33e45ddb990c72ac719f1fad9f17b15201bd8c508b9a50d67c42c84d169c8e40

Analysis

max time kernel
36s
max time network
33s
platform
windows7_x64
resource
win7-20220812-es
resource tags

arch:x64arch:x86image:win7-20220812-eslocale:es-esos:windows7-x64systemwindows
submitted
31-01-2023 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Generar.cmd
Size

20KB
MD5

790fe7db1e293a9b7697a7ad80b24477
SHA1

393a2697ab0056dc0e25411084b1f37c344f6922
SHA256

33e45ddb990c72ac719f1fad9f17b15201bd8c508b9a50d67c42c84d169c8e40
SHA512

5d407b9116be6427eaadd41c587ccdc1f5ba3051b532ed016a0847373dc080b8d9f0a86e8e1d761b9b296250dd4648b1e20cfbcf8abd5007e1948b55d8512991
SSDEEP

192:BHzSSRPDl5qn9EgdIgGKEom9zPNJYQYEoy3YOiNawJ3LSsyTkCPcv:1/C9vw/ejmQOFkCPcv

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData?audienceFFN=492350f6-3a01-4f97-b9c0-c7c6ddf67d60

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData?audienceFFN=492350f6-3a01-4f97-b9c0-c7c6ddf67d60&osver=Client|6.1.0

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	1488	powershell.exe
5	1488	powershell.exe
7	884	powershell.exe
8	884	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1488	powershell.exe
884	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1488	1572	cmd.exe	29
PID 1572 wrote to memory of 1488	1572	cmd.exe	29
PID 1572 wrote to memory of 1488	1572	cmd.exe	29
PID 1572 wrote to memory of 884	1572	cmd.exe	30
PID 1572 wrote to memory of 884	1572	cmd.exe	30
PID 1572 wrote to memory of 884	1572	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Generar.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -ep bypass -c "(New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData?audienceFFN=492350f6-3a01-4f97-b9c0-c7c6ddf67d60','C2R0.json')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -ep bypass -c "(New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData?audienceFFN=492350f6-3a01-4f97-b9c0-c7c6ddf67d60&osver=Client|6.1.0','C2R7.json')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ee7ad0aff36cb8f54ed114798219f57d

SHA1
db1f25175e0b296f19894ae1829c6850b735ca59

SHA256
02f5c813d301dc3d9a73d1be0f55f8933753bd93e6ab6e616f2b83a01d67b17a

SHA512
5afa3b6ebbed05f6218a0077e2a274eec219eeb60d3a47611cd05c3aa7ab54b86c7687f19d72bf748980a7cf538bd6f55a84c2076e30b4c4f973d40c0da1de03

Download Submit
memory/884-72-0x00000000022CB000-0x00000000022EA000-memory.dmp

Filesize
124KB

Download
memory/884-71-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/884-70-0x00000000022CB000-0x00000000022EA000-memory.dmp

Filesize
124KB

Download
memory/884-69-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/884-68-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/884-67-0x000007FEF34C0000-0x000007FEF401D000-memory.dmp

Filesize
11.4MB

Download
memory/884-66-0x000007FEF4020000-0x000007FEF4A43000-memory.dmp

Filesize
10.1MB

Download
memory/1488-58-0x000007FEF2B20000-0x000007FEF367D000-memory.dmp

Filesize
11.4MB

Download
memory/1488-62-0x000000000252B000-0x000000000254A000-memory.dmp

Filesize
124KB

Download
memory/1488-61-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/1488-60-0x000000000252B000-0x000000000254A000-memory.dmp

Filesize
124KB

Download
memory/1488-59-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/1488-57-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/1488-56-0x000007FEF3680000-0x000007FEF40A3000-memory.dmp

Filesize
10.1MB

Download
memory/1488-55-0x000007FEFBC21000-0x000007FEFBC23000-memory.dmp

Filesize
8KB

Download