Analysis
-
max time kernel
121s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
29-12-2024 04:20
General
-
Target
lossless scaling/Lossless Scaling.exe
-
Size
155KB
-
MD5
7e7e62b1ab8bf27a17536621fd6a0b50
-
SHA1
f1efb5a0b2256fa12b46e0983c1949ce3ace2307
-
SHA256
94d4791c5a5bcb9eed6d5f8c6bcb0df2cf50c0499254f0f49e545a8e84b0013e
-
SHA512
03c48c4e190a95899bdeaabfe079567633ed53a10779e9672ec4f5e4281310392df2e2e3f21a9f03903d4381f7d20a04b1cbc814f50a09c965a495c881d58e35
-
SSDEEP
3072:16p7RATueBb6sKGyLY1hhhhhhhhhhhhhhhhhhhhhhhOCD:16pWTuet1V1hhhhhhhhhhhhhhhhhhhhJ
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\lossless scaling\Lossless Scaling.exe"C:\Users\Admin\AppData\Local\Temp\lossless scaling\Lossless Scaling.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Public\language\en-US\hiberfil.ps1"2⤵
- UAC bypass
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /RL HIGHEST3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\lossless scaling\language\uk-UA\LosslessScaling.exe"C:\Users\Admin\AppData\Local\Temp\lossless scaling\language\uk-UA\LosslessScaling.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=LosslessScaling.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.03⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {9EB69B54-69B5-49B1-8405-48F1850DE352} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5b98934c1e99ab0a86cd1c55fc05b57a2
SHA1621bfe86afc5fa0a2c777082004859902ed5ada5
SHA256adb9865b7c1dc04de8820907343018342dfa6a768005463c3fe2f0f21479ab69
SHA5125141b95aea191aaaa94ebfc67250424eab5816e2beb572c99c9f5d5fe5af9c25d180375aa064217a090493675ddfd5e760d71843f8b4ba7f84169af5ce251351
-
Filesize
342B
MD582fad15f79cdc8cb6d2ebf1f0bc83cf6
SHA1e031f48f38103bfd88abc3a6e253743ef92a8af6
SHA2567c69548cbfae66d06c338d44d839fe18119ef26b6a542340ef5d6b0afc4ef79d
SHA5125a9d21f667bb5c696e36c230d9d52720dbfe6aa59a796f0fec838eea0d962c34954d32731c7798d909149db978c22e4980a7c6b3a8c604d9239fa8b5c82baa1a
-
Filesize
342B
MD53d58973d8b3ad1e7ad8cb15071158f8f
SHA13b6f604db090561a34b69a8561563c5957d0f702
SHA256fd69ab491ebfaff1f8e3cb9aec4914d236b8a4281da1e0184df30c5533875de3
SHA51229404c9cdd114286543997c1ff17cfdc2a98a3438d1e228b55c54d5ac672fe61d259d6e190e9d4740eff30cd64d5f5687eb03378e7a13f34b06f401edf6e3725
-
Filesize
342B
MD55b8f0bc57fac40b0563a5d779a0b6341
SHA1ffc8e674898b456154eef9cc4b08f73db26cc136
SHA256eb80719fe0626655ce270c796da7eda1ae0e477944b572c5062a8270c684f1a8
SHA512309a5708de0d574a6c21fee3790dbfc298fcbac90af202adcdd69fe10a7156ef33a76020bdbe566ef9aad0971f127091b8c3dcbc3750a7000c6aa0cd537ff341
-
Filesize
342B
MD553b837e947bc9066c4b2b0e5b1e090d3
SHA1302f46203de52ee13e6b1f3f25edea76e97feab4
SHA25646bc86ffb271937921d6b74ce22b2be59fb939aa3a41f6a779a28fc4c6411b4f
