f45bcf726922fe01b71eb17cdaea8fcea57bdeefced3054e118732a41805f15f

Analysis

max time kernel
109s
max time network
145s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08-11-2024 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tox tweaking/niggers/PowerRun.exe
Size

775KB
MD5

71c7975385f73ae32b06f69dbe79290b
SHA1

05a1197cb8bd88447199e42a75bfcf99e32f2c48
SHA256

c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c
SHA512

1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95
SSDEEP

12288:XaWzgMg7v3qnCi9ErQohh0F4fCJ8lnyQQdbpSulVAbWjuixwhQaB/Q:qaHMv6CRrj3nyQQdpSulmWjxwhQaG

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerRun.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2964	PowerRun.exe
2964	PowerRun.exe
2028	PowerRun.exe
2028	PowerRun.exe
2028	PowerRun.exe
2028	PowerRun.exe
1236	PowerRun.exe
1236	PowerRun.exe
1236	PowerRun.exe
1236	PowerRun.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2964	PowerRun.exe
4980	PowerRun.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	2028	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	2028	PowerRun.exe
Token: 0	2028	PowerRun.exe
Token: SeDebugPrivilege	1236	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	1236	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	1236	PowerRun.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2028	2964	PowerRun.exe	82
PID 2964 wrote to memory of 2028	2964	PowerRun.exe	82
PID 2964 wrote to memory of 2028	2964	PowerRun.exe	82

C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe
  "C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe" /P:524774
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe
    "C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe" /P:524774
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.exe" /TI/ /P:524774
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qfojpdt

Filesize
83KB

MD5
0b1607979373b4ed50c6d0b89eb157ab

SHA1
7c2f77f58d5cfbbddd572cef7e23d537567a7942

SHA256
1c80f750068ed4ca51348b189016113559a740215c4ff6593156fd5225272690

SHA512
3f6641421e8902432da2bedde2c870b3ed02a9f1e0ecbef78d66c968712817cdce37b6f4b74d666bb061933842e8ad62c5491ba44a38b3052296c74004dd9c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\PowerRun.ini

Filesize
3KB

MD5
24b36f3b0be5083755872cb69614a776

SHA1
1151ff16fb644dc6f2e68e125e66ca75a339a4ce

SHA256
c4f05b0c9db08daf753490063e2d9806460869ef78747da16f539747588ac210

SHA512
0afcbca9c9f6392c880f21c010dc4ed8eec520701df494f4428e15984d7b95ca2bae796b4ceb21125b711c77b4cb6d3b0f77d77e59ffa587e6b0e114ca5dac53

Download Submit
C:\Windows\Temp\aut8760.tmp

Filesize
25KB

MD5
1ae3520c92409d09b2596b55abcd1429

SHA1
89dcc61c00aa4244e166653dc31092350d868a66

SHA256
e0fe5cc20fc6257d8373a36cb2c87f4bd6ec9a97961ed0f795e48958e477fe78

SHA512
c8626cfd2b6ac659af8e627f08e32051e39ed06875ffb71acca6014ac104ac60c1b0de1cf397fa16146734eb3e5cfce4ae3b75843742ec89577330d6235d0845

Download Submit