d257ccb871f76dc160811fcfce87770bbced5aa97dbcb7c7912ebbccd353fca4

Resubmissions

17/05/2024, 18:01

240517-wlx2dabf85 10

17/05/2024, 17:59

240517-wk1e4sbe9x 10

Analysis

max time kernel
456s
max time network
459s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
17/05/2024, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup/Office Installer x86.exe
Size

9.0MB
MD5

c2f8f016aa58b9a0be33378f911185df
SHA1

c043b1630742ce321fcff02946ca2e6e758c6325
SHA256

621bc8871ab00c23151a99f2ea4c2dbadd55b86eae623fc4370276e0897ae5b8
SHA512

4c431246f01b974e3ad2a06ed90d0ee824a3c9338246c99a13a0ec8dea9fbcd9da5aa65a991ea74f9359954ca9b0a0039bde95060c4831cefe05d920c8530419
SSDEEP

196608:PLivur4OIag6AiQBhyQbEAkZQdnkW9AVSGfGIJXcaI6HMaJTtGb:PLiv6Iazyyu4JfdJX

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	5068	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5068	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5068	powershell.exe
5068	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2648	Office Installer x86.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 4960	2648	Office Installer x86.exe	77
PID 2648 wrote to memory of 4960	2648	Office Installer x86.exe	77
PID 2648 wrote to memory of 4960	2648	Office Installer x86.exe	77
PID 2648 wrote to memory of 5068	2648	Office Installer x86.exe	79
PID 2648 wrote to memory of 5068	2648	Office Installer x86.exe	79
PID 2648 wrote to memory of 5068	2648	Office Installer x86.exe	79

C:\Users\Admin\AppData\Local\Temp\Setup\Office Installer x86.exe
"C:\Users\Admin\AppData\Local\Temp\Setup\Office Installer x86.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\reg.exe
  "reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d 1 /f
  2⤵
  PID:4960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\Admin\AppData\Local\Temp\files\ver.txt') }"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bsrnrexa.1rz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\ver.txt

Filesize
56KB

MD5
028389dd833ca78bfc8e9e10b978ced8

SHA1
7691fb72b4af44ba01d553caa301b3fe1936c304

SHA256
16f19e1dad900af1cdb630401825416399ea6438e29384d5fa9348e0743c9ec6

SHA512
8fb363b6096a972935cda152983b214841b467f2ded074ff6b764dfe4940356d734e751c5863fbd3f6dbb411aa5103283281e786103f4cd2cd65ea5e894f7c4b

Download Submit
memory/5068-7-0x0000000004BB0000-0x0000000004BD2000-memory.dmp

Filesize
136KB

Download
memory/5068-19-0x0000000005570000-0x00000000058C7000-memory.dmp

Filesize
3.3MB

Download
memory/5068-3-0x0000000073C0E000-0x0000000073C0F000-memory.dmp

Filesize
4KB

Download
memory/5068-9-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/5068-10-0x0000000005500000-0x0000000005566000-memory.dmp

Filesize
408KB

Download
memory/5068-8-0x0000000073C00000-0x00000000743B1000-memory.dmp

Filesize
7.7MB

Download
memory/5068-5-0x0000000004E60000-0x000000000548A000-memory.dmp

Filesize
6.2MB

Download
memory/5068-6-0x0000000073C00000-0x00000000743B1000-memory.dmp

Filesize
7.7MB

Download
memory/5068-20-0x0000000005A40000-0x0000000005A5E000-memory.dmp

Filesize
120KB

Download
memory/5068-21-0x0000000005A80000-0x0000000005ACC000-memory.dmp

Filesize
304KB

Download
memory/5068-22-0x00000000070A0000-0x000000000771A000-memory.dmp

Filesize
6.5MB

Download
memory/5068-23-0x0000000005F90000-0x0000000005FAA000-memory.dmp

Filesize
104KB

Download
memory/5068-27-0x0000000073C00000-0x00000000743B1000-memory.dmp

Filesize
7.7MB

Download
memory/5068-4-0x0000000002580000-0x00000000025B6000-memory.dmp

Filesize
216KB

Download