Overview

overview

8

Static

static

3

Qt5Concurrent.dll

windows7-x64

1

Qt5Concurrent.dll

windows10-2004-x64

8

Qt5Core.dll

windows7-x64

1

Qt5Core.dll

windows10-2004-x64

1

main.exe

windows7-x64

1

main.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    92s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2025, 10:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    main.exe

  • Size

    31.4MB

  • MD5

    0e440a5f80e0be433a3d50b4baa4cedd

  • SHA1

    40834f0f9d6a4ab3f055f19d9515e0a5077e96c4

  • SHA256

    f192bbf42dcf83453ec863030a9de029a903e7824ef584d828ee5db5b59f6c06

  • SHA512

    b05eddbadfc43fe7867474f77a71a6437e79af925d8e92154b424a2d5b2ab9c78d6ca9a18ac6623700274c8e15503268f2f0e9b3d634b8c497d88b499ac3aabd

  • SSDEEP

    393216:qQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mg096l+ZArYsFRlR:q3on1HvSzxAMN0FZArYsJ

Score
5/10
discoveryexecution

Malware Config

Signatures

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get model"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3300
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic diskdrive get model
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4260
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4480
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-WmiObject Win32_PortConnector""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4860
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-WmiObject Win32_PortConnector"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0soazc4b.fpv.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3588-3-0x0000014D2D6A0000-0x0000014D2D6C2000-memory.dmp

    Filesize

    136KB

    Download