3b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21

Analysis

max time kernel
92s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(Full Package) One Click OPT Ver - 6.7/3- Browser/CTT App Installer.bat
Size

217B
MD5

f313871bfb1db4e19da3bfbefdd71207
SHA1

58f254ca81c95711bb974bb3848b4e8d6bd43f2e
SHA256

fcb93b077e0f42c7a5b297dd13f01e4ef1b0af9d08883f25e72c82e2ad794070
SHA512

2008928dad77835328b3f7f0d26441ad449b6ca8ccd394b9c001a778b2f0445b2fecdf537281317db3ce5348fd30b6f5dfba45fea740e2aa2852a7e825c03273

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
14	2136	powershell.exe
18	2136	powershell.exe
20	2136	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2136	powershell.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4324	timeout.exe
3496	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2136	powershell.exe
2136	powershell.exe
2136	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeIncreaseQuotaPrivilege	2136	powershell.exe
Token: SeSecurityPrivilege	2136	powershell.exe
Token: SeTakeOwnershipPrivilege	2136	powershell.exe
Token: SeLoadDriverPrivilege	2136	powershell.exe
Token: SeSystemProfilePrivilege	2136	powershell.exe
Token: SeSystemtimePrivilege	2136	powershell.exe
Token: SeProfSingleProcessPrivilege	2136	powershell.exe
Token: SeIncBasePriorityPrivilege	2136	powershell.exe
Token: SeCreatePagefilePrivilege	2136	powershell.exe
Token: SeBackupPrivilege	2136	powershell.exe
Token: SeRestorePrivilege	2136	powershell.exe
Token: SeShutdownPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeSystemEnvironmentPrivilege	2136	powershell.exe
Token: SeRemoteShutdownPrivilege	2136	powershell.exe
Token: SeUndockPrivilege	2136	powershell.exe
Token: SeManageVolumePrivilege	2136	powershell.exe
Token: 33	2136	powershell.exe
Token: 34	2136	powershell.exe
Token: 35	2136	powershell.exe
Token: 36	2136	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2136	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 4324	1724	cmd.exe	83
PID 1724 wrote to memory of 4324	1724	cmd.exe	83
PID 1724 wrote to memory of 3496	1724	cmd.exe	84
PID 1724 wrote to memory of 3496	1724	cmd.exe	84
PID 1724 wrote to memory of 2136	1724	cmd.exe	85
PID 1724 wrote to memory of 2136	1724	cmd.exe	85
PID 2136 wrote to memory of 1280	2136	powershell.exe	95
PID 2136 wrote to memory of 1280	2136	powershell.exe	95
PID 1280 wrote to memory of 880	1280	csc.exe	96
PID 1280 wrote to memory of 880	1280	csc.exe	96

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\(Full Package) One Click OPT Ver - 6.7\3- Browser\CTT App Installer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4324
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "iwr -useb https://christitus.com/win | iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ndqfodi4\ndqfodi4.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29BB.tmp" "c:\Users\Admin\AppData\Local\Temp\ndqfodi4\CSC3AA814E36C24EB596B3862FE0D37631.TMP"
      4⤵
      PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES29BB.tmp

Filesize
1KB

MD5
f971f2200611a94d59a8467b88b3cc20

SHA1
bad3a4ee8445a7b1313a82e01ed965708cdb3b29

SHA256
679b6021aaaadadd4b9b10fea0623414482392c8d7abb4da9c2c40e71da47e3f

SHA512
932d2e2292eefb0cb981d6a44701b29f1111c65be5fec4073a2df7eb87ae1b110bb189981ac5c2f16f48c729af715ae18a6b32e2436592b3397b558713b178d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w3hxudrn.jha.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndqfodi4\ndqfodi4.dll

Filesize
3KB

MD5
1fae77f7ef32838daa71a615ff3b627d

SHA1
1ca00dda7e3d6d83f85e9f327b348cd983f33c78

SHA256
2c548ac059a077bb43b862c5bf763373f08c9cc075eca83dc08a22f8cf7b017b

SHA512
be69f09f7d3fa6a50feecd8d84f2407d0f3f913e9732eaf74ac2da8c7d8966007f574bfb3acd720a038dd19cbde2b444ad0dc88fab3bb0bdcb894765efdb281a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ndqfodi4\CSC3AA814E36C24EB596B3862FE0D37631.TMP

