Overview (score 10)

Static task (static): score 10

Behavioral tasks (sample, platform, score):
AnyDesk.exe              windows7-x64         1
AnyDesk.exe              windows10-2004-x64   1
Archevod_XWorm.exe       windows7-x64         10
Archevod_XWorm.exe       windows10-2004-x64   10
ClickMe.lnk              windows7-x64         8
ClickMe.lnk              windows10-2004-x64   8
Cmstp.bat                windows7-x64         10
Cmstp.bat                windows10-2004-x64   10
GoogleChrome.exe         windows7-x64         10
GoogleChrome.exe         windows10-2004-x64   10
Hidden_Und...on.ps1      windows7-x64         8
Hidden_Und...on.ps1      windows10-2004-x64   8
Hidden_magic.vbs         windows7-x64         3
Hidden_magic.vbs         windows10-2004-x64   7
Manage.bat               windows7-x64         1
Manage.bat               windows10-2004-x64   1
Night_uac/...in.ps1      windows7-x64         8
Night_uac/...in.ps1      windows10-2004-x64   8
Night_uac/...ge.ps1      windows7-x64         8
Night_uac/...ge.ps1      windows10-2004-x64   8
Night_uac/...gen.py      windows7-x64         3
Night_uac/...gen.py      windows10-2004-x64   3
Night_uac/amsi.ps1       windows7-x64         3
Night_uac/amsi.ps1       windows10-2004-x64   3
Night_uac/amsi.ps1       windows7-x64         3
Night_uac/amsi.ps1       windows10-2004-x64   3
Night_uac/command.ps1    windows7-x64         3
Night_uac/command.ps1    windows10-2004-x64   3
Night_uac/down.ps1       windows7-x64         8
Night_uac/down.ps1       windows10-2004-x64   8
Night_uac/...gp.ps1      windows7-x64         3
Night_uac/...gp.ps1      windows10-2004-x64   3

Analysis
max time kernel: 140s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-10-2024 17:21
Static task
static1

Behavioral tasks (task, sample, resource):
behavioral1    AnyDesk.exe                            win7-20240729-en
behavioral2    AnyDesk.exe                            win10v2004-20241007-en
behavioral3    Archevod_XWorm.exe                     win7-20240903-en
behavioral4    Archevod_XWorm.exe                     win10v2004-20241007-en
behavioral5    ClickMe.lnk                            win7-20240903-en
behavioral6    ClickMe.lnk                            win10v2004-20241007-en
behavioral7    Cmstp.bat                              win7-20241010-en
behavioral8    Cmstp.bat                              win10v2004-20241007-en
behavioral9    GoogleChrome.exe                       win7-20240903-en
behavioral10   GoogleChrome.exe                       win10v2004-20241007-en
behavioral11   Hidden_Undected_CMSTP-Reflection.ps1   win7-20241010-en
behavioral12   Hidden_Undected_CMSTP-Reflection.ps1   win10v2004-20241007-en
behavioral13   Hidden_magic.vbs                       win7-20240903-en
behavioral14   Hidden_magic.vbs                       win10v2004-20241007-en
behavioral15   Manage.bat                             win7-20240903-en
behavioral16   Manage.bat                             win10v2004-20241007-en
behavioral17   Night_uac/Uac_main.ps1                 win7-20240903-en
behavioral18   Night_uac/Uac_main.ps1                 win10v2004-20241007-en
behavioral19   Night_uac/Uac_stage.ps1                win7-20241010-en
behavioral20   Night_uac/Uac_stage.ps1                win10v2004-20241007-en
behavioral21   Night_uac/Uac_stage_gen.py             win7-20240708-en
behavioral22   Night_uac/Uac_stage_gen.py             win10v2004-20241007-en
behavioral23   Night_uac/amsi.ps1                     win7-20240903-en
behavioral24   Night_uac/amsi.ps1                     win10v2004-20241007-en
behavioral25   Night_uac/amsi.ps1                     win7-20240729-en
behavioral26   Night_uac/amsi.ps1                     win10v2004-20241007-en
behavioral27   Night_uac/command.ps1                  win7-20240708-en
behavioral28   Night_uac/command.ps1                  win10v2004-20241007-en
behavioral29   Night_uac/down.ps1                     win7-20240903-en
behavioral30   Night_uac/down.ps1                     win10v2004-20241007-en
behavioral31   Night_uac/payloads/0malm7gp.ps1        win7-20240903-en
behavioral32   Night_uac/payloads/0malm7gp.ps1        win10v2004-20241007-en
General
Target: Night_uac/amsi.ps1
Size: 1KB
MD5: ce55b86a579ff526c25fdfeb398fa285
SHA1: 134fb6ec72f0123f5111333ca6d4c4a9c125cf67
SHA256: dcc98c13be598654871475b3028f304f2a580b47c9c46531d2793de49f5f8d7d
SHA512: ca4f09c14caee9282006a0a3251b17ab8c5cf3c370b81bb49579437d470d62bcb2b8909c461784d163c57e7ca725ecb1bb86036b401315fd2ff0fedcd8b51f2f
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: wermgr.exe
(description, ioc, process)
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   wermgr.exe
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       wermgr.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  wermgr.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: wermgr.exe
(description, ioc, process)
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU   wermgr.exe
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS             wermgr.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: powershell.exe
(pid, process)
4608   powershell.exe
4608   powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: powershell.exe
(description, pid, process)
Token: SeDebugPrivilege   4608   powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: powershell.exe, csc.exe
(description, pid, process, procid_target)
PID 4608 wrote to memory of 3976   4608   powershell.exe   86
PID 4608 wrote to memory of 3976   4608   powershell.exe   86
PID 3976 wrote to memory of 3400   3976   csc.exe          88
PID 3976 wrote to memory of 3400   3976   csc.exe          88
PID 4608 wrote to memory of 4828   4608   powershell.exe   90
PID 4608 wrote to memory of 4828   4608   powershell.exe   90
Processes (tree; indentation shows parent/child relationship)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Night_uac\amsi.ps1
  PID: 4608
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3dijakwu\3dijakwu.cmdline"
      PID: 3976
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BF4.tmp" "c:\Users\Admin\AppData\Local\Temp\3dijakwu\CSCF850C0BE91D54B0291AA25A262B8BC5E.TMP"
          PID: 3400

