Analysis
-
max time kernel
141s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
16-12-2024 09:54
General
-
Target
lossless scaling/lossless scaling/Lossless Scaling.exe
-
Size
155KB
-
MD5
026ee87ab32b3796029c0538a3c2ba3f
-
SHA1
4df028e652dcb57a413624ed478f6726aa404ec8
-
SHA256
aa36385f8d2b2fb00b3f4936290a3da6de35297b58e30f60d97ef42e79a83881
-
SHA512
99920da38e9b57ca70085907d55ef2a521a769201dfc5e3f01d928a6208f2d89b0fbdd3a1e0b3124fd48646349ecfce24871431578d98b4e00a40a15aa8e37a9
-
SSDEEP
3072:g46p7RATueBb6sKGyLY1hhhhhhhhhhhhhhhhhhhhhhhOCD:n6pWTuet1V1hhhhhhhhhhhhhhhhhhhhJ
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\lossless scaling\lossless scaling\Lossless Scaling.exe"C:\Users\Admin\AppData\Local\Temp\lossless scaling\lossless scaling\Lossless Scaling.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Public\language\en-US\hiberfil.ps1"2⤵
- UAC bypass
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /RL HIGHEST3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\lossless scaling\lossless scaling\language\uk-UA\LosslessScaling.exe"C:\Users\Admin\AppData\Local\Temp\lossless scaling\lossless scaling\language\uk-UA\LosslessScaling.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=LosslessScaling.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.03⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2828 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {0E29E156-37D0-46C6-B2D3-12E41174E00C} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5737d189cc00cec86b6fd106d9d3d603b
SHA17cb5edcf27e170331f7ab31c9f19b8ba6cba7b17
SHA256ae16a439b74d8ab3c991e61a7c2538beb80a982c1282fa8643d656d020b24b15
SHA51269b7953dba79fd37077c998381cffae423ff1cadcb6fe8f413a568616a212c5ab0dd41143e8d2ed3cf4e88e843b5f6bf1387c807c194fcf44357d13bc65f7186
-
Filesize
342B
MD5b414ce0fc4ed115cc0c4034f932a6597
SHA1deaf87291fffeb3603c834cbddd13ba7b83eab6f
SHA256ff8e72d4fd5e94f52407119f5f05eee2375be5838612ba5f6e39adcfff3b4b8f
SHA5121e8ea785259e20ec9e0040d0eb18cb9ea36610d14e669fd35a7116d40f17d4a5c32ab7357af03b21605a6119d5d4d80b60a1e586b57cbb6f7551f3d0714665d4
-
Filesize
342B
MD5a01082509b62fa4b44a76788afb339cf
SHA1d3b9eebbaad1c7c1a540a6c9c6645852b4360f24
SHA256807d3fcd19121da583a315362ba9538c7200d72a8489cafaed931cacf5430a1f
SHA5127086da38219bb9945c7eb5faf17d8854b4e9315237ccee1319bc344171876d45c6252ec5491b09c08630e178a35066951e42c95d5122438f2299bf8ae10b23ea
-
Filesize
342B
MD5f1277d7bad15c74764ceca21d6c07b2f
SHA13bb58b9511096981055aef57a1182f33fd5f3a54
SHA256ed30c9894f3230fb3d94c4291704a1b9fa7f7595e19ef5cd04c9290f9c6112bb
SHA512fd84ad500c4f0d158d13aca4a4ecabd1dc3535271d9909cf9e362bccc98be93413016d23ee2cae2f05f4b610b3d22ff387e565f3107986602f93e9c40a7f15c2
-
Filesize
342B
MD57d0a47fa6e225ee26b65b42d0a6991ef
