Analysis
-
max time kernel
0s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
28-12-2023 22:53
General
-
Target
fe196add855b16dc1b8e80729610a4e0.exe
-
Size
3.6MB
-
MD5
fe196add855b16dc1b8e80729610a4e0
-
SHA1
f44efb48cda5958e5603b36d1a59709a847fc0e7
-
SHA256
1545645f6c5ecc9f14ee924de8ad3dea051e24a8fca9b34beedf958cae0c1b90
-
SHA512
78285eb98cefe794720d198509e4ccacfead6546dd0d70594bc137a41c99b6db2d8f5db1a5b674283396165b5fda7a970d34dff376dead59ba67c5e583e2075a
-
SSDEEP
98304:qGk6+Wzyy2Js1c8YlQvtGSpQVYQahXSj68h761:DtZz9msbEbvVY06CQ
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Enumerates processes with tasklist 1 TTPs 21 IoCs
-
Gathers network information 2 TTPs 5 IoCs
Uses commandline utility to view network configuration.
-
Script User-Agent 6 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0.exe"C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-6R8J1.tmp\fe196add855b16dc1b8e80729610a4e0.tmp"C:\Users\Admin\AppData\Local\Temp\is-6R8J1.tmp\fe196add855b16dc1b8e80729610a4e0.tmp" /SL5="$70120,3326047,56832,C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-S2A8B.tmp\gentlemjmp_irow.exe"C:\Users\Admin\AppData\Local\Temp\is-S2A8B.tmp\gentlemjmp_irow.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0.exe3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5904 " | findstr /C:"ESTABLISHED"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5903 " | findstr /C:"ESTABLISHED"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5902 " | findstr /C:"ESTABLISHED"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-S2A8B.tmp\cmd.bat""3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c tasklist /FI "WINDOWTITLE eq Process Monitor*" |find "PID"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-S2A8B.tmp\ex.bat""1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq newversion.exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV2⤵
- Enumerates processes with tasklist
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV1⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Setup.exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV1⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV1⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV2⤵
- Enumerates processes with tasklist
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV1⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV2⤵
- Enumerates processes with tasklist
-
-
C:\Windows\SysWOW64\find.exefind "PID"1⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq regedit.exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\findstr.exefindstr /C:":5902 "1⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /C:"ESTABLISHED"1⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-VRDSP.tmp\ex.bat""1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\is-GL5OV.tmp\gentlemjmp_irow.tmp"C:\Users\Admin\AppData\Local\Temp\is-GL5OV.tmp\gentlemjmp_irow.tmp" /SL5="$1F01EC,2930134,56832,C:\Users\Admin\AppData\Local\Temp\is-S2A8B.tmp\gentlemjmp_irow.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0.exe1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV1⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /C:"ESTABLISHED"1⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /C:":5904 "1⤵
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -na1⤵
- Gathers network information
-
C:\Windows\SysWOW64\findstr.exefindstr /C:":5903 "1⤵
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -na1⤵
- Gathers network information
-
C:\Windows\SysWOW64\findstr.exefindstr /C:"ESTABLISHED"1⤵
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -na1⤵
- Gathers network information
-
C:\Windows\SysWOW64\findstr.exefindstr /C:"ESTABLISHED"1⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /C:":5901 "1⤵
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -na1⤵
- Gathers network information
-
C:\Windows\SysWOW64\findstr.exefindstr /C:"ESTABLISHED"1⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /C:":5900 "1⤵
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -na1⤵
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV1⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV1⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "WINDOWTITLE eq Process Monitor*"1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
756KB
-
Filesize
84KB
-
Filesize
240KB
-
Filesize
756KB
-
Filesize
84KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
240KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
756KB
-
Filesize
4KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB