4b9e4bbd675a45f1a99d54bff55576ba3c6d79ab76ea30e143d89fc1543e8580

Analysis

max time kernel
94s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Files/Apps/ctt.bat
Size

206B
MD5

7572c139fbfdb2a7c376581a6048b3dc
SHA1

6d58696ac2de4ef789dc153e8a6100c74967fca6
SHA256

0dd4a0a9e1521cb80ee601112d194ddb8a620f0bb86dee3bb8337174c48c27fa
SHA512

bcb42aff70d65b53da7c4701614ddabaff5d4942b755de746843cfc207ba32a425f4e1ce24ab168bd4cdf516e16cdc95987d9c3350aeb12b5d7c11d9d8dc7928

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow	pid	Process
6	2024	powershell.exe
8	2024	powershell.exe
15	2024	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2024	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid	Process
2024	powershell.exe
2024	powershell.exe
2024	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeIncreaseQuotaPrivilege	2024	powershell.exe
Token: SeSecurityPrivilege	2024	powershell.exe
Token: SeTakeOwnershipPrivilege	2024	powershell.exe
Token: SeLoadDriverPrivilege	2024	powershell.exe
Token: SeSystemProfilePrivilege	2024	powershell.exe
Token: SeSystemtimePrivilege	2024	powershell.exe
Token: SeProfSingleProcessPrivilege	2024	powershell.exe
Token: SeIncBasePriorityPrivilege	2024	powershell.exe
Token: SeCreatePagefilePrivilege	2024	powershell.exe
Token: SeBackupPrivilege	2024	powershell.exe
Token: SeRestorePrivilege	2024	powershell.exe
Token: SeShutdownPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeSystemEnvironmentPrivilege	2024	powershell.exe
Token: SeRemoteShutdownPrivilege	2024	powershell.exe
Token: SeUndockPrivilege	2024	powershell.exe
Token: SeManageVolumePrivilege	2024	powershell.exe
Token: 33	2024	powershell.exe
Token: 34	2024	powershell.exe
Token: 35	2024	powershell.exe
Token: 36	2024	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

powershell.exe

pid	Process
2024	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exepowershell.execsc.exe

description	pid	Process	procid_target
PID 1636 wrote to memory of 1160	1636	cmd.exe	84
PID 1636 wrote to memory of 1160	1636	cmd.exe	84
PID 1636 wrote to memory of 2024	1636	cmd.exe	85
PID 1636 wrote to memory of 2024	1636	cmd.exe	85
PID 2024 wrote to memory of 576	2024	powershell.exe	97
PID 2024 wrote to memory of 576	2024	powershell.exe	97
PID 576 wrote to memory of 412	576	csc.exe	98
PID 576 wrote to memory of 412	576	csc.exe	98

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Apps\ctt.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "irm -useb https://christitus.com/win | iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xwimfsud\xwimfsud.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD254.tmp" "c:\Users\Admin\AppData\Local\Temp\xwimfsud\CSCDA551A46BA284EFCA2A94FE52B3B52D4.TMP"
      4⤵
      PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD254.tmp

Filesize
1KB

MD5
a63ce5ea36c501ffb4baa65a52cc2795

SHA1
01649931b6c758c34d91594fd718e8c672cf1940

SHA256
2e26f2b451f81fec4554e751ac676724fd5bb30db33c632b57fd8bca2901f7fe

SHA512
282a8c529d07b8c6c9c2da9fe2f0d0780d9c756a2c7b60461554faf8d6bbf9259fdbccfff5d541ea3be398d575bb7182c3f68ff6837c306dff2dedd92265c033

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5fkvgva.e2v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwimfsud\xwimfsud.dll

Filesize
3KB

MD5
864685e2400cbca8ff17f2699d029ebe

SHA1
30c7b93cf5588a9fd27378f44d409be1f20ffa95

SHA256
16818a815da82c8416b4ed8eafc0c7c91d4ae8371b9c3334a3a3b2d02f26f42d

SHA512
6b9a22a5250f93d6cbd5535fd34c13aa39d6633eb5083dd504129004797bb1ae4f9277ab53b052152769558e7e6e70f1e5c28dbcb1c8819190117643e75e4dfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xwimfsud\CSCDA551A46BA284EFCA2A94FE52B3B52D4.TMP

Filesize
652B

MD5
681185f74bb3b6806b10535ac2984b8a

SHA1
ed60f3064fb4a304ceb3c29d1149a1d5a6be8628

SHA256
b8624d104122863e0f7b731b4d452c0e0129495e79d1d07cde7c711811743b84

SHA512
c6f4d5a923d2c2cbe76cb4c37c73ebf3812a4ac053b51afd54c34831faf46e5ee2319e55c6fd323ca8d803f5e78173e32ef2e5af5399da6c5c23c10d46aaa8fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xwimfsud\xwimfsud.0.cs

Filesize
1KB

MD5
66ca8de746bd5bc09574b9b5d72a91bb

SHA1
ae5b33f83239264d6202d1b9fdff566e851b85e4

SHA256
8221e96e5aef72f45e31a858a97638c7f2fc0bad68f6a21d92edb26cfba20f2b

SHA512
80d6b675b08acc1bdd65da19938c2a30a0bdb4ba75459d2677e56345720a5ce5590ace5aae48f2ca1bb14315cd73c40adb841af0ff917799a6a8e5963871e74a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xwimfsud\xwimfsud.cmdline

Filesize
369B

MD5
3b3eea92a564f68002d1b4783a5dae92

SHA1
263a824541253e58801e567d9521a0c275818501

SHA256
5ce029a67f2aba4cb1a889b95bff6ccd52281389abe5c330627028b6531ef131

SHA512
11cb2d447a93cf680b2468c9eaf0205a01a8bc775c39b9e369e4cafda6a59578d4235397688a615ec82e6b158857799cac88c83affac281814459d532062de75

Download Submit
memory/2024-14-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/2024-23-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/2024-16-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/2024-18-0x00000232D2B70000-0x00000232D2BA8000-memory.dmp

Filesize
224KB

Download
memory/2024-19-0x00000232D2550000-0x00000232D255E000-memory.dmp

Filesize
56KB

Download
memory/2024-17-0x00000232D2540000-0x00000232D2548000-memory.dmp

Filesize
32KB

Download
memory/2024-20-0x00007FF8CFC13000-0x00007FF8CFC15000-memory.dmp

Filesize
8KB

Download
memory/2024-21-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/2024-22-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/2024-15-0x00000232D2CA0000-0x00000232D31C8000-memory.dmp

Filesize
5.2MB

Download
memory/2024-24-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/2024-25-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/2024-0-0x00007FF8CFC13000-0x00007FF8CFC15000-memory.dmp

Filesize
8KB

Download
memory/2024-13-0x00000232D25A0000-0x00000232D2762000-memory.dmp

Filesize
1.8MB

Download
memory/2024-12-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/2024-11-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/2024-1-0x00000232D1F30000-0x00000232D1F52000-memory.dmp

Filesize
136KB

Download
memory/2024-38-0x00000232D3CC0000-0x00000232D3CC8000-memory.dmp

Filesize
32KB

Download
memory/2024-40-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download