SHA512597ef458721ec61db431df753930333061854dc23bb9fc9aa5226eb38cf1fcef1ceea092f7ccebf319e12c75e93147c68d376d282b7ca49c2da114828f145aae
-
Filesize
342B
MD570de89d742e03ddcbf3576b62cbf905c
SHA1809413db390813a9a62871ee61c8ba5d7ff2825c
SHA2561fa12069f1b9fc482bfbfac6af1dd86f1035fb39327f270cd6a9db1b660915d2
SHA51219d0199091386a2d9c13da55372d1ebc56917bc175431fe18179a24d545e70e53a3b55e44c36cd7bd05bfdb4ceb37951527fbd2c7290fa62b7f002fdc9166e6d
-
Filesize
342B
MD519536ab0d60ae8e8af8643c63864a7d1
SHA1a6a13cc56751d40319659cbcf70d2e2c55c9325e
SHA256c1333fe8bed91e28431a6e0c03bc2784775b2ffac92c302bc365f8ffef3dd75e
SHA5124f226a7b43470f0de203ce7c0042cf8b9c617fdc0af9634d0370e26d4aa4143a1caec1f1ff200abb224164e1aca7d6cc1cf601fbc188493229004cbfcae4b25d
-
Filesize
342B
MD52c89d36a27b08110d6cbafc0f95bd848
SHA18655a9be0844b94a7b8a137ad418bd4272cbef3b
SHA25665804fb956449efc7975f50419dd7f6077cf1fa119540fa7c2afaa3a79b7fb94
SHA5121fd264cd6d349260d76dee6c51aa06ecfa925b02b8234d5731f262d2b0c4c1fdc5652f72c81431c4896d86d2242c4977980702645311a3059f7971f1eb592442
-
Filesize
342B
MD58d91cb24e96ae76451f78ec14d886db1
SHA1d2f50867be7d164c34be487091306da5ca98fcd1
SHA256d07b1cfcf8ab165ca57258591a82fdceff3581e490d4f4684609178ac6dc5941
SHA512dc2528353644ea98e9d323a9adc986245898b557443680bc771274ef48812090e712a80f386fce1e730265e154fae5825ef18cf7a007b5b39bf07858289726ce
-
Filesize
342B
MD5d5d0f6d3c4ef6a64099202ae7c937cb9
SHA14a417d28b4dd6f84474de5f1701b6670b3cc0d04
SHA2568cae0fec4500219de14d67abb600e973e7fa82a21b261022a612af7cf7d9f74b
SHA5122b792eeeeb5c4b93025de58fe67ea4e799dac7497f921ee2ad6a16a9f22ac796d53af0f45a03acc74bd4e986286ed3f1a8cfb6d1a35a0f4fae7bf244cdeb124e
-
Filesize
342B
MD52756f525ff738c2f878a3f7051ecda18
SHA157af5c7cfabd64b4b79679918683cf36051fa637
SHA2564038a80055fc557dfa44b51c89919b7ee309cde6e4d46d2c197c87dba1c96234
SHA5123287be26ff98edf208ba0ac4e734aa081406139c57fc989e5ebf0cd8c1140b918648d7be740b9dfa5ff2b0a7d6fbb9db14a4956953acc8471a6930d0f02e8c77
-
Filesize
342B
MD5efefcb7ef781ffcead1f49e7164a23d1
SHA1e6a730bf59ae7183c62a7a91473ab8e9acc4cb46
SHA256f2b83aa84658c7a8561a30af20b0fe5ce43b8aaf5cb1f84b757c724ca6b61757
SHA512c96f1ed42732311b861c4c051fa1e2a1ce7cb1b931de62edb0f94fd629b9fb959b88212edf500c1cb7b87c598f1b1ada09c2e1c41742a9f268e78aef931a3c0c
-
Filesize
342B
MD5c45376ccd1f94e74e30da9744cad19f5
SHA1bdf652fee311220caccadb801e411b62a618359e
SHA256d9cda7c5304d2dc98ddb74e8c26fac1b732a023b4332867a59b66566518a6252
SHA512e1e90d588859c1a3e0866338e8793546998dc35ff35a37b61aed1d94f2da7b326a555562f13d95c15d9a2e442c0ffcb84890101f7c5d1a936429fd3268c33c70
-
Filesize
342B
MD50cf3c124dfed77493ee72aabfbef9844
SHA1d5771abf9edd4ac160ead53ed3b210802d276bf9
