Analysis
-
max time kernel
117s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
14/01/2025, 15:49
General
-
Target
New folder/lossless scaling/Lossless Scaling.exe
-
Size
155KB
-
MD5
e61a66c68049bf340cb4457e0a87f2e1
-
SHA1
7b31d1e3f0eb1345daaa1cbae0e735be96a842a1
-
SHA256
68798b9b911b0ea26380b38e0580d0620de3e7fd59a502d89b739d28eef83ce9
-
SHA512
17156b9cf8804195670c6dacb3cff67d17de5ae3f9721e2067502a926f4d6f2a9c0d888007ecaf3b16c507744e269c9f30d2179cdc5d502dfdb2711bc0c7e7aa
-
SSDEEP
3072:c6p7RATueBb6sKGyLY1hhhhhhhhhhhhhhhhhhhhhhhOCD:c6pWTuet1V1hhhhhhhhhhhhhhhhhhhhJ
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\New folder\lossless scaling\Lossless Scaling.exe"C:\Users\Admin\AppData\Local\Temp\New folder\lossless scaling\Lossless Scaling.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Public\language\en-US\hiberfil.ps1"2⤵
- UAC bypass
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /RL HIGHEST3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\New folder\lossless scaling\language\uk-UA\LosslessScaling.exe"C:\Users\Admin\AppData\Local\Temp\New folder\lossless scaling\language\uk-UA\LosslessScaling.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=LosslessScaling.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.03⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {6679B627-58A5-41D5-ACE3-729964842E1B} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD57e81dc1887c45d053d4f096b70a09ba2
SHA12eb126706e602acc35c634a2ea176d6f706b5ed1
SHA256649fd84435a7be2ebbef33ebd2dbed402ead15eaa779fca25f8f41452911e928
SHA5122f0dd954e0cf9322a2c9c194861b613895ed4405a7450b0dae2a8d3c8ce8838897cd8b946fd01d499f55a4a53f8123517b93c855be65b147f940d8ce984780da
-
Filesize
342B
MD59ba8452e463fc6814f9edf5e0dae2ae3
SHA16fa77fb5f8206339ec827e9e3a224c80be4f2f98
SHA256e0557093dc50e732294e90d3df7b61bba3f515e0ccfb414c22f7a1534f04aa5c
SHA5120c8795556ecbd1308e1dedbc3dc380df97f6aa629f14ce1da3544bbac237230719a32df621825d9c2785cbf57160ecd176c76d11c332dc1f8baa9a732dc9ed90
-
Filesize
342B
MD5f80a29eb539f08aa66a17bf865f912a6
SHA1a72fcd72af82f08ff5107839a75023ffe93906ef
SHA256cdb899035e2d4150d1e1f2723e10c1b41a519766a34f1f085a521d4743e7d194
SHA51248ae6d0acd076164078251a5abf7acadf94dc375708cc325e2658d9d6bd0fca6c51d6a1fe64f7b80a0ba3a91288a777a32ba0f4c43609da6361c12f77b3de7c5
-
Filesize
342B
MD5d7bd9296787f19c074a64a5eccd469b3
SHA151fd47fae33938d5cc0b245de270e459b575c430
SHA25603dbc1a33e8ee088d93fb24ad3eb8f5e249e96197e19465a79c3fbf92c50f53f
SHA512351b1bbf0b0519b2ac93e1c7516a987d794bf223f2c5562cb16e1c50560443954873b47a9560520b85e40177c2c9bfa8ee14e402334bb7b705944bb467dbf0d3
-
Filesize
342B
MD5a78793a9386cd04398328474ec417109
SHA11100e67ec2437129ac9294c3042124cafb20e379