SHA10275f46a2365f8772fc3f842aeebaeebee6e0334
SHA2568dc7ed9910463bfc4a204004c69bbb2a190378fe58cd93aedc25085e3eda2425
SHA512b6fa9033a03b381f2672b10a734e509cef1d67f85776c295c970edb6307ff4b368ede932d530137a5c9c30c9f9cb4149dec3be3ce6cd800aaa2262498dd0330c
-
Filesize
342B
MD58c5737d6e42550f1111958163c9dbe8b
SHA11688de219ee3c5a18de4338113584600c562df49
SHA256e781ec6b15edb91d740fd5ad28fc3386ab4f0851eb5af293ff76f503929b196f
SHA512ccff6d947d28bacc9f2ef2885723d0eb155f6da9a507f7ba3853377775026f8c0356e515a5bb1102bc87f54d26a20be4f6e85083b068292db01b3c71b197beb9
-
Filesize
342B
MD59b12b1c34661c6d1dfaa105f92df7eea
SHA150cfdd2964a48ec877dc22cb3934b325888aa438
SHA256264a752ee5fba457b3162190d020fbaf3d4c227ca680cb754ccaeeda6ee8ecad
SHA5120f230b3e42057952a5758c29da81d9b63351de806b3db8e59d2315fd9391f39abdbcaccf1328b215d247c052366a078d90f96713ae8ebc364ab8e321b2145161
-
Filesize
342B
MD54ecce8337b0aea30e83168d0d321f4a3
SHA1f1d754cc451cc8b9bb65cd58561e77d9464aa764
SHA256350447dabab0bd3a41c206f08d69b95aec453bd4892727b8dd292b4aaafb6a71
SHA5123de6a664b5c69f2babaed3fbc6ae699750e3bfc20e8829536b1eb06274751b6e97df025f5fda8618c9e817bf2761fafae6e94ef71608cd4559b5f487d1c01bed
-
Filesize
342B
MD5e891ccb06c1e419778f5a21a3e0f3fae
SHA1e55c06b9bd07d7831371d5e7af3b5cc0bca3e37c
SHA256bbca57f3b4ecab3276a5e0704fc4e505a336de97bca1e842e2f034f400660edd
SHA512bacc6f51a8829190941cef46fc7518bbd46febb32a4298a4b2248f47a380538aab3431ea4fd79c153a9f673cae3063e810d27913e49ab03dbaca3091a489f0e4
-
Filesize
342B
MD5497d755d9fcd75dddf639c73f7d1e0f5
SHA12fb53da86951407ca114224e5844849a99de6ec2
SHA256d3a243391304ecd5eea4c89f79cbb2648617a15a6dfd7d8218f2b2e63ca373f0
SHA51268b34832b5fa3416f15c37d514a351afff19e183bb7f671e87746c5e488a2157371e8677636a2d2766652b1c4f206b66726be53a392e77621e05e6c0934a88fb
-
Filesize
342B
MD555054572132d2ec569a67af7bb9800b5
SHA1105123e1b2bb080db366d54f2fe100c98a9e0695
SHA2566af592cf5ab26d5e24ee6998cd5c1848705eac9b4d0d4e4c196eb4ba4906269b
SHA512d19b25d163a06438bd2cbd1cd1d82697d7ae3d7d9a58905cd4e7f6d9ad4b0c12774a108c905891926e42936612a74232cedd4f9f9a954562c41f7816b0e2ce81
-
Filesize
342B
MD514afa0349ab81c5fca141c003cd80ce0
SHA1724ac5658dff5b23adc82be8c28c518780464f0a
SHA256d1ca0e0c072ce37e97e9453f22601b0d7c9104676bdc6f357807c3f60c02a294
SHA512755bb08083d60c6d9ace4e691f4cc3038d6a43d817473e3d329aa117893814eaccb5d89f9079680116809fac78f852fe6405dc3f335ff4050ed63eee5933246d
-
Filesize
342B
MD551c42a1f2b21d3b32fdd66fb5f4c48c4
SHA14bfe3164153c30d55741d9723de7029e7b2b232e
SHA256b0c58a0ca1ce2d0a382e3d14337e9d48c2d4e0697c10fc1c29c8ca91e013cab5
SHA512ce47b4983c6b75d786e59d40ae631480b39c96e84d79899f0f92fc9d34f2aedfbd47b2bdf3d1ab5b14be0f4a12567f76df1cb5975530ec5ed8ef716b0867b032
-
Filesize
342B
MD5d9f1389ea815766dcc27968a9917f1c3
