3b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21

Analysis

max time kernel
141s
max time network
137s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30-11-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(Full Package) One Click OPT Ver - 6.7/3- Browser/CTT App Installer.bat
Size

217B
MD5

f313871bfb1db4e19da3bfbefdd71207
SHA1

58f254ca81c95711bb974bb3848b4e8d6bd43f2e
SHA256

fcb93b077e0f42c7a5b297dd13f01e4ef1b0af9d08883f25e72c82e2ad794070
SHA512

2008928dad77835328b3f7f0d26441ad449b6ca8ccd394b9c001a778b2f0445b2fecdf537281317db3ce5348fd30b6f5dfba45fea740e2aa2852a7e825c03273

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
15	2000	powershell.exe
17	2000	powershell.exe
21	2000	powershell.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp	TiWorker.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2000	powershell.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4276	timeout.exe
648	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2000	powershell.exe
2000	powershell.exe
2000	powershell.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeIncreaseQuotaPrivilege	2000	powershell.exe
Token: SeSecurityPrivilege	2000	powershell.exe
Token: SeTakeOwnershipPrivilege	2000	powershell.exe
Token: SeLoadDriverPrivilege	2000	powershell.exe
Token: SeSystemProfilePrivilege	2000	powershell.exe
Token: SeSystemtimePrivilege	2000	powershell.exe
Token: SeProfSingleProcessPrivilege	2000	powershell.exe
Token: SeIncBasePriorityPrivilege	2000	powershell.exe
Token: SeCreatePagefilePrivilege	2000	powershell.exe
Token: SeBackupPrivilege	2000	powershell.exe
Token: SeRestorePrivilege	2000	powershell.exe
Token: SeShutdownPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeSystemEnvironmentPrivilege	2000	powershell.exe
Token: SeRemoteShutdownPrivilege	2000	powershell.exe
Token: SeUndockPrivilege	2000	powershell.exe
Token: SeManageVolumePrivilege	2000	powershell.exe
Token: 33	2000	powershell.exe
Token: 34	2000	powershell.exe
Token: 35	2000	powershell.exe
Token: 36	2000	powershell.exe
Token: SeSecurityPrivilege	5068	TiWorker.exe
Token: SeRestorePrivilege	5068	TiWorker.exe
Token: SeBackupPrivilege	5068	TiWorker.exe
Token: SeSecurityPrivilege	5068	TiWorker.exe
Token: SeRestorePrivilege	5068	TiWorker.exe
Token: SeBackupPrivilege	5068	TiWorker.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2000	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 648	2348	cmd.exe	81
PID 2348 wrote to memory of 648	2348	cmd.exe	81
PID 2348 wrote to memory of 4276	2348	cmd.exe	82
PID 2348 wrote to memory of 4276	2348	cmd.exe	82
PID 2348 wrote to memory of 2000	2348	cmd.exe	87
PID 2348 wrote to memory of 2000	2348	cmd.exe	87
PID 2000 wrote to memory of 2740	2000	powershell.exe	93
PID 2000 wrote to memory of 2740	2000	powershell.exe	93
PID 2740 wrote to memory of 792	2740	csc.exe	94
PID 2740 wrote to memory of 792	2740	csc.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\(Full Package) One Click OPT Ver - 6.7\3- Browser\CTT App Installer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:648
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "iwr -useb https://christitus.com/win | iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fowep1di\fowep1di.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3FC.tmp" "c:\Users\Admin\AppData\Local\Temp\fowep1di\CSC24E7006BA1044ABBAECB20AE5D69979E.TMP"
      4⤵
      PID:792

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC3FC.tmp

Filesize
1KB

MD5
5ec2ae0d179e37fe8f984d5d20b81b77

SHA1
6f10cabc8f0c97d1d481ac0bfecfc3f920ed9a86

SHA256
a24ea1312a44342f104a1575342f4b5f567652cd7c973a65e9b392fcdcd2bb94

SHA512
5b30956c696ef40edbb84d55effcf20597785838dfc5a97d6eea1d5f8870f266eb498750928b7212625951baa570682f6396f2a2970d9a6dc395f468bd98f083

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mzf0omam.y0j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fowep1di\fowep1di.dll