SHA25658e38fa5e0ed16804310329ccb1071685189a11f52fc9db7ec307f65f2658ee1
SHA51259622bf294179e592da28ba1c96493fdbc035b5d2d8e44cad378d5ebadbc055992062622f3ea6ebd18ab478273cfb60559967d0adde115fc85be623c4dfbff30
-
Filesize
342B
MD5b1c72933e449f0c1c7ae472fcadc2eca
SHA1a7bfc34348f43caf4a30bc475023fa53d5bd2600
SHA256714acbf56d267a540e7d402ed5fc686868f10c10888566488ec029bb383b279f
SHA51258533f068e8ab1ba07e1a6caaee286c8e0d6527284c6db8e3fc7ff2e314282f71b73f221857b4a1fcc3071a3769e595c39617d43c30728dae1bea25a1ab5b469
-
Filesize
342B
MD54477dd021896c0e28dfd4c76230ec69e
SHA1b6d3fe84acf2a0c1a89fb0dbdac763f3ad42723c
SHA2562290eb62b45af949b73851e30f39afe2114d27bf1cb0a329df661db8aff0e6f9
SHA512ade172d061bf8e222ec9f969943f0d83961f5ca16f5e5161447c39f8f856dc78c92550e9c8485a2bd58a01898be90a4429f7b468f752534ad20dc17c8c732f15
-
Filesize
342B
MD5baf3fc5f419273cef26cc9a0932273fd
SHA1c97b79370c60fef9cf60b29121a9d87acd5ecd31
SHA2565d8177af49dd63109701ba9f7523703acbbb33af501bd37f93fb700d2dde853a
SHA512f70c0241262d0302c8fa9482d43420775f6b750979617beeb71fb4c9146eb3316018b927e462e2f38c71b9097c62e2f302b0f00254d394475e118a062c46b95c
-
Filesize
342B
MD508af058b8a1e7b0deb5f583c96d2b0f2
SHA1598361d37e5e1a60773c2b20399de8f37b89e143
SHA25686d6b4207298e0c4a826f80207ca7e872405486738803157f118d5ea6a2d75a1
SHA512ed988e3927a93344105243febca8fb16e4fec309fd7c5cf7ef401dd30d977172fdf8791c255da61b082dc407dfbecb4b9d1097f82a6c1274ca0e4c332f2ee8bd
-
Filesize
342B
MD5d02ab6b0194dbb27f4ccd3ce5d89eb45
SHA19f1cd33de31a9bab0a17d41c86742f8694a0c811
SHA25618b07b60de581e26749efb04805c60b241ced73ea5f4c2c5955ea67e6d46afde
SHA512644cb15942a5793c18cd4020541dc5f4018498e7cc83501264aabc619b3c7fa975e1959c70e45ba485e297c194a23df049e11aef11f1f4325f88e15b462888dc
-
Filesize
342B
MD52e727fc783c0a2e2f75dcc5c2d9a40b1
SHA145e24be8152c45b6227a8e753611d61cb2c09977
SHA2569ec69d608c1111000aa081be467af3185e9e2f9b44602a53060ac6dec0dadc4f
SHA5122d21d4b18710749e5c231f193755243b41db27d6d611580534892843dce78e68b1f969346e4853cb125807be296f5c89f2e82b4fbc62e0b2a2151410bb138954
-
Filesize
342B
MD50996a4ed70d271ed32d2594ab449dee1
SHA15c5797bb688ab2aabad4486d214136c4738f354d
SHA2561f0fa707e96e7ec9c590a62e9116b578dd6373ad9342238d67de85527d503f0a
SHA51237a37c6fb66c7d64d05e92f07306ad4ca8e323158666071f2f8f64e534ed3966da222c19b5a275f24fbf0b1b81deaabb4e5621b92e4ea2cb74c27bb06ec0dd33
-
Filesize
342B
MD5dbda6b9a02774e44a2ec98807fa971f4
SHA1fdc41e3815d2e4285c690aa359a57b4587f76f1a
SHA2567a5d78d60a070511eb8f5b660fba5afa5fd4de98bb9872289363d8ade2468a6f
SHA5126a4cba73f7f8516ce9eee0213e6d0715e4c376750b6ef62d9f060180cc683dc39de670fc9ac349cbeeb072e5497b94f9f8b198eb6e2fac53139fdfd728d1fba7
-
Filesize
342B
MD5fad2f79f52091be0f03b794f2693b219
SHA1e8f08a9accfdad6e0bdaa583f7c001468b49475b
