps1
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
Night_uac/Uac_stage.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
Night_uac/Uac_stage_gen.py
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
Night_uac/Uac_stage_gen.py
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
Night_uac/amsi.ps1
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
Night_uac/amsi.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
Night_uac/amsi.ps1
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
Night_uac/amsi.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
Night_uac/command.ps1
Resource
win7-20240708-en
Behavioral task
behavioral28
Sample
Night_uac/command.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
Night_uac/down.ps1
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
Night_uac/down.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
Night_uac/payloads/0malm7gp.ps1
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
Night_uac/payloads/0malm7gp.ps1
Resource
win10v2004-20241007-en
General
-
Target
Night_uac/amsi.ps1
-
Size
1KB
-
MD5
ab586dd0a3d8dc473e8a12a5a4c6a484
-
SHA1
247455520a6b3706355e6afc4815fc0fbec331c4
-
SHA256
e4519785cbdda3fe7f85b3e0ef1bfd0bb857966dcc9fd7e62bd028b04a35cda3
-
SHA512
898dfc95b3016a8c8ec164ddff5b5b58aa3470802f5cc9265837dc1d4356de251fa256ff6dd130e39399ab24ebe903172dee214fc9b3e36be04d0ef654b9fb20
Malware Config
Signatures
-
pid Process 2300 powershell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 wermgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz wermgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wermgr.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS wermgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU wermgr.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2300 powershell.exe 2300 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2300 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2300 wrote to memory of 3436 2300 powershell.exe 85 PID 2300 wrote to memory of 3436 2300 powershell.exe 85 PID 3436 wrote to memory of 3248 3436 csc.exe 88 PID 3436 wrote to memory of 3248 3436 csc.exe 88 PID 2300 wrote to memory of 2736 2300 powershell.exe 90 PID 2300 wrote to memory of 2736 2300 powershell.exe 90
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Night_uac\amsi.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1kgn4znx\1kgn4znx.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AAA.tmp" "c:\Users\Admin\AppData\Local\Temp\1kgn4znx\CSCA24E535DA624FD6AB9E529C92B4EB7.TMP"3⤵PID:3248
-
-
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2300" "2164" "2116" "2168" "0" "0" "2172" "0" "0" "0" "0" "0"2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2736
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5774852929bd59975162f74217de4d7b9
SHA1b839bc8019257000677a7ea1654948f2a624f33e
SHA2568fc229c350f12732ee3e46898029b12c0a4c7ce4e759c5ab1d6be3b1836ce9f6
SHA512fb6b54e4e53cc05e67065b43dd7ce28ab32f01a5c8ad3071e03d5cfc51477ddef90bc29460b723b93a8fd0e4232a22e99b8c27e49e9a4d7952875f424b431a35
-
Filesize
1KB
MD5bb1e34500d9df0cc59452d5c5a4e00c0
SHA1fa0cbeceb66b538b1640d3bbca61a5b87c28df0a
SHA2562c5c944bd8f35b20a0a7ab222ee8d05498c0a42d2932e03e9bd0cf3fbd7bda11
SHA512931fb5f3f51e753ac72b0ab8ea2a173f6de4c6f804facfb8ebdcbc8868814c02f329e915c6dd38c2a5ef06725aaba1c220cb57645e378013bc2e700270f26e28
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
331B
MD5885120f66ed400cb844051f3b2509cb7
SHA11035be96b6ba5e7ed6b5250d097ce2356ef67eae
SHA256cceab02630d3733fc07e880a371093e9e795095817d72283d2197630a44dcc5e
SHA512c85b4d69008954eae90f0f1ccf547c7c1f7fa1df22f08afad15aced1af7e0078e1ae82929dbb03b8a4c2b0ca9c40c813b38de532d5c34261a3f11be3196fe97b
-
Filesize
369B
MD57819f0b71a42a9ad1c9eb38205ecec7d
SHA179d5b7aad9dca5fd1db46b2c81d53bd43088a534
SHA2560b0f4c7931edbd36b7b7bb9d9d486dfb6ed58ded3d755f821852d0de0939fb77
SHA512345eb41db9af4abf049c64afc51b6c52d4e533c6d117f839887ed2789d9dea2eb0c884f57e118bd6b7d7f6d7cf68a313ac356aa2e00b02451105feb2af8edad9
-
Filesize
652B
MD5132513abd7206a3d33e935d35ef1131e
SHA1031722eaaa930674a67b745bcd56cfaf47178a7d
SHA256aeb870c2a6de119f1e7e9ec900b5a373ebf960408095d5a344483c8e197dd5e8
SHA512383cf63c24dbddfaee7d748ef8f8ebca6f8839bd28a803257c688bb2d814fb2afa7406d0c19cc458883df120e7e56356f7386caf69ebf6a62ba89bd9daea0045