Overview

overview

10

Static

static

3

payment.rar

windows11-21h2-x64

10

Invoice Pe...nt.exe

windows11-21h2-x64

10

$PLUGINSDI...ec.dll

windows11-21h2-x64

3

Defmrkede/...am.ps1

windows11-21h2-x64

8

Analysis

  • max time kernel
    127s
  • max time network
    137s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    24/02/2025, 18:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Defmrkede/Crossbeam.ps1

  • Size

    58KB

  • MD5

    798e71f2fb7aeccbf532d4b9c7484b56

  • SHA1

    d22784524ac6412395f51a3fd3fe0cfba04f034c

  • SHA256

    1669d04c0289873aa79409ac3522a90ce116740f52c11eb8833aaf5c8908acb8

  • SHA512

    29f868a51ac1b4c25a4a7d1fad093e6fccc3adc762f8fa791c8e728aaf16a26ce0e43cdf45f955d0152d94ccff514776426bfb9a088cebf77ef9521a642606bf

  • SSDEEP

    1536:IuWZnBGyJTf6U1uxBx174Nsp/0PjUt5hYlH:ULvTf/1uHNcj6XYt

Score
8/10
executionpersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Defmrkede\Crossbeam.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3500
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4864
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1200
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\FEIGX34R\www.bing[1].xml
    Filesize

    328B

    MD5

    9af9c5cabd29f0eeb507c7db7db127bb

    SHA1

    36ec54a565ccf660aba2ef453e447ac80ef5d914

    SHA256

    a7ecd44ccebe553d0b37a60d1dbf4f82964fe8407b4c6b2dfed7b0167d914b90

    SHA512

    86aa7a442315ba1ace37b8998f67b246b7432f4a2336fffa44282240bc7f1884dff5061689048910776814334608b9e9dcc756776308e1c212c161e59cfdefee

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\FEIGX34R\www.bing[1].xml
    Filesize

    15KB

    MD5

    acd35853a6731620e214fd64b359c75b

    SHA1

    8e696cb430f3813c1520e7f7396f221ae5b3bd20

    SHA256

    5a204c8d52ed71b69b609923b48c8aaadc544746f27473469590838f4c13308a

    SHA512

    28e9d478b4034a875ef1383a32293a548416db75e9487030149cc4edea8d899995297e4791ecb07ba15ef828aa6fcd4cc04d95d48e8853dde083937e1e6976f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0jlb3ulz.zgv.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1200-117-0x0000023CC7A60000-0x0000023CC7A80000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1200-206-0x0000023CCB650000-0x0000023CCB750000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1200-119-0x0000023CC7A00000-0x0000023CC7A20000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1200-118-0x0000023CC7AA0000-0x0000023CC7BA0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3500-11-0x00007FF8482A0000-0x00007FF848D62000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3500-15-0x0000017C258D0000-0x0000017C258F4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3500-17-0x00007FF8482A0000-0x00007FF848D62000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3500-18-0x00007FF8482A0000-0x00007FF848D62000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3500-19-0x00007FF8482A0000-0x00007FF848D62000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3500-14-0x0000017C258D0000-0x0000017C258FA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3500-13-0x00007FF8482A0000-0x00007FF848D62000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3500-12-0x00007FF8482A0000-0x00007FF848D62000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3500-0-0x00007FF8482A3000-0x00007FF8482A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3500-10-0x00007FF8482A0000-0x00007FF848D62000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3500-9-0x0000017C25700000-0x0000017C25722000-memory.dmp

    Filesize

    136KB

    Download