fa9cf901bd2c9359d2efc09f8adb1baa12ae56b841ba06dd057cefd58c778316

Resubmissions

11-01-2025 14:25

250111-rq9hra1mds 10

11-01-2025 14:22

11-01-2025 14:21

11-01-2025 14:20

11-01-2025 14:15

Analysis

max time kernel
442s
max time network
444s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-01-2025 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

toto.ps1
Size

499B
MD5

a54ada657efbbe1395598aae1bdac1f9
SHA1

a7887658eebba20bd97e43010ac5ffd5b972a273
SHA256

fa9cf901bd2c9359d2efc09f8adb1baa12ae56b841ba06dd057cefd58c778316
SHA512

f78a115a61450bd156959371572730c7c6a262907ae6dfc33fbafe77660cc5c5db0e9ca2795750f069efdce8d5f0f033d61aed50097fe89e94d59e3c89e1184b

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	3740	powershell.exe
4	3740	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2676	gezulik.exe
4340	snippingTool.exe

Loads dropped DLL 7 IoCs

pid	Process
4340	snippingTool.exe
4340	snippingTool.exe
4340	snippingTool.exe
4340	snippingTool.exe
4340	snippingTool.exe
4340	snippingTool.exe
4340	snippingTool.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4340 set thread context of 3408	4340	snippingTool.exe	84
PID 4340 set thread context of 4036	4340	snippingTool.exe	88

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3740	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1636	4036	WerFault.exe	88
4092	3408	WerFault.exe	84
1776	3408	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gezulik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4340	snippingTool.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3740	powershell.exe
3740	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3740	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 2676	3740	powershell.exe	79
PID 3740 wrote to memory of 2676	3740	powershell.exe	79
PID 3740 wrote to memory of 2676	3740	powershell.exe	79
PID 2676 wrote to memory of 4340	2676	gezulik.exe	80
PID 2676 wrote to memory of 4340	2676	gezulik.exe	80
PID 4340 wrote to memory of 3408	4340	snippingTool.exe	84
PID 4340 wrote to memory of 3408	4340	snippingTool.exe	84
PID 4340 wrote to memory of 3408	4340	snippingTool.exe	84
PID 4340 wrote to memory of 3408	4340	snippingTool.exe	84
PID 4340 wrote to memory of 3408	4340	snippingTool.exe	84
PID 4340 wrote to memory of 3408	4340	snippingTool.exe	84
PID 4340 wrote to memory of 3408	4340	snippingTool.exe	84
PID 4340 wrote to memory of 3408	4340	snippingTool.exe	84
PID 4340 wrote to memory of 3408	4340	snippingTool.exe	84
PID 4340 wrote to memory of 3204	4340	snippingTool.exe	85
PID 4340 wrote to memory of 3204	4340	snippingTool.exe	85
PID 4340 wrote to memory of 3204	4340	snippingTool.exe	85
PID 4340 wrote to memory of 3952	4340	snippingTool.exe	86
PID 4340 wrote to memory of 3952	4340	snippingTool.exe	86
PID 4340 wrote to memory of 3952	4340	snippingTool.exe	86
PID 4340 wrote to memory of 2084	4340	snippingTool.exe	87
PID 4340 wrote to memory of 2084	4340	snippingTool.exe	87
PID 4340 wrote to memory of 2084	4340	snippingTool.exe	87
PID 4340 wrote to memory of 4036	4340	snippingTool.exe	88
PID 4340 wrote to memory of 4036	4340	snippingTool.exe	88
PID 4340 wrote to memory of 4036	4340	snippingTool.exe	88
PID 4340 wrote to memory of 4036	4340	snippingTool.exe	88
PID 4340 wrote to memory of 4036	4340	snippingTool.exe	88
PID 4340 wrote to memory of 4036	4340	snippingTool.exe	88
PID 4340 wrote to memory of 4036	4340	snippingTool.exe	88
PID 4340 wrote to memory of 4036	4340	snippingTool.exe	88
PID 4340 wrote to memory of 4036	4340	snippingTool.exe	88

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\toto.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740
- C:\ProgramData\lubvi\gezulik.exe
  "C:\ProgramData\lubvi\gezulik.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\snippingTool\snippingTool.exe
    "C:\Users\Admin\AppData\Local\Temp\snippingTool\snippingTool.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3408
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1300
        5⤵
        Program crash
        
        PID:4092
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1288
        5⤵
        Program crash
        
        PID:1776
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:3204
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:3952
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      PID:2084
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4036
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1336
        5⤵
        Program crash
        
        PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3408 -ip 3408
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4036 -ip 4036
1⤵
PID:244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3408 -ip 3408
1⤵
PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lubvi\gezulik.exe