SHA25632ab3b4bbe34517532f6192efba6a87e712d0c900b17b94edb7bf4f9c1fd8ef3
SHA512bbf57889ad5991488aa94209e9c7fc44ad67f5aa2f59e4ad4da27f0378f86ed4b615e68d1bb6dd3a7f35b19edde1340715f4614bd5b6a3a7a24680a60642472e
-
Filesize
342B
MD5370d13630733160e1f140d9187faa3cd
SHA1375c64b1bb2f176fe3ccc9a32c800187782a673f
SHA256acb48f7d4873d6035355223979894fd5e80b2a204b9bc4add9e4961923514b4d
SHA5121868d3171f98771eab4db0c598fd4747926a3e074da38bbf1224835b204772ea1353362692f325b472072072748cbf23b53346b2edf46451effbcab0ac19e0c3
-
Filesize
342B
MD58ff92db93579526653824a6012e477e8
SHA147f32ebe0163659929f5ae44b322a4cac500642e
SHA2561f57ffd64a4ad672f10d43eb24ecd65ebbc09806b31826918baa0ab9300ce1a8
SHA512b4cf486c92fda4db110ba94ebefad6e20566870f93aebd77336d1a8fe9cdf72477531687faee7370616a205d48e7892e4d5632abf2237df0c6a6369fd0dddfe7
-
Filesize
342B
MD53d95ac834c96c0186c1e52063eea76dc
SHA1e6d24a7f64117fcacba684ee81b32108a25323a8
SHA256db735abd0cda231243925fb75fd5deb94701079473deff1284d7c40d1fea145a
SHA5128461d8c0a5596e20907fb7e98fc742a69cac90b4473df8e893951faa1da2f676048b9793182de01576ba5eb9f0bf308807abe8fe493ac7aae279a83cf67ec219
-
Filesize
342B
MD5387a109dbafd49399e3884125f8220cf
SHA1ab23cb799073c81c21500449147530c61cd078c3
SHA256756fad6f37ee10b7829a1e54d0e03bcbcf64c51f9fee0818243ca8ddc9099f83
SHA5124336f19a9230caf1f45460fbd0970b524d18c2b508b30d95b372d0e8da0f27febbad489caf673691743a98e1206f187bd7b6b33bb0c66603808570128cf05487
-
Filesize
342B
MD55941749e8166732734ff7e56418855fd
SHA1d11b5f67dc57ff612230b88445f233be5d20149e
SHA256370feb20a94ced7d3db3e7dff9d4e2afa6f8598f82d43e3e96b5dcb5636e5672
SHA512129368a88cc6884f4995b346c74c3bf9559e67cea2780d69ddfccd86003946dcaed701aa3c32dd9b70827abceccbd276a07b52aa26d975226b2038d808c636f4
-
Filesize
342B
MD5cc43bbce26536e401289d0fdf9c4a88a
SHA1e473eaa15afa241955e1090d46baf3c76592048c
SHA256976e57332182302c44579f52923cd3cb2d23d5d849acb761877d068b8abf9798
SHA51287ed959cd7a8ea83c2229124c9226727011a4a3b9e7bdea233d8cb85bac0e7a369b1768e5d23384fe9a5ffa933911316205569c22ef2fcc0bbc3f128da5807b8
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1KB
MD598a99e831c54087770d3fd89f2bb9913
SHA126754b638106f4e2c3bdff6780c574384a129972
SHA25692360a7d4d9bc840a967a86f6bd3651d0d7fb5218d57e3edcd36ad897f908a44
SHA512cae5a9b95ac842902166cf2d67114f311f6bd9227999654f733b2ef16e4daf8fa2ea5fb5908425243226217fe99e87ded7f9d600a2eb668fb3b4f7d4b0974df2
-
Filesize
1.7MB
MD5df3362c56b3925e0eb83e0a10fb448c7
SHA17b82a4de6af8f15994cfa1f179ebf5e0f302e503
SHA2561de06a9918cdd9e8dd95953f1a6b937d490a6eb228b2a67e5a89b09feab810c3
SHA512431dbbf045c8a62cacd7e8236ad343287c574b97684d941fe6f94e702fbb2a19675e1849220fa443616bfe2adec0e2218c42d75889333ca489f064e931891785
-
Filesize
4KB
-
Filesize
176KB