Overview
overview
10Static
static
10AnyDesk.exe
windows7-x64
1AnyDesk.exe
windows10-2004-x64
1Archevod_XWorm.exe
windows7-x64
10Archevod_XWorm.exe
windows10-2004-x64
10ClickMe.lnk
windows7-x64
8ClickMe.lnk
windows10-2004-x64
8Cmstp.bat
windows7-x64
10Cmstp.bat
windows10-2004-x64
10GoogleChrome.exe
windows7-x64
10GoogleChrome.exe
windows10-2004-x64
10Hidden_Und...on.ps1
windows7-x64
8Hidden_Und...on.ps1
windows10-2004-x64
8Hidden_magic.vbs
windows7-x64
3Hidden_magic.vbs
windows10-2004-x64
7Manage.bat
windows7-x64
1Manage.bat
windows10-2004-x64
1Night_uac/...in.ps1
windows7-x64
8Night_uac/...in.ps1
windows10-2004-x64
8Night_uac/...ge.ps1
windows7-x64
8Night_uac/...ge.ps1
windows10-2004-x64
8Night_uac/...gen.py
windows7-x64
3Night_uac/...gen.py
windows10-2004-x64
3Night_uac/amsi.ps1
windows7-x64
3Night_uac/amsi.ps1
windows10-2004-x64
3Night_uac/amsi.ps1
windows7-x64
3Night_uac/amsi.ps1
windows10-2004-x64
3Night_uac/command.ps1
windows7-x64
3Night_uac/command.ps1
windows10-2004-x64
3Night_uac/down.ps1
windows7-x64
8Night_uac/down.ps1
windows10-2004-x64
8Night_uac/...gp.ps1
windows7-x64
3Night_uac/...gp.ps1
windows10-2004-x64
3Analysis
-
max time kernel
14s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
18-10-2024 17:21
Static task
static1
Behavioral task
behavioral1
Sample
AnyDesk.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
AnyDesk.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Archevod_XWorm.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Archevod_XWorm.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
ClickMe.lnk
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
ClickMe.lnk
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Cmstp.bat
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
Cmstp.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
GoogleChrome.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
GoogleChrome.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Hidden_Undected_CMSTP-Reflection.ps1
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
Hidden_Undected_CMSTP-Reflection.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
Hidden_magic.vbs
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
Hidden_magic.vbs
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
Manage.bat
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
Manage.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
Night_uac/Uac_main.ps1
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
Night_uac/Uac_main.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
Night_uac/Uac_stage.ps1
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
Night_uac/Uac_stage.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
Night_uac/Uac_stage_gen.py
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
Night_uac/Uac_stage_gen.py
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
Night_uac/amsi.ps1
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
Night_uac/amsi.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
Night_uac/amsi.ps1
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
Night_uac/amsi.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
Night_uac/command.ps1
Resource
win7-20240708-en
Behavioral task
behavioral28
Sample
Night_uac/command.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
Night_uac/down.ps1
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
Night_uac/down.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
Night_uac/payloads/0malm7gp.ps1
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
Night_uac/payloads/0malm7gp.ps1
Resource