    C:\Windows\system32\wermgr.exe
      Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4608" "2248" "2192" "2252" "0" "0" "2256" "0" "0" "0" "0" "0"
      PID: 4828
      - Checks processor information in registry
      - Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 71df1d0c90c3ad75c84aa1000adc9fa3
SHA1: 318faf5bf597011063c615369a41afab4ef2c1bc
SHA256: 8c3900788b45c4589a4b219240e745ba3f73026859d299117c49b591088a5db3
SHA512: 44368b97dd7ffcda052b7bb9afb7dbcd190ab5f759f3a3af9eb3dc507678d208b33cec1aa55de7f232ff243b7fbde8dc013e80f1c6f467cd40cae579cea6fe3d

Filesize: 1KB
MD5: 82d020b9d6f0901deb30cc8e41724671
SHA1: bd7dbc6ce56dd9173d910e2eb306c908b1fd72b8
SHA256: 6d6efd6b0e51748ef48ea38b134b9909c18de535a9a58517f5d1ffcdfe0c579f
SHA512: 020c3d762e01c4851bc6bd82a11a715fc86ace4dd8c2fab1cd1a49af66de4a693ea1df1111fb10a37593eb3c42b38cbe76ac9ad841e1864654015b7b27d65f98

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 331B
MD5: 885120f66ed400cb844051f3b2509cb7
SHA1: 1035be96b6ba5e7ed6b5250d097ce2356ef67eae
SHA256: cceab02630d3733fc07e880a371093e9e795095817d72283d2197630a44dcc5e
SHA512: c85b4d69008954eae90f0f1ccf547c7c1f7fa1df22f08afad15aced1af7e0078e1ae82929dbb03b8a4c2b0ca9c40c813b38de532d5c34261a3f11be3196fe97b

Filesize: 369B
MD5: 62400ede862c00acdea7125900590c3b
SHA1: 9aab4e43dd119a6d5da2a9cf069f3212b3ec2fd6
SHA256: 5b27669db26f593ade4082a085e1c236ddf54ca4ee0a982c59297bf2f409d5b8
SHA512: cddc7d2553467366e6e5c04ba2adb88f45e0786dccfefa3603077dba15805811d074bf5acb1462a7bf339dcc61bc7adc7eb2f6f23b8cede5b14df2a86ae6cfb2

Filesize: 652B
MD5: 8cfbb272cbefd8e09d360671d1a8abbe
SHA1: 01cd0f10acb959270ed9afaf5a8de1b8dc7170f9
SHA256: aa48dee7c98352bf5f5a1c9b4d6508356526f36526b60082e5e5f5dec9098ee8
SHA512: d2dee5987fd295b7384b48e63dc26aa84e95fee7c1113e3ba27cfb5185a1338ab141a2e3bcbab92d08ed80a1148c6997dca5a51184faa35eafdd3a6701a6da40