d7fe1e3c8d18c2f992dfad7fabfb8f9907786eaca269dbc73593801c7474bd13

Analysis

max time kernel
94s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GOLGAPORA.ps1
Size

1.1MB
MD5

603bffe09d8f6c58499a83212f5febac
SHA1

f6616cdfbe8b06b5ee4f95cfee0ed15b74b59466
SHA256

d7fe1e3c8d18c2f992dfad7fabfb8f9907786eaca269dbc73593801c7474bd13
SHA512

788b7cd546c4557fdbbab8a5048f62838106e592836a9616f19cf82759b6486207912f8787ddf5465a4d5ec4d567776cab701b2c1e5b63980c9245ee51884346
SSDEEP

12288:WViPI6z8ay43NxSz0kmLoL2xfZe0I8nU8ECxKFajP:iINi0kmLF5I8P

Score

10^/10

collection

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
107.182.129.168
Port:
21
Username:
ashgdhfg3
Password:
jfghfjgh545

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

jsc.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts jsc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1772 set thread context of 1664	1772	powershell.exe	jsc.exe
PID 1772 set thread context of 4744	1772	powershell.exe	caspol.exe
PID 1772 set thread context of 3588	1772	powershell.exe	Msbuild.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exedw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exedw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exejsc.exe

pid	process
1772	powershell.exe
1772	powershell.exe
1772	powershell.exe
1772	powershell.exe
1772	powershell.exe
1772	powershell.exe
1772	powershell.exe
1664	jsc.exe
1664	jsc.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exedw20.exedw20.exejsc.exe

description	pid	process
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeRestorePrivilege	208	dw20.exe
Token: SeBackupPrivilege	208	dw20.exe
Token: SeBackupPrivilege	208	dw20.exe
Token: SeBackupPrivilege	2516	dw20.exe
Token: SeBackupPrivilege	2516	dw20.exe
Token: SeBackupPrivilege	208	dw20.exe
Token: SeBackupPrivilege	208	dw20.exe
Token: SeDebugPrivilege	1664	jsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

jsc.exe

pid process

1664 jsc.exe

pid	process
1664	jsc.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

powershell.execaspol.exeMsbuild.execsc.execsc.exe

description	pid	process	target process
PID 1772 wrote to memory of 1664	1772	powershell.exe	jsc.exe
PID 1772 wrote to memory of 1664	1772	powershell.exe	jsc.exe
PID 1772 wrote to memory of 1664	1772	powershell.exe	jsc.exe
PID 1772 wrote to memory of 1664	1772	powershell.exe	jsc.exe
PID 1772 wrote to memory of 1664	1772	powershell.exe	jsc.exe
PID 1772 wrote to memory of 1664	1772	powershell.exe	jsc.exe
PID 1772 wrote to memory of 1664	1772	powershell.exe	jsc.exe
PID 1772 wrote to memory of 1664	1772	powershell.exe	jsc.exe
PID 1772 wrote to memory of 4744	1772	powershell.exe	caspol.exe
PID 1772 wrote to memory of 4744	1772	powershell.exe	caspol.exe
PID 1772 wrote to memory of 4744	1772	powershell.exe	caspol.exe
PID 1772 wrote to memory of 4744	1772	powershell.exe	caspol.exe
PID 1772 wrote to memory of 4744	1772	powershell.exe	caspol.exe
PID 1772 wrote to memory of 4744	1772	powershell.exe	caspol.exe
PID 1772 wrote to memory of 4744	1772	powershell.exe	caspol.exe
PID 1772 wrote to memory of 4744	1772	powershell.exe	caspol.exe
PID 1772 wrote to memory of 3588	1772	powershell.exe	Msbuild.exe
PID 1772 wrote to memory of 3588	1772	powershell.exe	Msbuild.exe
PID 1772 wrote to memory of 3588	1772	powershell.exe	Msbuild.exe
PID 1772 wrote to memory of 3588	1772	powershell.exe	Msbuild.exe
PID 1772 wrote to memory of 3588	1772	powershell.exe	Msbuild.exe
PID 1772 wrote to memory of 3588	1772	powershell.exe	Msbuild.exe
PID 1772 wrote to memory of 3588	1772	powershell.exe	Msbuild.exe
PID 1772 wrote to memory of 3588	1772	powershell.exe	Msbuild.exe
PID 4744 wrote to memory of 208	4744	caspol.exe	dw20.exe
PID 4744 wrote to memory of 208	4744	caspol.exe	dw20.exe
PID 4744 wrote to memory of 208	4744	caspol.exe	dw20.exe
PID 3588 wrote to memory of 2516	3588	Msbuild.exe	dw20.exe
PID 3588 wrote to memory of 2516	3588	Msbuild.exe	dw20.exe
PID 3588 wrote to memory of 2516	3588	Msbuild.exe	dw20.exe
PID 1772 wrote to memory of 2036	1772	powershell.exe	csc.exe
PID 1772 wrote to memory of 2036	1772	powershell.exe	csc.exe
PID 2036 wrote to memory of 1120	2036	csc.exe	cvtres.exe
PID 2036 wrote to memory of 1120	2036	csc.exe	cvtres.exe
PID 1772 wrote to memory of 3704	1772	powershell.exe	csc.exe
PID 1772 wrote to memory of 3704	1772	powershell.exe	csc.exe
PID 3704 wrote to memory of 4528	3704	csc.exe	cvtres.exe
PID 3704 wrote to memory of 4528	3704	csc.exe	cvtres.exe