Filesize
3KB

MD5
fafa065b5b6787ad6e44f9897a41d097

SHA1
ddb427999324e6ae3407edfd871ec264b57fa67d

SHA256
dc843bbd0133ca7c7c973b157e6e21baf3f7496adb2a2d1ab71429257d786a6d

SHA512
12915630a1315620431019a9fcf37cc656f6de18239e4642901a051b0a306da13987f660d7fcc2854df681c55b178a2816bafcb08fdcb355b09148e4081eb31a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fowep1di\CSC24E7006BA1044ABBAECB20AE5D69979E.TMP

Filesize
652B

MD5
8230aa8616d2fbf42935b5977eef0212

SHA1
08d162db020343c1133fa7158713c8368bd10c17

SHA256
06e5d24137e78b0fe7395caf44cf5181e8ac4e6f962824cb9887a0cf35833f32

SHA512
a623c8c2d874949500912445beaaaa8c52dcf8b8b329c98a3ede7a04c0352d191298327993082d76f2366fa96b3ff53e7f8204c499d30b033f437a2890a08dd2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fowep1di\fowep1di.0.cs

Filesize
1KB

MD5
66ca8de746bd5bc09574b9b5d72a91bb

SHA1
ae5b33f83239264d6202d1b9fdff566e851b85e4

SHA256
8221e96e5aef72f45e31a858a97638c7f2fc0bad68f6a21d92edb26cfba20f2b

SHA512
80d6b675b08acc1bdd65da19938c2a30a0bdb4ba75459d2677e56345720a5ce5590ace5aae48f2ca1bb14315cd73c40adb841af0ff917799a6a8e5963871e74a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fowep1di\fowep1di.cmdline

Filesize
369B

MD5
66aa6bb1e7429d0c31c0ca8fb9a8e624

SHA1
a3ccc436ca598a76c97c0ffe253a0c0a5b876db4

SHA256
de560325a65af698e9d971465292ff30396f6955ceb4954092b9294fbe61ec5b

SHA512
5f486ed16a5a3c90891b71fe228e341a48596cdb719b105d9e31f7c54a07113f6f9ca13713fe9c5914218d3d043f9c9e78f7176bf6cb292561cb69cb62e6d8ca

Download Submit
memory/2000-14-0x000001EC63160000-0x000001EC63322000-memory.dmp

Filesize
1.8MB

Download
memory/2000-21-0x000001EC64D80000-0x000001EC64D88000-memory.dmp

Filesize
32KB

Download
memory/2000-16-0x00007FFDE4623000-0x00007FFDE4625000-memory.dmp

Filesize
8KB

Download
memory/2000-17-0x00007FFDE4620000-0x00007FFDE50E2000-memory.dmp

Filesize
10.8MB

Download
memory/2000-18-0x00007FFDE4620000-0x00007FFDE50E2000-memory.dmp

Filesize
10.8MB

Download
memory/2000-19-0x00007FFDE4620000-0x00007FFDE50E2000-memory.dmp

Filesize
10.8MB

Download
memory/2000-20-0x00007FFDE4620000-0x00007FFDE50E2000-memory.dmp

Filesize
10.8MB

Download
memory/2000-23-0x000001EC64ED0000-0x000001EC64EDE000-memory.dmp

Filesize
56KB

Download
memory/2000-22-0x000001EC64E30000-0x000001EC64E68000-memory.dmp

Filesize
224KB

Download
memory/2000-15-0x000001EC63860000-0x000001EC63D88000-memory.dmp

Filesize
5.2MB

Download
memory/2000-24-0x00007FFDE4620000-0x00007FFDE50E2000-memory.dmp

Filesize
10.8MB

Download
memory/2000-0-0x00007FFDE4623000-0x00007FFDE4625000-memory.dmp

Filesize
8KB

Download
memory/2000-13-0x00007FFDE4620000-0x00007FFDE50E2000-memory.dmp

Filesize
10.8MB

Download
memory/2000-12-0x00007FFDE4620000-0x00007FFDE50E2000-memory.dmp

Filesize
10.8MB

Download
memory/2000-11-0x00007FFDE4620000-0x00007FFDE50E2000-memory.dmp

Filesize
10.8MB

Download
memory/2000-10-0x000001EC62B50000-0x000001EC62B72000-memory.dmp

Filesize
136KB

Download
memory/2000-37-0x000001EC64C50000-0x000001EC64C58000-memory.dmp

Filesize
32KB

Download
memory/2000-39-0x00007FFDE4620000-0x00007FFDE50E2000-memory.dmp

Filesize
10.8MB

Download
memory/2000-40-0x00007FFDE4620000-0x00007FFDE50E2000-memory.dmp

Filesize
10.8MB

Download