Analysis
-
max time kernel
74s -
max time network
76s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
18-05-2024 15:23
Static task
static1
General
-
Target
XYZDropper.ps1
-
Size
934B
-
MD5
1c1993547e335066690268b61a80f3d1
-
SHA1
b88c3905e103e70c1386e9fb551a8268e3ea689c
-
SHA256
30e7ebeab787d4c6ec8f2b8ca1c472f0947c0fbfae1e94a460a4089d5a8a63dc
-
SHA512
c302dad7c6ce6aed6b1e04335e0cedb550668ae713f5da212745346090473273a89ccb870b10c725fe85269629ccb13aa97c8e8dd00acf61d9e61f6d251a8182
Malware Config
Extracted
emotet
Epoch5
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
218.38.121.17:443
103.71.99.57:8080
103.224.241.74:8080
128.199.242.164:8080
85.214.67.203:8080
103.254.12.236:7080
46.101.98.60:8080
178.62.112.199:8080
210.57.209.142:8080
195.77.239.39:8080
103.126.216.86:443
82.98.180.154:7080
202.28.34.99:8080
174.138.33.49:7080
160.16.143.191:8080
51.75.33.122:443
103.41.204.169:8080
186.250.48.5:443
87.106.97.83:7080
118.98.72.86:443
196.44.98.190:8080
103.85.95.4:8080
62.171.178.147:8080
54.37.228.122:443
114.79.130.68:443
198.199.70.22:8080
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 6 5064 powershell.exe 12 5064 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Install.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation Install.exe -
Executes dropped EXE 2 IoCs
Processes:
Setup.exeInstall.exepid process 3720 Setup.exe 2192 Install.exe -
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 4584 regsvr32.exe 4284 regsvr32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 43 ipinfo.io 44 ipinfo.io -
Drops file in System32 directory 4 IoCs
Processes:
Install.exedescription ioc process File opened for modification C:\Windows\System32\GroupPolicy Install.exe File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini Install.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI Install.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exeInstall.exeregsvr32.exeregsvr32.exetaskmgr.exepid process 5064 powershell.exe 5064 powershell.exe 5064 powershell.exe 5064 powershell.exe 5064 powershell.exe 5064 powershell.exe 2192 Install.exe 2192 Install.exe 2192 Install.exe 2192 Install.exe 2192 Install.exe 2192 Install.exe 2192 Install.exe 2192 Install.exe 2192 Install.exe 2192 Install.exe 2192 Install.exe 2192 Install.exe 2192 Install.exe 2192 Install.exe 4584 regsvr32.exe 4584 regsvr32.exe 4284 regsvr32.exe 4284 regsvr32.exe 4284 regsvr32.exe 4284 regsvr32.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exepid process 3864 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
powershell.exe7z.exe7z.exe7z.exetaskmgr.exedescription pid process Token: SeDebugPrivilege 5064 powershell.exe Token: SeRestorePrivilege 332 7z.exe Token: 35 332 7z.exe Token: SeSecurityPrivilege 332 7z.exe Token: SeSecurityPrivilege 332 7z.exe Token: SeRestorePrivilege 3320 7z.exe Token: 35 3320 7z.exe Token: SeSecurityPrivilege 3320 7z.exe Token: SeSecurityPrivilege 3320 7z.exe Token: SeRestorePrivilege 4496 7z.exe Token: 35 4496 7z.exe Token: SeSecurityPrivilege 4496 7z.exe Token: SeSecurityPrivilege 4496 7z.exe Token: SeDebugPrivilege 3864 taskmgr.exe Token: SeSystemProfilePrivilege 3864 taskmgr.exe Token: SeCreateGlobalPrivilege 3864 taskmgr.exe -
Suspicious use of FindShellTrayWindow 57 IoCs
Processes:
taskmgr.exepid process 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe -
Suspicious use of SendNotifyMessage 57 IoCs
Processes:
taskmgr.exepid process 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe 3864 taskmgr.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
powershell.exeregsvr32.exedescription pid process target process PID 5064 wrote to memory of 332 5064 powershell.exe 7z.exe PID 5064 wrote to memory of 332 5064 powershell.exe 7z.exe PID 5064 wrote to memory of 3320 5064 powershell.exe 7z.exe PID 5064 wrote to memory of 3320 5064 powershell.exe 7z.exe PID 5064 wrote to memory of 4496 5064 powershell.exe 7z.exe PID 5064 wrote to memory of 4496 5064 powershell.exe 7z.exe PID 5064 wrote to memory of 3720 5064 powershell.exe Setup.exe PID 5064 wrote to memory of 3720 5064 powershell.exe Setup.exe PID 5064 wrote to memory of 3720 5064 powershell.exe Setup.exe PID 5064 wrote to memory of 2192 5064 powershell.exe Install.exe PID 5064 wrote to memory of 2192 5064 powershell.exe Install.exe PID 5064 wrote to memory of 2192 5064 powershell.exe Install.exe PID 5064 wrote to memory of 4584 5064 powershell.exe regsvr32.exe PID 5064 wrote to memory of 4584 5064 powershell.exe regsvr32.exe PID 4584 wrote to memory of 4284 4584 regsvr32.exe regsvr32.exe PID 4584 wrote to memory of 4284 4584 regsvr32.exe regsvr32.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\XYZDropper.ps11⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" x -pinfected C:\Users\Admin\AppData\Local\Temp\emotet.zip -oC:\Users\Admin\AppData\Local\Temp2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" x -pinfected C:\Users\Admin\AppData\Local\Temp\vidar.zip -oC:\Users\Admin\AppData\Local\Temp2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" x -pinfected C:\Users\Admin\AppData\Local\Temp\socelars.zip -oC:\Users\Admin\AppData\Local\Temp2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\emotet.dll2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\UEqfzaedtmeFg\wpSWvknAHbeAFMVP.dll"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Install.exeFilesize
5.4MB
MD53c23db5eff4d85d8ff9addb170e32d53
SHA11f109f5b9b17a71e4ef7e200fccab72b21836017
SHA256c2c694174fbf54aa19e05636589ac4eaf81d6b342c96be869bf57da18b930d98
SHA512ad428facaddaba14acc1979ad6d93c4f665f58b4c9d14b28f2c0c1818290abe9dbbbd4e1c464bd8d38caebb101d6e4e85cf85fdaf423a0f3f5d0d134d8953f69
-
C:\Users\Admin\AppData\Local\Temp\Setup.exeFilesize
481KB
MD596d5b9003eeee689e0e92d66d700cbc8
SHA125306aa64b79a7b75e12a4b099bb3ed4569493da
SHA2568cff070a61e966da876a22d0442e0ad007424b10ba9b7af91541dc3516679c50
SHA512112bdc43f9a902d95797bd1aba2c9fc1bd3b5e7604e27fbccf0b8ea5d4539556ddeb7c09c7094ae730281c8f0f040658a44f1778a8126d2db50c9c976fe99d31
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hs5y4mat.hzl.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\emotet.dllFilesize
534KB
MD556bb8500d7ab6860760eddd7a55e9456
SHA1e9b38c5fb51ce1a038f65c1620115a9bba1e383d
SHA256b4bead39ead2a29de2f0a6fb52eea172cfe25224b71e4a9b1418f55c8b053d59
SHA51283ceff476d071412b02bab0753bd3c4440937b663397d73349fa90c38d96cf88051b645c781cbe5de281aa3bd45e71da7fcc8c99c2846ce29c2f36c3e1307a84
-
C:\Users\Admin\AppData\Local\Temp\emotet.zipFilesize
289KB
MD5ebe6bc9eab807cdd910976a341bc070d
SHA11052700b1945bb1754f3cadad669fc4a99f5607b
SHA256b0353f4547466a0a402198b3750d928fc7c4e96dd3adc00b181e9d98e4602ea7
SHA5129a6bfcb90c1e24be1b930990dd2af72e889f71ad7e1a7b8353b6522a625e2ae36013793ee2c159880bd510b8f785ce4c9dfced1d2901d3ca8f091e26084185a8
-
C:\Users\Admin\AppData\Local\Temp\socelars.zipFilesize
5.2MB
MD5ccaf8b6a14e94e5163c55b0b84a6a97c
SHA147c67a525e642808a1ce9a6ce632bc1e1fd3dfae
SHA256966b5aa687ca823f72ed6054802e3347908fe1ace10336e682d96d5d66db68ae
SHA512e82c8dd091dec5cb4e522296784c8e586a186af10598b6ad9f9feaa996c0898bb6988f602e8a32741a24bcb9f4c11e07d806e3323a46aeaafaee93b7cc1756c7
-
C:\Users\Admin\AppData\Local\Temp\vidar.zipFilesize
324KB
MD5d2078a778e3c07edd8510732dc882485
SHA16c21d8c2bf0ced0b0fc1d8899e36cf674c2fc871
SHA256a1549eabd410f179feb82c288c87b7877cdb925ac15c10b843589e4e4074ff9e
SHA512bff856a9c4763f5dc2a8cf90523822d3f7dda1a0d4cd178fb04d01b645fc4d31e9af4880db22ef541681f488c700044bd18d3c09fb86c465e625ae0866c5dd4e
-
memory/2192-37-0x0000000000CC0000-0x0000000000CC1000-memory.dmpFilesize
4KB
-
memory/2192-41-0x0000000000CD0000-0x0000000001714000-memory.dmpFilesize
10.3MB
-
memory/2192-34-0x0000000000A70000-0x0000000000A71000-memory.dmpFilesize
4KB
-
memory/2192-35-0x0000000000A80000-0x0000000000A81000-memory.dmpFilesize
4KB
-
memory/2192-36-0x0000000000CB0000-0x0000000000CB1000-memory.dmpFilesize
4KB
-
memory/2192-39-0x0000000003310000-0x0000000003311000-memory.dmpFilesize
4KB
-
memory/2192-38-0x0000000003300000-0x0000000003301000-memory.dmpFilesize
4KB
-
memory/3864-78-0x000002451FB20000-0x000002451FB21000-memory.dmpFilesize
4KB
-
memory/3864-67-0x000002451FB20000-0x000002451FB21000-memory.dmpFilesize
4KB
-
memory/3864-69-0x000002451FB20000-0x000002451FB21000-memory.dmpFilesize
4KB
-
memory/3864-74-0x000002451FB20000-0x000002451FB21000-memory.dmpFilesize
4KB
-
memory/3864-68-0x000002451FB20000-0x000002451FB21000-memory.dmpFilesize
4KB
-
memory/3864-75-0x000002451FB20000-0x000002451FB21000-memory.dmpFilesize
4KB
-
memory/3864-76-0x000002451FB20000-0x000002451FB21000-memory.dmpFilesize
4KB
-
memory/3864-73-0x000002451FB20000-0x000002451FB21000-memory.dmpFilesize
4KB
-
memory/3864-77-0x000002451FB20000-0x000002451FB21000-memory.dmpFilesize
4KB
-
memory/3864-79-0x000002451FB20000-0x000002451FB21000-memory.dmpFilesize
4KB
-
memory/4584-49-0x0000000002160000-0x0000000002190000-memory.dmpFilesize
192KB
-
memory/4584-56-0x0000000180000000-0x000000018008C000-memory.dmpFilesize
560KB
-
memory/5064-12-0x00007FFB47990000-0x00007FFB48451000-memory.dmpFilesize
10.8MB
-
memory/5064-0-0x00007FFB47993000-0x00007FFB47995000-memory.dmpFilesize
8KB
-
memory/5064-10-0x000002D834E90000-0x000002D834EB2000-memory.dmpFilesize
136KB
-
memory/5064-33-0x00007FFB47990000-0x00007FFB48451000-memory.dmpFilesize
10.8MB
-
memory/5064-11-0x00007FFB47990000-0x00007FFB48451000-memory.dmpFilesize
10.8MB