outlook_office_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

outlook_win_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\GOLGAPORA.ps1
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
2⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 780
3⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 776
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\guas4yia\guas4yia.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6EE.tmp" "c:\Users\Admin\AppData\Local\Temp\guas4yia\CSCA75B7CE7DA6B4F4A9F346CEE2FE13919.TMP"
3⤵
PID:1120

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nxsi0v2b\nxsi0v2b.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC37F.tmp" "c:\Users\Admin\AppData\Local\Temp\nxsi0v2b\CSCCCA6F00BEDA249459F3C28CED5DD1E7.TMP"
3⤵
PID:4528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA6EE.tmp
Filesize
1KB

MD5
d5150f473af1bf46495eda787f0ff618

SHA1
54c249c2d9e56755158a1d11f7fd7ddb4cc8acbd

SHA256
655f4d19ed5c30150cc784c2d67b0020dc3fe4aa52ac8dfe76375f704372a267

SHA512
d0489215cfcff08266b660e1314e95a86bccf25f50984d34b1735f637ff3ac191082101ae5c7fbb7f505255b22296f0f92ef74e927615e42701247e419636e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC37F.tmp
Filesize
1KB

MD5
2ab9bc4233c3b35b7a996b1f5cb48b1d

SHA1
7002bdcf53647ada41813e203687537867539c23

SHA256
237ccc0478e9c60d1307f4a7d88b143bf10610655a83770cfed5047b8a823b9d

SHA512
fb72ae0b26279a9914de89a2526835378c0c5a0f247477fa68f0d2e26c0ef0e30d02bb663d57e56d027742e32df2015434ea32f9e5a0a26d685af63a0b100040

Download Submit
C:\Users\Admin\AppData\Local\Temp\guas4yia\guas4yia.dll
Filesize
3KB

MD5
3eeb0eef673e614d1bfe11750c3daaec

SHA1
0baea4e5fd3065ed31f3776510ba37e8db6baa1e

SHA256
2344b97d9338b224982da44caaafec61c47e70dc0f484bfae179836295db9544

SHA512
d3e9096b7fc9105335f64ade6dec5a2d7880a8c852079e99239528aaf139fb891321b9931313e589b06e99290197b0dc15b893bcf3d05d82eba358d3d1334861

Download Submit
C:\Users\Admin\AppData\Local\Temp\nxsi0v2b\nxsi0v2b.dll
Filesize
3KB

MD5
54f3289eda281dc267299103d89fcd91

SHA1
a5684274df4caafbd6aacabfaf62b601b98c1779

SHA256
7e05169e878ec3c6e98977d4e9da4b2a13a591d1c092ffc7362af242b867b0af

SHA512
1fb7c390856896aad9c213708383b3df1aa76ff36342f7b9e94295531d2f92f63b1417e1b1310b5aa9577545728d2f5b150b5b929f6a671ac57463588d37b3da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\guas4yia\CSCA75B7CE7DA6B4F4A9F346CEE2FE13919.TMP
Filesize
652B

MD5
4cd00718d33c0004f561b44d4fcb800f

SHA1
7a8dfb05f86a559041b8bef5fb3c64f2953a113d

SHA256
53e7cd1717b98f5ad176c0cca3e6a3e2cfb662ff43cfa2421b3027b7de2bc091

SHA512
7fa611438896de622006ebfd3a843bb4823b6d5c9dba2b49c15da6409dd7d93d649f2dbd592d5212294f318402ecbcb99a2d8cbda21d3bf0a8b5a66a8ad15033

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\guas4yia\guas4yia.0.cs
Filesize
424B

