c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 16:10

Target

$_13_/PowerRun64.exe
Size

923KB
MD5

efe5769e37ba37cf4607cb9918639932
SHA1

f24ca204af2237a714e8b41d54043da7bbe5393b
SHA256

5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2
SHA512

33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1
SSDEEP

24576:X2DW/xbMX2YIbxQsu3/PNLoQ+HyS2I4jRk:X2EgXoQsW/PNUQWnX4jRk

Score

4^/10

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20241123161049.cab	makecab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1980	PowerRun64.exe
2748	PowerRun64.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2844	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2844	PowerRun64.exe
Token: 0	2844	PowerRun64.exe
Token: SeDebugPrivilege	2256	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2256	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2256	PowerRun64.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2844	1980	PowerRun64.exe	30
PID 1980 wrote to memory of 2844	1980	PowerRun64.exe	30
PID 1980 wrote to memory of 2844	1980	PowerRun64.exe	30

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241123161049.log C:\Windows\Logs\CBS\CbsPersist_20241123161049.cab
1⤵
- Drops file in Windows directory
PID:2864

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\$_13_\PowerRun64.ini

Filesize
3KB

MD5
27224ee1c79fd0eba472f1b0b453accd

SHA1
6bbeb016c76d82f9c78b79d8e7ba8857f079b156

SHA256
4ba9b54e9f09c7fd52438d667c5069a3ce5e1162b7bf6a07f5b1ef10259cdc03

SHA512
65f968bee5d5709254f55ab3550ffabcc9b8e31c51c2a584386a2ac5982cbd475491fc193c68cb90c58c7ba6d76e3401e23be259718bea5027b4b3f132761ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpsmqxe

Filesize
81KB

MD5
940b1915cadee0e2b33d80799816f6c7

SHA1
2c10e4fec3e8c054055d1ed78757117575f273f2

SHA256
81e89e7266cfe5158e44f5578c8be61353e781daebdd47a33597e9ec503d379c

SHA512
cc3c574fd5392c1b54146b591e22b1c01c95e34a602c403ad96c49b7ee6ad31d1478a00cc1334286addc5cb94496372a172745e9ad20554023e1e22c7da1e1c5

Download Submit
C:\Windows\Temp\autBC6C.tmp

Filesize
25KB

MD5
436c1bb98deeccecb73fad945f1dd3dc

SHA1
774313ba911945589971bbc73498d81f060dabe6

SHA256
05eae1691149cc66e458d5e5b4430bd3b938b278b8bdb2c887a13c9871004c51

SHA512
66ea41b9b4a42f7c40d1ce5b6e82a6f03e8489648b912d96a81efa13d340d4d651078df7c1302c595ca83408e7208d1d79f02165dc27383952a9abe7f851c3e2

Download Submit