Filesize
14.7MB

MD5
63a4711b6e2e2b01f682f0456b730e28

SHA1
bb744c40bc763e02cd7b25024ed9a2eb33a20d6e

SHA256
cbf7a238f87178015a6ebe45e3eb066bddd0bb8c9870d79062354793fa1ab273

SHA512
be1453ee80b229a06ea0992932631baf76cd88d847a4563dcaf82f031716c518d2b2e99ad3bf9c291db45bd669bacf8bca98045df8d399d195a2e743db747272

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ymc3qyc4.sru.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\snippingTool\IISEXPRESSHELPER.dll

Filesize
20.9MB

MD5
f3aa192df607ab3ad1fa8b0000b289cf

SHA1
3d5e0dc437d6db534e7fe832909493bf21f196fc

SHA256
d6028eec0db1449f464127062b5fc14e04a6da948a09504cdbb2344cbc571531

SHA512
d52e53fef5d8e617d92e95d9853149b1a7709b84902f980eabbb22eb13cecf536aff7798dc47ba3c2f6279acdbae6f96a168dfbf00e75dc1765b296cce6c20e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\snippingTool\IISRES.DLL

Filesize
246KB

MD5
7e7be515e089034a557acc4c0731c791

SHA1
2681aed2a29db5234a61c5c8c114c2223ac01090

SHA256
079c7701c4148085f2935b64f3075ce88b752c323b91b360fc1c8f242ad4fc69

SHA512
7b656ee001cddc72d36be6d46db4ce37793aba0bc8c8695ede0b890dc841286f4865d4f033c194d50dccfb0283a1c2cddb9b8e6e18b3004322500d3cc6d2bd21

Download Submit
C:\Users\Admin\AppData\Local\Temp\snippingTool\IISUTIL2.dll

Filesize
318KB

MD5
4ab4d86b77a8eac80c9584e442ee9da1

SHA1
5230872c7e1e6db19d9c188401531203950c7c15

SHA256
0ea2228e86e64200f2c23c6c7a8db9ac6b01ae328e2745691f2db4ec97994ca2

SHA512
0cae75a0e9b164b86d3bb7ea984c7bab2d203f6fb302fbe42c364f77a2a657a53c9000def4669d9b368d5ca7548eae590437ac70a36304001ba5c46e7602cfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\snippingTool\nativrd2.dll

Filesize
494KB

MD5
123905eb2127a04224059986c7469459

SHA1
d0065e7ab4670c26ecd4d32b0cebb0ab87e0500a

SHA256
758b292406417adfd3c75674e3bb49747a6691c3611877441aeec006ef96b268

SHA512
3deff398fcac4aa23e8dd07ec2457c46a77203b2853155055c29f3477e22af42bdb8eb0986253cd8531d41715089a948335ef0a0dea1791724ee8bafcdcf20aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\snippingTool\rtinfo.dll

Filesize
50KB

MD5
508d1e0e7cd13831d8cd385f61a703b9

SHA1
a515eccf7e981cbf9f3294614b5b895415a8d6f7

SHA256
37b4243e74f6d7710a2f14bbb7b612ae1c22c726f7f9a12576334ad91d3bf92f

SHA512
df664998450351e4a4ff51210d3620ffbaf90c547210fe5f33affaaaff14df1d616c8653acf2a47ee14b31099d4d09911b9b4b596e1fdb2bdf6205a3956c8ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\snippingTool\snippingTool.exe

Filesize
186KB

MD5
be79abf452e52a1ad083cec345067315

SHA1
bc87412614f086e59c17bbc128c29b13115da9dd

SHA256
b872a7a909e26e6fa6db3f504eda74e08388e238c05f5113f3b3c28d31485dde

SHA512
bea70144e046f7d17d6e6108faf199c86a09dcbda85a74f7b1d6b916622467e64a9c6fb73e34d2f09f9dc1db37c6559e65ec81ac1c56c3d683deb996880ea9c4

Download Submit
memory/3408-532-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3408-531-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3740-12-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

Filesize
10.8MB

Download
memory/3740-20-0x000001DFF9400000-0x000001DFF9412000-memory.dmp

Filesize
72KB

Download
memory/3740-21-0x000001DFF90D0000-0x000001DFF90DA000-memory.dmp

Filesize
40KB

Download
memory/3740-18-0x000001DFF9810000-0x000001DFF9FB6000-memory.dmp

Filesize
7.6MB

Download
memory/3740-35-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

Filesize
10.8MB

Download
memory/3740-16-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

Filesize
10.8MB

Download
memory/3740-15-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

Filesize
10.8MB

Download
memory/3740-14-0x00007FF8EB653000-0x00007FF8EB655000-memory.dmp

Filesize
8KB

Download
memory/3740-13-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

Filesize
10.8MB

Download
memory/3740-0-0x00007FF8EB653000-0x00007FF8EB655000-memory.dmp

Filesize
8KB

Download
memory/3740-11-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

Filesize
10.8MB

Download
memory/3740-10-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

Filesize
10.8MB

Download
memory/3740-9-0x000001DFF8B20000-0x000001DFF8B42000-memory.dmp

Filesize
136KB

Download