win10v2004-20241007-en
General
-
Target
Night_uac/amsi.ps1
-
Size
1KB
-
MD5
ce55b86a579ff526c25fdfeb398fa285
-
SHA1
134fb6ec72f0123f5111333ca6d4c4a9c125cf67
-
SHA256
dcc98c13be598654871475b3028f304f2a580b47c9c46531d2793de49f5f8d7d
-
SHA512
ca4f09c14caee9282006a0a3251b17ab8c5cf3c370b81bb49579437d470d62bcb2b8909c461784d163c57e7ca725ecb1bb86036b401315fd2ff0fedcd8b51f2f
Malware Config
Signatures
-
pid Process 1956 powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1956 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1956 powershell.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1956 wrote to memory of 2760 1956 powershell.exe 30 PID 1956 wrote to memory of 2760 1956 powershell.exe 30 PID 1956 wrote to memory of 2760 1956 powershell.exe 30 PID 2760 wrote to memory of 2912 2760 csc.exe 31 PID 2760 wrote to memory of 2912 2760 csc.exe 31 PID 2760 wrote to memory of 2912 2760 csc.exe 31 PID 1956 wrote to memory of 2764 1956 powershell.exe 32 PID 1956 wrote to memory of 2764 1956 powershell.exe 32 PID 1956 wrote to memory of 2764 1956 powershell.exe 32
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Night_uac\amsi.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ved8ly5c.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E1A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3E19.tmp"3⤵PID:2912
-
-
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "1956" "1152"2⤵PID:2764
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD581e1e61b0fe34fddc4065158a47a0549
SHA140aa0dff66d2344cb32935afff609d23739e3dc9
SHA25623a93eb6aa257f66280e98d1c3e559179658b4ce5d6bb429b99be78005d61b20
SHA5125f8adb4dec7e7f3272fc9c52ecc23407ea3c41c9b99f4fc818ad9cacba9b571505a4780d63d98193dd4f1757f2339961416137be7727c5e046418439d5741da8
-
Filesize
1KB
MD54f8ff0fef7bcbe6dcb3ad83c2bb27301
SHA1936b1b98ea59208e55959a9aad46e09704c93123
SHA2560558d071430b0e2d5b41f72075abb6c06c204fce45d3dfa3dfa11301ffaba745
SHA512034477bcb4f3a39893b058378160e4047675f168f0759f13464ee4f30d7dd72a706073daa62d34c919b9fabceb72cb19adcf40253ce9b467e62cf4fa3a7ac2e1
-
Filesize
3KB
MD54d279f1c0351b35e5515ca5d4153cd35
SHA1150002c9fb4dc253797038ceb5c05c7a09a70e54
SHA25631f3397fc45bbabf4d75a006c79331138c026ed1e761071d865104173eb3644d
SHA5121cee4b1af5d7c701f14e63196a6f0d7034405166f314b92a856138291978174c91935baeb285d0216f40c6277e5cdceced9f0af9044641594847b3aebc70d37d
-
Filesize
7KB
MD5e629529d4756eb3bb885e2fd3d9bc8e3
SHA1b4ade120cc55d8ddace40172becc4423ff4f8b8a
SHA256f07c3241516c05fd938c514b63c9a43f33cd69b2ec06988756bb74c63d7d79e5
SHA5129a4937a28faebd154d5250d7a5c34cefff597da4ed47fcd2980371a8d563a2737e6046c43243dd3b3678a4ffa08470663bff0b06fb291eb66913a9b34b769f8a
-
Filesize
652B
MD5bd37116a98a73275096bc1c6d05fb63e
SHA1afe30256f4abec8b32a04b81e054c44d9c5a4483
SHA256e1cc51bc3b03e1735039518c256cf921a023fd030b489f75641ccf2eccd39f32
SHA512a7a12d49f6132c29ad8bf03e25bfb0ccacd2c82bfa45a8901af7dbfe223a03209beac34c5f6f17ff7db4fb68e3583b6ebf2ec3df3fcb4a2991573cb7e74118f3
-
Filesize
331B
MD5885120f66ed400cb844051f3b2509cb7
SHA11035be96b6ba5e7ed6b5250d097ce2356ef67eae
SHA256cceab02630d3733fc07e880a371093e9e795095817d72283d2197630a44dcc5e
SHA512c85b4d69008954eae90f0f1ccf547c7c1f7fa1df22f08afad15aced1af7e0078e1ae82929dbb03b8a4c2b0ca9c40c813b38de532d5c34261a3f11be3196fe97b
-
Filesize
309B
MD5bbe74f7ff6b2a8d1b89aa8af1453cbb8
SHA184bbf68ec18f4c173a8b395e57e0f0ecd61cd735
SHA256db994cba92ba5c407c90462c84561971b3a6b193d0404a8d6861d4a192b0b20d
SHA51292b561538019b98592b8844cfc187e2616cab81053d39f2dc20c0d1e057829cff3b305b38f191a6c2e1a0e3ffb31726cd58f6bf79c0c81276a38e4f7c9aaa7e2