Analysis
- max time kernel: 94s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 06:24
Static task: static1
Behavioral task: behavioral1
  Sample: GOLGAPORA.ps1
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: GOLGAPORA.ps1
  Resource: win10v2004-20220901-en
General
- Target: GOLGAPORA.ps1
- Size: 1.1MB
- MD5: 603bffe09d8f6c58499a83212f5febac
- SHA1: f6616cdfbe8b06b5ee4f95cfee0ed15b74b59466
- SHA256: d7fe1e3c8d18c2f992dfad7fabfb8f9907786eaca269dbc73593801c7474bd13
- SHA512: 788b7cd546c4557fdbbab8a5048f62838106e592836a9616f19cf82759b6486207912f8787ddf5465a4d5ec4d567776cab701b2c1e5b63980c9245ee51884346
- SSDEEP: 12288:WViPI6z8ay43NxSz0kmLoL2xfZe0I8nU8ECxKFajP:iINi0kmLF5I8P
Malware Config
Extracted
- Protocol: ftp
- Host: 107.182.129.168
- Port: 21
- Username: ashgdhfg3
- Password: jfghfjgh545
Signatures
- Drops file in Drivers directory (1 IoC)
  Processes: jsc.exe
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | jsc.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: jsc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: powershell.exe
  description | pid | process | target process
  PID 1772 set thread context of 1664 | 1772 | powershell.exe | jsc.exe
  PID 1772 set thread context of 4744 | 1772 | powershell.exe | caspol.exe
  PID 1772 set thread context of 3588 | 1772 | powershell.exe | Msbuild.exe
- Drops file in Windows directory (1 IoC)
  Processes: dw20.exe
  description | ioc | process
  File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: dw20.exe, dw20.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
- Enumerates system info in registry (2 TTPs, 4 IoCs)
  Processes: dw20.exe, dw20.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes: powershell.exe, jsc.exe
  pid | process | count
  1772 | powershell.exe | 7
  1664 | jsc.exe | 2
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes: powershell.exe, dw20.exe, dw20.exe, jsc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1772 | powershell.exe
  Token: SeRestorePrivilege | 208 | dw20.exe
  Token: SeBackupPrivilege | 208 | dw20.exe
  Token: SeBackupPrivilege | 208 | dw20.exe
  Token: SeBackupPrivilege | 2516 | dw20.exe
  Token: SeBackupPrivilege | 2516 | dw20.exe
  Token: SeBackupPrivilege | 208 | dw20.exe
  Token: SeBackupPrivilege | 208 | dw20.exe
  Token: SeDebugPrivilege | 1664 | jsc.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: jsc.exe
  pid | process
  1664 | jsc.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes: powershell.exe, caspol.exe, Msbuild.exe, csc.exe, csc.exe
  description | pid | process | target process | count
  PID 1772 wrote to memory of 1664 | 1772 | powershell.exe | jsc.exe | 8
  PID 1772 wrote to memory of 4744 | 1772 | powershell.exe | caspol.exe | 8
  PID 1772 wrote to memory of 3588 | 1772 | powershell.exe | Msbuild.exe | 8
  PID 4744 wrote to memory of 208 | 4744 | caspol.exe | dw20.exe | 3
  PID 3588 wrote to memory of 2516 | 3588 | Msbuild.exe | dw20.exe | 3
  PID 1772 wrote to memory of 2036 | 1772 | powershell.exe | csc.exe | 2
  PID 2036 wrote to memory of 1120 | 2036 | csc.exe | cvtres.exe | 2
  PID 1772 wrote to memory of 3704 | 1772 | powershell.exe | csc.exe | 2
  PID 3704 wrote to memory of 4528 | 3704 | csc.exe | cvtres.exe | 2
- outlook_office_path (1 IoC)