SHA2563e128f17e88b74f2a2566501ec9443a8b3e391108dc997fbdf49e2875f8569ac
SHA512df33012ebe1e594ad1c182a2a023a5b4ac6b2d6ddb4066fb1b0b3b81806cb3eee770c1e59f60213048089f6ac5163e5ae3fb068595c2cf919bbec0c416845259
-
Filesize
342B
MD57f6578e4816fa0603af1f79b56fdb566
SHA1224d7b1a315aab2cabce0045de7fb5b292cb6ced
SHA2562d73243a3670de216cf4aa6433d55e8152b612442425bfd6871fe634ef362af8
SHA5120b5ec9470221e8a54902fdd30ed3d00d030831c42e6115407807ff2b6d4c6434e572795d29304b511ba566f8f878b46b90cabc547eb0e31e564795d1aa1c1bc5
-
Filesize
342B
MD5e4914a924aab5702deac7ae52f8c034a
SHA1467ff5f6ac35e2fd9fc1db9c35006461b3d8f240
SHA2564a1b65ee669b4975126e64d4a10aaf7faf4fac67133a6e42eb7b583f925a9575
SHA5122d1310cfe34920e3fa8b64207773832577d6274579649097d96145ba473f9bf5b51cd42020133efbb005958970c1db84304d1db2b83f0198ff317265c2cd0cfe
-
Filesize
342B
MD525201ac3c2d2deed84d721311fb40e32
SHA1b09ac9d35a918578b4660f29611081c1290e8355
SHA25686e1877af07ee987c4d9f7b594a85f03b36985a62f24054d9d87b6b8af8af188
SHA512dce82acd51487f40d5457bc9726d68fe3574c4cff01778659e55cdbdde9a1469685b0d460d7f75d110b07739939e634ad250928205d4d338c1e3ea73686fcef2
-
Filesize
342B
MD580fe9ae8dbff8e5a77d8d04a5d63f996
SHA1a09b060cc952f1ffac31f1fb186ae7798c1b2f6e
SHA25690614252ac7127177d1b8f36a035ed553209a52ec26a64d3b6ed7ac04880e278
SHA512dc80b6166ede8e37ba39de3f23b7e3799f3f6321d7e2f5983d13e695dea10c6a1f34b1335763b0d5ffae1eafd6212e46c06a2e3ad3d0dadca6b648c9e7d98617
-
Filesize
342B
MD51bd0388f6a8cc7687a4cc2e84399d3b8
SHA1544c5c4d620a81d0ac6ece641309c22d72252d32
SHA256a49e548866b703b135a16d417e67d84a3f6a4281a750a4c6476c4fd5d295a070
SHA51231786a68fb0369ca6eb38aa858fefabff9cb1de29658b2e77943e90e652beeeb0eb7e4e455d9f7f61633c4ac64d9471a7fac93eb1a90e71132b73a46b74b3b25
-
Filesize
342B
MD5e16f4d19eb9f470f6848fe45b5a634a6
SHA1e44e8db34fdecb2257ef4a74a4526557c173e963
SHA256f8f761c59122f0cb89b480ba46efb40e99d1585127d33f4fa586084109a591d0
SHA51204db0fd506783e93ff711e2f249311b28be3597ba2ceb84fef4e2441a516be99bac9cadb28b7e22345ad607995cfdc688b9d1124d1ed37345c48d6058fd56ef7
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1KB
MD598a99e831c54087770d3fd89f2bb9913
SHA126754b638106f4e2c3bdff6780c574384a129972
SHA25692360a7d4d9bc840a967a86f6bd3651d0d7fb5218d57e3edcd36ad897f908a44
SHA512cae5a9b95ac842902166cf2d67114f311f6bd9227999654f733b2ef16e4daf8fa2ea5fb5908425243226217fe99e87ded7f9d600a2eb668fb3b4f7d4b0974df2
-
Filesize
1.7MB
MD5df3362c56b3925e0eb83e0a10fb448c7
SHA17b82a4de6af8f15994cfa1f179ebf5e0f302e503
SHA2561de06a9918cdd9e8dd95953f1a6b937d490a6eb228b2a67e5a89b09feab810c3
SHA512431dbbf045c8a62cacd7e8236ad343287c574b97684d941fe6f94e702fbb2a19675e1849220fa443616bfe2adec0e2218c42d75889333ca489f064e931891785
-
Filesize
4KB
-
Filesize
176KB