f45bcf726922fe01b71eb17cdaea8fcea57bdeefced3054e118732a41805f15f

Analysis

max time kernel
149s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-11-2024 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tox tweaking/niggers/PowerRun.exe
Size

775KB
MD5

71c7975385f73ae32b06f69dbe79290b
SHA1

05a1197cb8bd88447199e42a75bfcf99e32f2c48
SHA256

c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c
SHA512

1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95
SSDEEP

12288:XaWzgMg7v3qnCi9ErQohh0F4fCJ8lnyQQdbpSulVAbWjuixwhQaB/Q:qaHMv6CRrj3nyQQdpSulmWjxwhQaG

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerRun.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3056	PowerRun.exe
3056	PowerRun.exe
3392	PowerRun.exe
3392	PowerRun.exe
3392	PowerRun.exe
3392	PowerRun.exe
2560	PowerRun.exe
2560	PowerRun.exe
2560	PowerRun.exe
2560	PowerRun.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3056	PowerRun.exe
1432	PowerRun.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3392	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	3392	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	3392	PowerRun.exe
Token: 0	3392	PowerRun.exe
Token: SeDebugPrivilege	2560	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	2560	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	2560	PowerRun.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 3392	3056	PowerRun.exe	80
PID 3056 wrote to memory of 3392	3056	PowerRun.exe	80
PID 3056 wrote to memory of 3392	3056	PowerRun.exe	80

C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe
  "C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe" /P:590310
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe
    "C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe" /P:590310
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe" /TI/ /P:590310
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tnspqdu

Filesize
83KB

MD5
0b1607979373b4ed50c6d0b89eb157ab

SHA1
7c2f77f58d5cfbbddd572cef7e23d537567a7942

SHA256
1c80f750068ed4ca51348b189016113559a740215c4ff6593156fd5225272690

SHA512
3f6641421e8902432da2bedde2c870b3ed02a9f1e0ecbef78d66c968712817cdce37b6f4b74d666bb061933842e8ad62c5491ba44a38b3052296c74004dd9c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.ini

Filesize
3KB

MD5
48369a4319816579ca01c957f4ba70cc

SHA1
f93e76bc3ae9083c37ba34cf9e866b229dce34f3

SHA256
bd838b6574bd31c7cb218be76a30cb9b0e049f32eaccd61e399c12ff07a12b49

SHA512
04ea2a4d46a63e069e3ee9485caf840c59c135553134e6f984c22ee122ba7c89f625ef6662f4e03c59dd4bf02d0f9e3613785b9247aa99642b8324efdccec3f4

Download Submit
C:\Windows\Temp\autCCC6.tmp

Filesize
25KB

MD5
1ae3520c92409d09b2596b55abcd1429

SHA1
89dcc61c00aa4244e166653dc31092350d868a66

SHA256
e0fe5cc20fc6257d8373a36cb2c87f4bd6ec9a97961ed0f795e48958e477fe78

SHA512
c8626cfd2b6ac659af8e627f08e32051e39ed06875ffb71acca6014ac104ac60c1b0de1cf397fa16146734eb3e5cfce4ae3b75843742ec89577330d6235d0845

Download Submit