4f14cf8ce74ce7f9e43fe51c5f7a11ede77ecb064a35fb42703dc9a88e57bd26

General

Target

7bec838451244d1f299c09707ea2bdd0.exe
Size

690KB
MD5

7bec838451244d1f299c09707ea2bdd0
SHA1

e8cef05a08b44f916dfe33e05a96cfac9d9e7c41
SHA256

4f14cf8ce74ce7f9e43fe51c5f7a11ede77ecb064a35fb42703dc9a88e57bd26
SHA512

9dcda3d21320e4a962f3dc2ee588d9623de379e241010fd0a08b3ff20b92cc1ff0c118b354395d4539db262c31bfa8ef1d05ca5f29b4e73eeceafc8ca19e78e1
SSDEEP

12288:QuoS1Rnqm/L+t9c+ngaet8jMGYFAT8YXtLNPJfzoTe136:HT1Rqm/kfyGlNFJ7+

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2620 powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2620 powershell.exe
2432 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2620 set thread context of 2432 2620 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2620 set thread context of 2432	2620	powershell.exe	wab.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
2620	powershell.exe
2620	powershell.exe
2620	powershell.exe
2620	powershell.exe
2620	powershell.exe
2620	powershell.exe
2620	powershell.exe
2620	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2620 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2620 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2620	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

7bec838451244d1f299c09707ea2bdd0.exepowershell.exe

description	pid	process	target process
PID 3048 wrote to memory of 2620	3048	7bec838451244d1f299c09707ea2bdd0.exe	powershell.exe
PID 3048 wrote to memory of 2620	3048	7bec838451244d1f299c09707ea2bdd0.exe	powershell.exe
PID 3048 wrote to memory of 2620	3048	7bec838451244d1f299c09707ea2bdd0.exe	powershell.exe
PID 3048 wrote to memory of 2620	3048	7bec838451244d1f299c09707ea2bdd0.exe	powershell.exe
PID 2620 wrote to memory of 2444	2620	powershell.exe	cmd.exe
PID 2620 wrote to memory of 2444	2620	powershell.exe	cmd.exe
PID 2620 wrote to memory of 2444	2620	powershell.exe	cmd.exe
PID 2620 wrote to memory of 2444	2620	powershell.exe	cmd.exe
PID 2620 wrote to memory of 2432	2620	powershell.exe	wab.exe
PID 2620 wrote to memory of 2432	2620	powershell.exe	wab.exe
PID 2620 wrote to memory of 2432	2620	powershell.exe	wab.exe
PID 2620 wrote to memory of 2432	2620	powershell.exe	wab.exe
PID 2620 wrote to memory of 2432	2620	powershell.exe	wab.exe
PID 2620 wrote to memory of 2432	2620	powershell.exe	wab.exe

C:\Users\Admin\AppData\Local\Temp\7bec838451244d1f299c09707ea2bdd0.exe
"C:\Users\Admin\AppData\Local\Temp\7bec838451244d1f299c09707ea2bdd0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Pensler=Get-Content 'C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Pseudometameric.Kur';$Iltet=$Pensler.SubString(51756,3);.$Iltet($Pensler)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
3⤵
PID:2444

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Opskyllede.Bat
Filesize
298KB

MD5
e4e92e70049d292cb8f3713bfb7a7e6f

SHA1
34dfca4470ae249ec10d123f91c42e826fcbba5e

SHA256
bd59428225201e0783ab07e51f9099e198f3fdcf19c96fd27b533fa7a12ff849

SHA512
53be5508ec695d64005f82e1fb1d00a56f6935de39d070271c08ea83aa89493d523b946a8cee24078ec51dc78a7b374ef31b9281c512c05b6e88942dd88bceef

Download Submit
C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Pseudometameric.Kur
Filesize
50KB

MD5
2821633dc3140d8e3d49c68faa02ce8f

SHA1
b2ffe30c043e63e9ba9aa3b845e09db7b13d1b11

SHA256
55854684c415937c5689f08c7100307646199a9cae59b83976bc7d3f838afdd7

SHA512
3e8600a676095d6ef5702042c998f901efbfe87258e1bda5c14d4e759306eb0d93b620ab639e4527146c88e768891d634d4f5dc3e503e5843462207183fde263

Download Submit
memory/2432-22-0x0000000000AF0000-0x0000000001B52000-memory.dmp

Filesize
16.4MB

Download
memory/2620-12-0x0000000073F11000-0x0000000073F12000-memory.dmp

Filesize
4KB

Download
memory/2620-13-0x0000000073F10000-0x00000000744BB000-memory.dmp

Filesize
5.7MB

Download
memory/2620-14-0x0000000073F10000-0x00000000744BB000-memory.dmp

Filesize
5.7MB

Download
memory/2620-15-0x0000000073F10000-0x00000000744BB000-memory.dmp

Filesize
5.7MB

Download
memory/2620-16-0x0000000073F10000-0x00000000744BB000-memory.dmp

Filesize
5.7MB

Download
memory/2620-20-0x0000000006560000-0x00000000077F8000-memory.dmp

Filesize
18.6MB

Download
memory/2620-21-0x0000000073F10000-0x00000000744BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing