Overview

overview

10

Static

static

1

XYZDropper.ps1

windows10-2004-x64

10

Resubmissions

18-05-2024 15:23

240518-ssxgmsaa57 10

18-05-2024 15:23

240518-sspf2aaa48 3

Analysis

  • max time kernel
    74s
  • max time network
    76s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-05-2024 15:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XYZDropper.ps1

  • Size

    934B

  • MD5

    1c1993547e335066690268b61a80f3d1

  • SHA1

    b88c3905e103e70c1386e9fb551a8268e3ea689c

  • SHA256

    30e7ebeab787d4c6ec8f2b8ca1c472f0947c0fbfae1e94a460a4089d5a8a63dc

  • SHA512

    c302dad7c6ce6aed6b1e04335e0cedb550668ae713f5da212745346090473273a89ccb870b10c725fe85269629ccb13aa97c8e8dd00acf61d9e61f6d251a8182

Score
10/10
emotetprivateloaderriseproepoch5bankerexecutionloaderspywarestealertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080
ecs1.plain
eck1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 57 IoCs
  • Suspicious use of SendNotifyMessage 57 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\XYZDropper.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" x -pinfected C:\Users\Admin\AppData\Local\Temp\emotet.zip -oC:\Users\Admin\AppData\Local\Temp
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:332
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" x -pinfected C:\Users\Admin\AppData\Local\Temp\vidar.zip -oC:\Users\Admin\AppData\Local\Temp
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3320
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" x -pinfected C:\Users\Admin\AppData\Local\Temp\socelars.zip -oC:\Users\Admin\AppData\Local\Temp
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4496
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      PID:3720
    • C:\Users\Admin\AppData\Local\Temp\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2192
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\emotet.dll
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4584
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UEqfzaedtmeFg\wpSWvknAHbeAFMVP.dll"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:4284
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
      PID:4696
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:3600
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3864

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Install.exe
        Filesize

        5.4MB

        MD5

        3c23db5eff4d85d8ff9addb170e32d53

        SHA1

        1f109f5b9b17a71e4ef7e200fccab72b21836017

        SHA256

        c2c694174fbf54aa19e05636589ac4eaf81d6b342c96be869bf57da18b930d98

        SHA512

        ad428facaddaba14acc1979ad6d93c4f665f58b4c9d14b28f2c0c1818290abe9dbbbd4e1c464bd8d38caebb101d6e4e85cf85fdaf423a0f3f5d0d134d8953f69

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Setup.exe
        Filesize

        481KB

        MD5

        96d5b9003eeee689e0e92d66d700cbc8

        SHA1

        25306aa64b79a7b75e12a4b099bb3ed4569493da

        SHA256

        8cff070a61e966da876a22d0442e0ad007424b10ba9b7af91541dc3516679c50

        SHA512

        112bdc43f9a902d95797bd1aba2c9fc1bd3b5e7604e27fbccf0b8ea5d4539556ddeb7c09c7094ae730281c8f0f040658a44f1778a8126d2db50c9c976fe99d31

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hs5y4mat.hzl.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\emotet.dll
        Filesize

        534KB

        MD5

        56bb8500d7ab6860760eddd7a55e9456

        SHA1

        e9b38c5fb51ce1a038f65c1620115a9bba1e383d

        SHA256

        b4bead39ead2a29de2f0a6fb52eea172cfe25224b71e4a9b1418f55c8b053d59

        SHA512

        83ceff476d071412b02bab0753bd3c4440937b663397d73349fa90c38d96cf88051b645c781cbe5de281aa3bd45e71da7fcc8c99c2846ce29c2f36c3e1307a84

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\emotet.zip
        Filesize

        289KB

        MD5

        ebe6bc9eab807cdd910976a341bc070d

        SHA1

        1052700b1945bb1754f3cadad669fc4a99f5607b

        SHA256

        b0353f4547466a0a402198b3750d928fc7c4e96dd3adc00b181e9d98e4602ea7

        SHA512

        9a6bfcb90c1e24be1b930990dd2af72e889f71ad7e1a7b8353b6522a625e2ae36013793ee2c159880bd510b8f785ce4c9dfced1d2901d3ca8f091e26084185a8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\socelars.zip
        Filesize

        5.2MB

        MD5

        ccaf8b6a14e94e5163c55b0b84a6a97c

        SHA1

        47c67a525e642808a1ce9a6ce632bc1e1fd3dfae

        SHA256

        966b5aa687ca823f72ed6054802e3347908fe1ace10336e682d96d5d66db68ae

        SHA512

        e82c8dd091dec5cb4e522296784c8e586a186af10598b6ad9f9feaa996c0898bb6988f602e8a32741a24bcb9f4c11e07d806e3323a46aeaafaee93b7cc1756c7

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\vidar.zip
        Filesize

        324KB

        MD5

        d2078a778e3c07edd8510732dc882485

        SHA1

        6c21d8c2bf0ced0b0fc1d8899e36cf674c2fc871

        SHA256

        a1549eabd410f179feb82c288c87b7877cdb925ac15c10b843589e4e4074ff9e

        SHA512

        bff856a9c4763f5dc2a8cf90523822d3f7dda1a0d4cd178fb04d01b645fc4d31e9af4880db22ef541681f488c700044bd18d3c09fb86c465e625ae0866c5dd4e

        Download Submit
      • memory/2192-37-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2192-41-0x0000000000CD0000-0x0000000001714000-memory.dmp
        Filesize

        10.3MB

        Download
      • memory/2192-34-0x0000000000A70000-0x0000000000A71000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2192-35-0x0000000000A80000-0x0000000000A81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2192-36-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2192-39-0x0000000003310000-0x0000000003311000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2192-38-0x0000000003300000-0x0000000003301000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3864-78-0x000002451FB20000-0x000002451FB21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3864-67-0x000002451FB20000-0x000002451FB21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3864-69-0x000002451FB20000-0x000002451FB21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3864-74-0x000002451FB20000-0x000002451FB21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3864-68-0x000002451FB20000-0x000002451FB21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3864-75-0x000002451FB20000-0x000002451FB21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3864-76-0x000002451FB20000-0x000002451FB21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3864-73-0x000002451FB20000-0x000002451FB21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3864-77-0x000002451FB20000-0x000002451FB21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3864-79-0x000002451FB20000-0x000002451FB21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4584-49-0x0000000002160000-0x0000000002190000-memory.dmp
        Filesize

        192KB

        Download
      • memory/4584-56-0x0000000180000000-0x000000018008C000-memory.dmp
        Filesize

        560KB

        Download
      • memory/5064-12-0x00007FFB47990000-0x00007FFB48451000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/5064-0-0x00007FFB47993000-0x00007FFB47995000-memory.dmp
        Filesize

        8KB

        Download
      • memory/5064-10-0x000002D834E90000-0x000002D834EB2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/5064-33-0x00007FFB47990000-0x00007FFB48451000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/5064-11-0x00007FFB47990000-0x00007FFB48451000-memory.dmp
        Filesize

        10.8MB

        Download