Filesize
652B

MD5
95ecad76fa1b448c46264c1260ad15c2

SHA1
5afc319d687e525db72721e6fcb08dbfc47b5992

SHA256
038e5ada4a87a0ffd287a6d13775594f519f2f8f6c4088fcc0a3c572dde7f50b

SHA512
e6564b1e9621fc31f82f62c4ac62ed7daa8eee0cbdf95a3a3675e34c574482afbb0e1d18b1b1965a6df10837e522289702e6a678bdba071872ac552a3c3fc7eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ndqfodi4\ndqfodi4.0.cs

Filesize
1KB

MD5
66ca8de746bd5bc09574b9b5d72a91bb

SHA1
ae5b33f83239264d6202d1b9fdff566e851b85e4

SHA256
8221e96e5aef72f45e31a858a97638c7f2fc0bad68f6a21d92edb26cfba20f2b

SHA512
80d6b675b08acc1bdd65da19938c2a30a0bdb4ba75459d2677e56345720a5ce5590ace5aae48f2ca1bb14315cd73c40adb841af0ff917799a6a8e5963871e74a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ndqfodi4\ndqfodi4.cmdline

Filesize
369B

MD5
5397eee0cb62705b2a3ccefc1816e3bc

SHA1
d70fa8ecf3143573ae4b087599c0cdf26cd1bfd9

SHA256
a5a878fd9e5e115af4ec409ff1bdba984783c446176d8b4a43b59819f5b5ae58

SHA512
08a118d5702518873d7eb15e2516b3c42ba9a66402fec65058e02438a2b086ea0afb087123ded5adfab1f7b56aea8ebb8e34238ca1d8ab2885f647358b6830bf

Download Submit
memory/2136-14-0x00007FFFE1090000-0x00007FFFE1B51000-memory.dmp

Filesize
10.8MB

Download
memory/2136-23-0x00007FFFE1090000-0x00007FFFE1B51000-memory.dmp

Filesize
10.8MB

Download
memory/2136-16-0x000001FAC1B50000-0x000001FAC1D12000-memory.dmp

Filesize
1.8MB

Download
memory/2136-17-0x000001FAC2250000-0x000001FAC2778000-memory.dmp

Filesize
5.2MB

Download
memory/2136-18-0x00007FFFE1090000-0x00007FFFE1B51000-memory.dmp

Filesize
10.8MB

Download
memory/2136-19-0x00007FFFE1090000-0x00007FFFE1B51000-memory.dmp

Filesize
10.8MB

Download
memory/2136-22-0x000001FAC3F70000-0x000001FAC3F7E000-memory.dmp

Filesize
56KB

Download
memory/2136-21-0x000001FAC3F30000-0x000001FAC3F68000-memory.dmp

Filesize
224KB

Download
memory/2136-20-0x000001FAC3E60000-0x000001FAC3E68000-memory.dmp

Filesize
32KB

Download
memory/2136-15-0x00007FFFE1090000-0x00007FFFE1B51000-memory.dmp

Filesize
10.8MB

Download
memory/2136-24-0x00007FFFE1090000-0x00007FFFE1B51000-memory.dmp

Filesize
10.8MB

Download
memory/2136-25-0x00007FFFE1090000-0x00007FFFE1B51000-memory.dmp

Filesize
10.8MB

Download
memory/2136-0-0x00007FFFE1093000-0x00007FFFE1095000-memory.dmp

Filesize
8KB

Download
memory/2136-13-0x00007FFFE1093000-0x00007FFFE1095000-memory.dmp

Filesize
8KB

Download
memory/2136-12-0x00007FFFE1090000-0x00007FFFE1B51000-memory.dmp

Filesize
10.8MB

Download
memory/2136-11-0x00007FFFE1090000-0x00007FFFE1B51000-memory.dmp

Filesize
10.8MB

Download
memory/2136-38-0x000001FAC3430000-0x000001FAC3438000-memory.dmp

Filesize
32KB

Download
memory/2136-10-0x000001FABF2C0000-0x000001FABF2E2000-memory.dmp

Filesize
136KB

Download
memory/2136-40-0x00007FFFE1090000-0x00007FFFE1B51000-memory.dmp

Filesize
10.8MB

Download