  Processes: jsc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
- outlook_win_path (1 IoC)
  Processes: jsc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Processes
- (depth 1) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\GOLGAPORA.ps1
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
  - (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 780
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
  - (depth 2) C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 776
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
  - (depth 2) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\guas4yia\guas4yia.cmdline"
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6EE.tmp" "c:\Users\Admin\AppData\Local\Temp\guas4yia\CSCA75B7CE7DA6B4F4A9F346CEE2FE13919.TMP"
  - (depth 2) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nxsi0v2b\nxsi0v2b.cmdline"
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC37F.tmp" "c:\Users\Admin\AppData\Local\Temp\nxsi0v2b\CSCCCA6F00BEDA249459F3C28CED5DD1E7.TMP"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESA6EE.tmp
  Filesize: 1KB
  MD5: d5150f473af1bf46495eda787f0ff618
  SHA1: 54c249c2d9e56755158a1d11f7fd7ddb4cc8acbd
  SHA256: 655f4d19ed5c30150cc784c2d67b0020dc3fe4aa52ac8dfe76375f704372a267
  SHA512: d0489215cfcff08266b660e1314e95a86bccf25f50984d34b1735f637ff3ac191082101ae5c7fbb7f505255b22296f0f92ef74e927615e42701247e419636e34
- C:\Users\Admin\AppData\Local\Temp\RESC37F.tmp
  Filesize: 1KB
  MD5: 2ab9bc4233c3b35b7a996b1f5cb48b1d
  SHA1: 7002bdcf53647ada41813e203687537867539c23
  SHA256: 237ccc0478e9c60d1307f4a7d88b143bf10610655a83770cfed5047b8a823b9d
  SHA512: fb72ae0b26279a9914de89a2526835378c0c5a0f247477fa68f0d2e26c0ef0e30d02bb663d57e56d027742e32df2015434ea32f9e5a0a26d685af63a0b100040
- C:\Users\Admin\AppData\Local\Temp\guas4yia\guas4yia.dll
  Filesize: 3KB
  MD5: 3eeb0eef673e614d1bfe11750c3daaec
  SHA1: 0baea4e5fd3065ed31f3776510ba37e8db6baa1e
  SHA256: 2344b97d9338b224982da44caaafec61c47e70dc0f484bfae179836295db9544
  SHA512: d3e9096b7fc9105335f64ade6dec5a2d7880a8c852079e99239528aaf139fb891321b9931313e589b06e99290197b0dc15b893bcf3d05d82eba358d3d1334861
- C:\Users\Admin\AppData\Local\Temp\nxsi0v2b\nxsi0v2b.dll
  Filesize: 3KB
  MD5: 54f3289eda281dc267299103d89fcd91
  SHA1: a5684274df4caafbd6aacabfaf62b601b98c1779
  SHA256: 7e05169e878ec3c6e98977d4e9da4b2a13a591d1c092ffc7362af242b867b0af
  SHA512: 1fb7c390856896aad9c213708383b3df1aa76ff36342f7b9e94295531d2f92f63b1417e1b1310b5aa9577545728d2f5b150b5b929f6a671ac57463588d37b3da
- \??\c:\Users\Admin\AppData\Local\Temp\guas4yia\CSCA75B7CE7DA6B4F4A9F346CEE2FE13919.TMP
  Filesize: 652B
  MD5: 4cd00718d33c0004f561b44d4fcb800f
  SHA1: 7a8dfb05f86a559041b8bef5fb3c64f2953a113d
  SHA256: 53e7cd1717b98f5ad176c0cca3e6a3e2cfb662ff43cfa2421b3027b7de2bc091
  SHA512: 7fa611438896de622006ebfd3a843bb4823b6d5c9dba2b49c15da6409dd7d93d649f2dbd592d5212294f318402ecbcb99a2d8cbda21d3bf0a8b5a66a8ad15033
- \??\c:\Users\Admin\AppData\Local\Temp\guas4yia\guas4yia.0.cs
  Filesize: 424B
  MD5: d05db7ca65c16470a87f4c4007e9e026
  SHA1: ab4a5e6b4fbc331c345d88c39239f003f8dd3da7
  SHA256: c1412a0d2269b59df9d6b003b2f82f9479040dae4c4e12629db5845a6ac4c960
  SHA512: 825d664f3df2ad4ef8b1e501e6a99aaae7d54db59b9308c34ad3d64b07a6792412beded53919ea8bf9e137f4a7e8aa7ac388a036ab256a1cce201a208ef311cb
