fc6594eecf69dffaea16f0131c645e8518b3438b2ed0aaf297de43f98e1a0d34

General

Target

doc023571961504.exe
Size

723KB
MD5

5d572eb225e9dc9119dd119aadd8252b
SHA1

7f2db9294c7790037fc7c96a638000536a0c10bc
SHA256

3f215a602e7539ebf9d4ec18c590dcff3392bbe3bd86a0f3891c4f4dc97bf66f
SHA512

ed82aa7325955c87df8f637caa27bd776d636034165815d7f312500ce845df1a9f25df41480484084cbed79dd959246ce58cafd467be1ab8d92ecf3b595d4c0b
SSDEEP

12288:QuoS1Rnqm/L+tMtjXl6SRxADTeXZTbdKh8ysikNfIUTe13j:HT1Rqm/kCjXg4uPeXZvE8y/kNfE

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2824 powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2824 powershell.exe
2800 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2824 set thread context of 2800 2824 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2824 set thread context of 2800	2824	powershell.exe	wab.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2824 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2824 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2824	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

doc023571961504.exepowershell.exe

description	pid	process	target process
PID 1232 wrote to memory of 2824	1232	doc023571961504.exe	powershell.exe
PID 1232 wrote to memory of 2824	1232	doc023571961504.exe	powershell.exe
PID 1232 wrote to memory of 2824	1232	doc023571961504.exe	powershell.exe
PID 1232 wrote to memory of 2824	1232	doc023571961504.exe	powershell.exe
PID 2824 wrote to memory of 2788	2824	powershell.exe	cmd.exe
PID 2824 wrote to memory of 2788	2824	powershell.exe	cmd.exe
PID 2824 wrote to memory of 2788	2824	powershell.exe	cmd.exe
PID 2824 wrote to memory of 2788	2824	powershell.exe	cmd.exe
PID 2824 wrote to memory of 2800	2824	powershell.exe	wab.exe
PID 2824 wrote to memory of 2800	2824	powershell.exe	wab.exe
PID 2824 wrote to memory of 2800	2824	powershell.exe	wab.exe
PID 2824 wrote to memory of 2800	2824	powershell.exe	wab.exe
PID 2824 wrote to memory of 2800	2824	powershell.exe	wab.exe
PID 2824 wrote to memory of 2800	2824	powershell.exe	wab.exe

C:\Users\Admin\AppData\Local\Temp\doc023571961504.exe
"C:\Users\Admin\AppData\Local\Temp\doc023571961504.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Urrem=Get-Content 'C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Flittingly.Blo139';$Trkpapirets=$Urrem.SubString(54080,3);.$Trkpapirets($Urrem)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
3⤵
PID:2788

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Delmodigs.Dic

Filesize
348KB

MD5
fe63e9758631814e9e2b98df1182a202

SHA1
5083908bb530e7a5fce7f98d6731f2fb392ebf44

SHA256
de426877daa9fe95f0f9ef52272f345fa0e42f0c3e6dd93c5fee4c2ed2d2c814

SHA512
bd9214d977971137c33137f793106e0e40fa014a6180fafa074cd7cd993593997e3a9a25b42ff24a024d2e7a5a33565482a75b1877fa0fbab05670bd709ef233

Download Submit
C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Flittingly.Blo139

Filesize
52KB

MD5
a859b77617f945b829f49dbec2b3efde

SHA1
8e30e4cbfea74491369a1f256c2fa9c7d7e9ae13

SHA256
76b9b5407850f459c1e7fa5e9adffeeb079163c65669696b1a255af94c1d21ca

SHA512
9a1760848f6ad238a595f6ac91f6bb2a1034aa781e32ed6134835fb373864b79c6e8a617a560473475556035ba6dcbb9a52c2eb4ded384b9208477845267dbb6

Download Submit
memory/2800-23-0x0000000000680000-0x00000000016E2000-memory.dmp

Filesize
16.4MB

Download
memory/2824-12-0x0000000074161000-0x0000000074162000-memory.dmp

Filesize
4KB

Download
memory/2824-13-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-15-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-14-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-16-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-20-0x00000000065C0000-0x0000000009E21000-memory.dmp

Filesize
56.4MB

Download
memory/2824-21-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing