444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da.exe
Size

186KB
MD5

6eafc14c149327e90099492a38f19563
SHA1

2749d75cf4adbeb2d6a69234d25bbc4816549085
SHA256

444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da
SHA512

24b84a02a56840acfa323f88575022f4c458ac6409de24d50762ebbf16c8684a54675f389e6f3b4a50237d84f590c1f5461b5d298d1f6f5b27137f704482d168
SSDEEP

3072:EAFHdppuOf+wMSHjnywM0vY9t8Qkh+nS8Y9:tFPMOf+wMAywM0EJksnSl9

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1145879417403494511/XvdwF1kDtpo6uVnirQlo7LEYYnolBJqCZ9jMnYemcfKqVdVQz3R6WTssixblc5eR1xY4

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1145879417403494511/XvdwF1kDtpo6uVnirQlo7LEYYnolBJqCZ9jMnYemcfKqVdVQz3R6WTssixblc5eR1xY4

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1936	timeout.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2400	NETSTAT.EXE
1476	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
464	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2608	powershell.exe
2016	powershell.exe
2296	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeIncreaseQuotaPrivilege	2532	WMIC.exe
Token: SeSecurityPrivilege	2532	WMIC.exe
Token: SeTakeOwnershipPrivilege	2532	WMIC.exe
Token: SeLoadDriverPrivilege	2532	WMIC.exe
Token: SeSystemProfilePrivilege	2532	WMIC.exe
Token: SeSystemtimePrivilege	2532	WMIC.exe
Token: SeProfSingleProcessPrivilege	2532	WMIC.exe
Token: SeIncBasePriorityPrivilege	2532	WMIC.exe
Token: SeCreatePagefilePrivilege	2532	WMIC.exe
Token: SeBackupPrivilege	2532	WMIC.exe
Token: SeRestorePrivilege	2532	WMIC.exe
Token: SeShutdownPrivilege	2532	WMIC.exe
Token: SeDebugPrivilege	2532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2532	WMIC.exe
Token: SeRemoteShutdownPrivilege	2532	WMIC.exe
Token: SeUndockPrivilege	2532	WMIC.exe
Token: SeManageVolumePrivilege	2532	WMIC.exe
Token: 33	2532	WMIC.exe
Token: 34	2532	WMIC.exe
Token: 35	2532	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2532	WMIC.exe
Token: SeSecurityPrivilege	2532	WMIC.exe
Token: SeTakeOwnershipPrivilege	2532	WMIC.exe
Token: SeLoadDriverPrivilege	2532	WMIC.exe
Token: SeSystemProfilePrivilege	2532	WMIC.exe
Token: SeSystemtimePrivilege	2532	WMIC.exe
Token: SeProfSingleProcessPrivilege	2532	WMIC.exe
Token: SeIncBasePriorityPrivilege	2532	WMIC.exe
Token: SeCreatePagefilePrivilege	2532	WMIC.exe
Token: SeBackupPrivilege	2532	WMIC.exe
Token: SeRestorePrivilege	2532	WMIC.exe
Token: SeShutdownPrivilege	2532	WMIC.exe
Token: SeDebugPrivilege	2532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2532	WMIC.exe
Token: SeRemoteShutdownPrivilege	2532	WMIC.exe
Token: SeUndockPrivilege	2532	WMIC.exe
Token: SeManageVolumePrivilege	2532	WMIC.exe
Token: 33	2532	WMIC.exe
Token: 34	2532	WMIC.exe
Token: 35	2532	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2528	WMIC.exe
Token: SeSecurityPrivilege	2528	WMIC.exe
Token: SeTakeOwnershipPrivilege	2528	WMIC.exe
Token: SeLoadDriverPrivilege	2528	WMIC.exe
Token: SeSystemProfilePrivilege	2528	WMIC.exe
Token: SeSystemtimePrivilege	2528	WMIC.exe
Token: SeProfSingleProcessPrivilege	2528	WMIC.exe
Token: SeIncBasePriorityPrivilege	2528	WMIC.exe
Token: SeCreatePagefilePrivilege	2528	WMIC.exe
Token: SeBackupPrivilege	2528	WMIC.exe
Token: SeRestorePrivilege	2528	WMIC.exe
Token: SeShutdownPrivilege	2528	WMIC.exe
Token: SeDebugPrivilege	2528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2528	WMIC.exe
Token: SeRemoteShutdownPrivilege	2528	WMIC.exe
Token: SeUndockPrivilege	2528	WMIC.exe
Token: SeManageVolumePrivilege	2528	WMIC.exe
Token: 33	2528	WMIC.exe
Token: 34	2528	WMIC.exe
Token: 35	2528	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2528	WMIC.exe
Token: SeSecurityPrivilege	2528	WMIC.exe
Token: SeTakeOwnershipPrivilege	2528	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2016	powershell.exe
2016	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 3040	2300	444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da.exe	28
PID 2300 wrote to memory of 3040	2300	444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da.exe	28
PID 2300 wrote to memory of 3040	2300	444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da.exe	28
PID 2300 wrote to memory of 3040	2300	444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da.exe	28
PID 3040 wrote to memory of 2784	3040	cmd.exe	30
PID 3040 wrote to memory of 2784	3040	cmd.exe	30
PID 3040 wrote to memory of 2784	3040	cmd.exe	30
PID 3040 wrote to memory of 2784	3040	cmd.exe	30
PID 2784 wrote to memory of 2748	2784	net.exe	31
PID 2784 wrote to memory of 2748	2784	net.exe	31
PID 2784 wrote to memory of 2748	2784	net.exe	31
PID 2784 wrote to memory of 2748	2784	net.exe	31
PID 3040 wrote to memory of 2608	3040	cmd.exe	32
PID 3040 wrote to memory of 2608	3040	cmd.exe	32
PID 3040 wrote to memory of 2608	3040	cmd.exe	32
PID 3040 wrote to memory of 2608	3040	cmd.exe	32
PID 3040 wrote to memory of 2532	3040	cmd.exe	33
PID 3040 wrote to memory of 2532	3040	cmd.exe	33
PID 3040 wrote to memory of 2532	3040	cmd.exe	33
PID 3040 wrote to memory of 2532	3040	cmd.exe	33
PID 3040 wrote to memory of 2528	3040	cmd.exe	35
PID 3040 wrote to memory of 2528	3040	cmd.exe	35
PID 3040 wrote to memory of 2528	3040	cmd.exe	35
PID 3040 wrote to memory of 2528	3040	cmd.exe	35
PID 3040 wrote to memory of 1964	3040	cmd.exe	36
PID 3040 wrote to memory of 1964	3040	cmd.exe	36
PID 3040 wrote to memory of 1964	3040	cmd.exe	36
PID 3040 wrote to memory of 1964	3040	cmd.exe	36
PID 3040 wrote to memory of 464	3040	cmd.exe	37
PID 3040 wrote to memory of 464	3040	cmd.exe	37
PID 3040 wrote to memory of 464	3040	cmd.exe	37
PID 3040 wrote to memory of 464	3040	cmd.exe	37
PID 3040 wrote to memory of 2552	3040	cmd.exe	39
PID 3040 wrote to memory of 2552	3040	cmd.exe	39
PID 3040 wrote to memory of 2552	3040	cmd.exe	39
PID 3040 wrote to memory of 2552	3040	cmd.exe	39
PID 3040 wrote to memory of 2712	3040	cmd.exe	40
PID 3040 wrote to memory of 2712	3040	cmd.exe	40
PID 3040 wrote to memory of 2712	3040	cmd.exe	40
PID 3040 wrote to memory of 2712	3040	cmd.exe	40
PID 2712 wrote to memory of 2584	2712	cmd.exe	41
PID 2712 wrote to memory of 2584	2712	cmd.exe	41
PID 2712 wrote to memory of 2584	2712	cmd.exe	41
PID 2712 wrote to memory of 2584	2712	cmd.exe	41
PID 3040 wrote to memory of 1476	3040	cmd.exe	42
PID 3040 wrote to memory of 1476	3040	cmd.exe	42
PID 3040 wrote to memory of 1476	3040	cmd.exe	42
PID 3040 wrote to memory of 1476	3040	cmd.exe	42
PID 3040 wrote to memory of 2400	3040	cmd.exe	43
PID 3040 wrote to memory of 2400	3040	cmd.exe	43
PID 3040 wrote to memory of 2400	3040	cmd.exe	43
PID 3040 wrote to memory of 2400	3040	cmd.exe	43
PID 3040 wrote to memory of 1936	3040	cmd.exe	44
PID 3040 wrote to memory of 1936	3040	cmd.exe	44
PID 3040 wrote to memory of 1936	3040	cmd.exe	44
PID 3040 wrote to memory of 1936	3040	cmd.exe	44
PID 3040 wrote to memory of 2016	3040	cmd.exe	45
PID 3040 wrote to memory of 2016	3040	cmd.exe	45
PID 3040 wrote to memory of 2016	3040	cmd.exe	45
PID 3040 wrote to memory of 2016	3040	cmd.exe	45
PID 3040 wrote to memory of 2296	3040	cmd.exe	46
PID 3040 wrote to memory of 2296	3040	cmd.exe	46
PID 3040 wrote to memory of 2296	3040	cmd.exe	46
PID 3040 wrote to memory of 2296	3040	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da.exe
"C:\Users\Admin\AppData\Local\Temp\444113051cce66297688bf565a9c1548b846578c39c974552bf682ab4c6179da.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS6E9B.tmp\BackUp.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:2748
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\AppData\Local\Temp\programms.txt "
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic diskdrive get size
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:464
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh wlan show profile
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      PID:2584
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1476
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - Gathers network information
    PID:2400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\test.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2016
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\testtttt.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS6E9B.tmp\BackUp.bat

Filesize
18KB

MD5
5b0b01a5c8905aaff5038a38c476e2e6

SHA1
8736d82ba9e574b9d0d021af0a0c70afed88b5f4

SHA256
592efd09ab36e711e42aea5ecf0d79ee6ae19cfa57c67a5bcac4966e27304f66

SHA512
769f1f6ebd76769f492a16888433ffacbdfb8092d43219345d11b7bb33eb8804a816c1bff85c18153f253e3c37a84e6826cfbf8596250ea0437e33ee1f389252

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E9B.tmp\BackUp.bat

Filesize
18KB

MD5
5b0b01a5c8905aaff5038a38c476e2e6

SHA1
8736d82ba9e574b9d0d021af0a0c70afed88b5f4

SHA256
592efd09ab36e711e42aea5ecf0d79ee6ae19cfa57c67a5bcac4966e27304f66

SHA512
769f1f6ebd76769f492a16888433ffacbdfb8092d43219345d11b7bb33eb8804a816c1bff85c18153f253e3c37a84e6826cfbf8596250ea0437e33ee1f389252

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.ps1

Filesize
1KB

MD5
98885f143a81832fafc5178f35f281e9

SHA1
f19b14a9ae66bb753fe7da9ace44e730256fc1f0

SHA256
7889d454a12240f888967317e25ee924d411f6c42dba60aedfdfb28e8f116f19

SHA512
025c5cc20f78e440799ca4a80e9f3c98f5bed4dddbc1dcf60d6dc321538d44a8864988deadf8cf3dd054b94c9e7a17e3d9bb32195e0861694f16e16c9354400e

Download Submit
C:\Users\Admin\AppData\Local\Temp\testtttt.ps1

Filesize
2KB

MD5
68c06b1d0f019676745e95c7f024466b

SHA1
e1656851b1540b68e046de8cd2cf421fd3a5213a

SHA256
e14ddd639eae7e4a5e81524cf6f29f1d619cbdaf3e6db956d6ccf07054df36ec

SHA512
71de38b8ba1671d10a4baa232c055e9467c7a06493f359e0baa26b6da66a0b02dde6b257ca27575b66ce529bceab1b99683a7a5a4caa67da7a2e1f7006224826

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LXXK5OY2D1F59LQD1MR8.temp

Filesize
7KB

MD5
28f5d1a4abcb38e96ee47e69be1dafc6

SHA1
ab1c95c8d5dfb32e07626cedaa408bc88aa64e9e

SHA256
bc87fe7c0ee520746194b276fcca43cf4f0b0c998c7de6d37a8558c92c053b4e

SHA512
23c93c1faf6d6c8802ba1ff8194ddf85bc9a68b7ee9ba522ef4d483fbfefe0b5d8394ab472cc97bb34098591f72d4649f47491696b772092299ff1a649626b7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
28f5d1a4abcb38e96ee47e69be1dafc6

SHA1
ab1c95c8d5dfb32e07626cedaa408bc88aa64e9e

SHA256
bc87fe7c0ee520746194b276fcca43cf4f0b0c998c7de6d37a8558c92c053b4e

SHA512
23c93c1faf6d6c8802ba1ff8194ddf85bc9a68b7ee9ba522ef4d483fbfefe0b5d8394ab472cc97bb34098591f72d4649f47491696b772092299ff1a649626b7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
28f5d1a4abcb38e96ee47e69be1dafc6

SHA1
ab1c95c8d5dfb32e07626cedaa408bc88aa64e9e

SHA256
bc87fe7c0ee520746194b276fcca43cf4f0b0c998c7de6d37a8558c92c053b4e

SHA512
23c93c1faf6d6c8802ba1ff8194ddf85bc9a68b7ee9ba522ef4d483fbfefe0b5d8394ab472cc97bb34098591f72d4649f47491696b772092299ff1a649626b7a

Download Submit
memory/2016-63-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/2016-64-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/2016-66-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/2296-129-0x0000000073560000-0x0000000073B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-130-0x0000000073560000-0x0000000073B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-131-0x0000000002380000-0x00000000023C0000-memory.dmp

Filesize
256KB

Download
memory/2296-133-0x0000000073560000-0x0000000073B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-22-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-20-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/2608-19-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-18-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download