- \??\c:\Users\Admin\AppData\Local\Temp\guas4yia\guas4yia.cmdline
  Filesize: 369B
  MD5: 9223eb4acb151325068de125902530a8
  SHA1: c1fcbf9f6964c0459061a75afc2dc229c6290e57
  SHA256: 5b2aee94c66db0ce3db7e6c48eef693f974cba1e1ef23391c256370dc2b9866d
  SHA512: 4d7b4a108388696869bdff19b059575abd7ce33d79663e1d5a8588e72506e359b2bacacd3377c1cb1d50e585e7db3b184b791c406d9b64784193d42c5d204a97
- \??\c:\Users\Admin\AppData\Local\Temp\nxsi0v2b\CSCCCA6F00BEDA249459F3C28CED5DD1E7.TMP
  Filesize: 652B
  MD5: 3b037bbccc99bf336100031cc53e7116
  SHA1: 48f181605f3a0489589972153e5507661f8ebcd2
  SHA256: 9f744deb057ebca01299d5b39c849f5223a2bc8b3555b5dfa92326f67a14d7c2
  SHA512: 92801c6e7bf83899f86b17b359bcbd055c151987bea03ccf64c392d21d65e2b1577dfb50bd82f0e7a89c5c0e93e202fe84541f88d75dc909020ffe56710c5620
- \??\c:\Users\Admin\AppData\Local\Temp\nxsi0v2b\nxsi0v2b.0.cs
  Filesize: 424B
  MD5: 5b0a710c68952a280e3737f249a789bb
  SHA1: cfd4349b3ebe8232b342fa6667e63d8027fcd26b
  SHA256: 32781e50bffd54bf50e075fc3c5fea9bf02030c8aeb34344cf15592d702973ad
  SHA512: 37efadb9ecade74d0f57bf0c5f5ff254203f952a7b54443433dadbc1e720d294ac6e3694a016520b99747a9856dc523d8a901f209285dba53863dd2e3e64e8ad
- \??\c:\Users\Admin\AppData\Local\Temp\nxsi0v2b\nxsi0v2b.cmdline
  Filesize: 369B
  MD5: 8538aa851ce5fe4f5f3ece4846816329
  SHA1: d8f9c9fe1b5937f1a943e7dda3531948bbc8418a
  SHA256: 63b1660e9a50f5024d3118b5812a162b133908479fec2b88dd22f188bf61617c
  SHA512: ce4a9b728ad3a998ab9b5f8c4bf34e005e5f8d7d24cd124e1ce514e120772a6b154cca5f89fff7f2150137d70c2e21be25322ef626c16000ec179dad6a4abe93
- memory/208-141-0x0000000000000000-mapping.dmp
- memory/1120-156-0x0000000000000000-mapping.dmp
- memory/1664-146-0x0000000005770000-0x000000000580C000-memory.dmp (Filesize: 624KB)
- memory/1664-147-0x0000000005810000-0x00000000058A2000-memory.dmp (Filesize: 584KB)
- memory/1664-148-0x00000000056D0000-0x0000000005736000-memory.dmp (Filesize: 408KB)
- memory/1664-144-0x0000000005D20000-0x00000000062C4000-memory.dmp (Filesize: 5.6MB)
- memory/1664-151-0x0000000006AE0000-0x0000000006B30000-memory.dmp (Filesize: 320KB)
- memory/1664-152-0x0000000006FA0000-0x0000000006FAA000-memory.dmp (Filesize: 40KB)
- memory/1664-136-0x000000000047DA9E-mapping.dmp
- memory/1664-135-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize: 520KB)
- memory/1772-132-0x0000026961AF0000-0x0000026961B12000-memory.dmp (Filesize: 136KB)
- memory/1772-167-0x00007FFC2EB10000-0x00007FFC2F5D1000-memory.dmp (Filesize: 10.8MB)
- memory/1772-134-0x00007FFC2EB10000-0x00007FFC2F5D1000-memory.dmp (Filesize: 10.8MB)
- memory/1772-133-0x00007FFC2EB10000-0x00007FFC2F5D1000-memory.dmp (Filesize: 10.8MB)
- memory/2036-153-0x0000000000000000-mapping.dmp
- memory/2516-142-0x0000000000000000-mapping.dmp
- memory/3588-149-0x0000000074840000-0x0000000074DF1000-memory.dmp (Filesize: 5.7MB)
- memory/3588-143-0x0000000074840000-0x0000000074DF1000-memory.dmp (Filesize: 5.7MB)
- memory/3588-140-0x000000000047DA9E-mapping.dmp
- memory/3704-160-0x0000000000000000-mapping.dmp
- memory/4528-163-0x0000000000000000-mapping.dmp
- memory/4744-150-0x0000000074840000-0x0000000074DF1000-memory.dmp (Filesize: 5.7MB)
- memory/4744-145-0x0000000074840000-0x0000000074DF1000-memory.dmp (Filesize: 5.7MB)
- memory/4744-138-0x000000000047DA9E-mapping.dmp