SHA14536407a5d6e7af43477862a08b3f5137502354c
SHA2560e304b4ecb57aa0e902c516e9db17614dbe1bc35d5716dbc1d26fea7f211906f
SHA5121265c2a39f600b94b18acc7973c6a700fc7203cbea037ce2017317106c371f4d9693e4158a24ef15792bfdeaedefb3f6cddaa30e842ebb123fb46e5016b27f04
-
Filesize
342B
MD5e8760d53512188917ca2b8aa005be5cd
SHA14fdddd6604a940a6c74e63065356d355d7d95aaf
SHA256f5fe5f02c105414996399a155b359887e3ce8e7e0f78f7552ce78dc85aeafafc
SHA512d7e3fa16553e2bd8ce64ec796aa001551affd1c91d8a9cb19f9c71f8e2039fc38458e66463dbe950c61539df79ab88ccca761034c265100dac55bd5db2702455
-
Filesize
342B
MD5bffb2e79cc2eb2569346380c42fb747d
SHA1cf0ca4e869efce99e3d353e8753e1cd99faeaf0e
SHA2562ebe21cee723d1911c1b31c211ad78576bb4beb9e7d203f5fb77cc15ddab75fa
SHA51245bd023325bbdd19bfaabc2c652a18018fc90822ed1bb53ea0f3ce2f27bc7026bfaa4f46d94db2c791f4b48d76d4a2c1d29892d31cf5b1e3ab695ef423fe3c06
-
Filesize
342B
MD5b226c04a1dcba3dfc254af9c3b2e4456
SHA1467dacb419efef633a608ae82d4258e47964cd9c
SHA256c4ea2502945ec16662daa0010a811eec8ee30b3bc11b6640d5db0cd9e0b18954
SHA512d12423d148674de06ce686e2fe64c3d7a88416c671355f20d7607b5feb9cabdfb7f083ee98701c4284125971a27b1e60819667993609a8c897e44b91bf9b5858
-
Filesize
342B
MD5dfa8d8db90e5b2cd74a898eb0b759247
SHA1e76df9706ba6b664b1e7059aeec044c7b0efb396
SHA256649d69887d13ac52478dd72705256bad25df37b64daa8cf8943f7653db456361
SHA512ef3a37c33af768e783b3c630034646f618ed2883c86e6c78a80e399e43cc9f7eb559272d6a9bc47538249ba15ada9f692f1e171c2fd2529f5ab23804a93ce711
-
Filesize
342B
MD58a350a7e9af1ccd80bb1f72e2817468d
SHA110564c6c14258ee2cb36fbf084cac21b1cbeb660
SHA256cc976b10fa3be1b5bdcdec6b943c12c403f4da1d4e506450c69dff52afa26daa
SHA5128560cb63199529b03505f39ae4dccbb3ee635f6e05248a2be88b544cdd357ddf262dc988b2ae484d878576a1dbae10a33491df63da3311493d3ff0d35d8c1404
-
Filesize
342B
MD54a32441588d4a93c1b2a15f7e0d457cb
SHA178a52ea0b2edfe5ef02cf83b8d7df5cf2e83b68e
SHA256262534c39f3810f41a2bb8e63833947735c9318de22d70b34803a6b57ffd2255
SHA5128c9a25caa077c09d188d12ed1033bb31e79f9fd58262c963fe06df4417f7e97451f38b73e8642c7d899fcc4cee5b40a05ec126980e10dd21b3d5f7113494672c
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1KB
MD598a99e831c54087770d3fd89f2bb9913
SHA126754b638106f4e2c3bdff6780c574384a129972
SHA25692360a7d4d9bc840a967a86f6bd3651d0d7fb5218d57e3edcd36ad897f908a44
SHA512cae5a9b95ac842902166cf2d67114f311f6bd9227999654f733b2ef16e4daf8fa2ea5fb5908425243226217fe99e87ded7f9d600a2eb668fb3b4f7d4b0974df2
-
Filesize
1.7MB
MD5df3362c56b3925e0eb83e0a10fb448c7
SHA17b82a4de6af8f15994cfa1f179ebf5e0f302e503
SHA2561de06a9918cdd9e8dd95953f1a6b937d490a6eb228b2a67e5a89b09feab810c3
SHA512431dbbf045c8a62cacd7e8236ad343287c574b97684d941fe6f94e702fbb2a19675e1849220fa443616bfe2adec0e2218c42d75889333ca489f064e931891785
-
Filesize
4KB
-
Filesize
176KB