MD5
d05db7ca65c16470a87f4c4007e9e026

SHA1
ab4a5e6b4fbc331c345d88c39239f003f8dd3da7

SHA256
c1412a0d2269b59df9d6b003b2f82f9479040dae4c4e12629db5845a6ac4c960

SHA512
825d664f3df2ad4ef8b1e501e6a99aaae7d54db59b9308c34ad3d64b07a6792412beded53919ea8bf9e137f4a7e8aa7ac388a036ab256a1cce201a208ef311cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\guas4yia\guas4yia.cmdline
Filesize
369B

MD5
9223eb4acb151325068de125902530a8

SHA1
c1fcbf9f6964c0459061a75afc2dc229c6290e57

SHA256
5b2aee94c66db0ce3db7e6c48eef693f974cba1e1ef23391c256370dc2b9866d

SHA512
4d7b4a108388696869bdff19b059575abd7ce33d79663e1d5a8588e72506e359b2bacacd3377c1cb1d50e585e7db3b184b791c406d9b64784193d42c5d204a97

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nxsi0v2b\CSCCCA6F00BEDA249459F3C28CED5DD1E7.TMP
Filesize
652B

MD5
3b037bbccc99bf336100031cc53e7116

SHA1
48f181605f3a0489589972153e5507661f8ebcd2

SHA256
9f744deb057ebca01299d5b39c849f5223a2bc8b3555b5dfa92326f67a14d7c2

SHA512
92801c6e7bf83899f86b17b359bcbd055c151987bea03ccf64c392d21d65e2b1577dfb50bd82f0e7a89c5c0e93e202fe84541f88d75dc909020ffe56710c5620

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nxsi0v2b\nxsi0v2b.0.cs
Filesize
424B

MD5
5b0a710c68952a280e3737f249a789bb

SHA1
cfd4349b3ebe8232b342fa6667e63d8027fcd26b

SHA256
32781e50bffd54bf50e075fc3c5fea9bf02030c8aeb34344cf15592d702973ad

SHA512
37efadb9ecade74d0f57bf0c5f5ff254203f952a7b54443433dadbc1e720d294ac6e3694a016520b99747a9856dc523d8a901f209285dba53863dd2e3e64e8ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nxsi0v2b\nxsi0v2b.cmdline
Filesize
369B

MD5
8538aa851ce5fe4f5f3ece4846816329

SHA1
d8f9c9fe1b5937f1a943e7dda3531948bbc8418a

SHA256
63b1660e9a50f5024d3118b5812a162b133908479fec2b88dd22f188bf61617c

SHA512
ce4a9b728ad3a998ab9b5f8c4bf34e005e5f8d7d24cd124e1ce514e120772a6b154cca5f89fff7f2150137d70c2e21be25322ef626c16000ec179dad6a4abe93

Download Submit
memory/208-141-0x0000000000000000-mapping.dmp

Download
memory/1120-156-0x0000000000000000-mapping.dmp

Download
memory/1664-146-0x0000000005770000-0x000000000580C000-memory.dmp

Filesize
624KB

Download
memory/1664-147-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/1664-148-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/1664-144-0x0000000005D20000-0x00000000062C4000-memory.dmp

Filesize
5.6MB

Download
memory/1664-151-0x0000000006AE0000-0x0000000006B30000-memory.dmp

Filesize
320KB

Download
memory/1664-152-0x0000000006FA0000-0x0000000006FAA000-memory.dmp

Filesize
40KB

Download
memory/1664-136-0x000000000047DA9E-mapping.dmp

Download
memory/1664-135-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1772-132-0x0000026961AF0000-0x0000026961B12000-memory.dmp

Filesize
136KB

Download
memory/1772-167-0x00007FFC2EB10000-0x00007FFC2F5D1000-memory.dmp

Filesize
10.8MB

Download
memory/1772-134-0x00007FFC2EB10000-0x00007FFC2F5D1000-memory.dmp

Filesize
10.8MB

Download
memory/1772-133-0x00007FFC2EB10000-0x00007FFC2F5D1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-153-0x0000000000000000-mapping.dmp

Download
memory/2516-142-0x0000000000000000-mapping.dmp

Download
memory/3588-149-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/3588-143-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/3588-140-0x000000000047DA9E-mapping.dmp

Download
memory/3704-160-0x0000000000000000-mapping.dmp

Download
memory/4528-163-0x0000000000000000-mapping.dmp

Download
memory/4744-150-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-145-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-138-0x000000000047DA9E-mapping.dmp

Download